安全修复: 收敛认证与日志风险并补充基础测试

2026-02-16 00:34:52 +08:00
parent 7627885b1b
commit 7d42f96e42
12 changed files with 163 additions and 50 deletions
--- a/tests/test_security_hardening.py
+++ b/tests/test_security_hardening.py
@@ -0,0 +1,58 @@
+import importlib
+import sys
+from pathlib import Path
+
+import pytest
+from flask import Flask
+
+PROJECT_ROOT = Path(__file__).resolve().parents[1]
+if str(PROJECT_ROOT) not in sys.path:
+    sys.path.insert(0, str(PROJECT_ROOT))
+
+import app_security
+import crypto_utils
+from db import users as db_users
+
+
+def test_user_lookup_rejects_dynamic_field_name():
+    with pytest.raises(ValueError):
+        db_users._get_user_by_field("username OR 1=1 --", "demo")
+
+
+def test_rate_limit_ip_does_not_trust_proxy_headers_by_default(monkeypatch):
+    monkeypatch.delenv("TRUST_PROXY_HEADERS", raising=False)
+    monkeypatch.delenv("TRUSTED_PROXY_CIDRS", raising=False)
+    security_module = importlib.reload(app_security)
+
+    app = Flask(__name__)
+    with app.test_request_context(
+        "/",
+        environ_base={"REMOTE_ADDR": "10.0.0.9"},
+        headers={"X-Forwarded-For": "198.51.100.10"},
+    ):
+        assert security_module.get_rate_limit_ip() == "10.0.0.9"
+
+
+def test_rate_limit_ip_can_use_forwarded_chain_when_explicitly_enabled(monkeypatch):
+    monkeypatch.setenv("TRUST_PROXY_HEADERS", "true")
+    monkeypatch.setenv("TRUSTED_PROXY_CIDRS", "10.0.0.0/8")
+    security_module = importlib.reload(app_security)
+
+    app = Flask(__name__)
+    with app.test_request_context(
+        "/",
+        environ_base={"REMOTE_ADDR": "10.2.3.4"},
+        headers={"X-Forwarded-For": "198.51.100.10, 10.2.3.4"},
+    ):
+        assert security_module.get_rate_limit_ip() == "198.51.100.10"
+
+
+def test_get_encryption_key_refuses_regeneration_when_encrypted_data_exists(monkeypatch, tmp_path):
+    monkeypatch.setenv("ALLOW_NEW_KEY", "true")
+    monkeypatch.delenv("ENCRYPTION_KEY_RAW", raising=False)
+    monkeypatch.delenv("ENCRYPTION_KEY", raising=False)
+    monkeypatch.setattr(crypto_utils, "ENCRYPTION_KEY_FILE", str(tmp_path / "missing_key.bin"))
+    monkeypatch.setattr(crypto_utils, "_check_existing_encrypted_data", lambda: True)
+
+    with pytest.raises(RuntimeError):
+        crypto_utils.get_encryption_key()