#!/usr/bin/env python3
"""
Security Patterns - 보안 취약점 패턴 데이터

이 파일은 보안 패턴이 추가/수정될 때만 변경됨
코드 검토 로직과 분리되어 있음 (SRP 준수)
"""

import json
import sys

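# Vulnerability pattern definitions.
#
# Each key is a finding category; each value is a list of regular expressions
# (Python `re` syntax) that flag a suspicious source line. The patterns are kept
# as plain strings so the scanning logic that compiles and applies them lives
# elsewhere; this file changes only when a pattern is added or corrected.
#
# NOTE(review): the patterns are unanchored and case-sensitive as written.
# Whether the consumer applies re.IGNORECASE (so `PASSWORD = "..."` is caught)
# or uses re.search vs re.match is not visible here -- confirm at the call site.
VULNERABILITY_PATTERNS: dict[str, list[str]] = {
    "SQL Injection": [
        # %-formatting of a query literal. The right-hand operand may be a tuple
        # or a bare name, so only the `%` after the closing quote is required.
        r"execute\s*\(\s*[\"'].*%[sd].*[\"']\s*%",
        r"cursor\.execute\s*\(\s*f[\"']",  # f-string in SQL
        r"execute\s*\(\s*[\"'][^\"']*[\"']\s*\.format\s*\(",  # str.format() on a query literal
        r"\.raw\s*\(\s*[\"'].*\+.*[\"']",  # raw query with concatenation
        r"SELECT.*FROM.*WHERE.*\+",  # SQL concatenation
    ],
    "XSS (Cross-Site Scripting)": [
        r"innerHTML\s*=",  # Direct innerHTML assignment
        r"document\.write\s*\(",  # document.write
        r"\.html\s*\(\s*[^\"']",  # jQuery .html() with a non-literal argument
        r"render_template_string\s*\(",  # Flask unsafe render
    ],
    "Hardcoded Secret": [
        # A non-empty quoted literal assigned to a secret-looking name. Placeholder
        # values (e.g. "${PASSWORD}", "changeme") match as well and need triage.
        r"password\s*=\s*[\"'][^\"']+[\"']",  # Hardcoded password
        r"api_key\s*=\s*[\"'][^\"']+[\"']",  # Hardcoded API key
        r"secret\s*=\s*[\"'][^\"']+[\"']",  # Hardcoded secret
        r"token\s*=\s*[\"'][^\"']+[\"']",  # Hardcoded token
        r"private_key\s*=\s*[\"']-----BEGIN",  # Hardcoded private key
    ],
    "Code Injection": [
        # `(?<!\w)` keeps ast.literal_eval( / my_exec( out of the results;
        # attribute calls such as obj.eval( still match.
        r"(?<!\w)eval\s*\(",  # eval() usage
        r"(?<!\w)exec\s*\(",  # exec() usage
        # The second look-behind excludes re.compile(), which is ubiquitous and
        # harmless; bare compile( and builtins.compile( are still flagged.
        r"(?<!\w)(?<!re\.)compile\s*\(",  # compile() usage
        r"__import__\s*\(",  # Dynamic import
    ],
    "Path Traversal": [
        r"\.\./",  # Parent directory reference
        r"\.\.\\",  # Windows parent directory
        r"os\.path\.join\s*\([^)]*\+",  # Path concatenation
    ],
    "Command Injection": [
        r"os\.system\s*\(",  # os.system
        r"subprocess\.call\s*\([^)]*shell\s*=\s*True",  # shell=True
        r"subprocess\.Popen\s*\([^)]*shell\s*=\s*True",  # shell=True
        # run()/check_call()/check_output() accept shell=True exactly like
        # call()/Popen() and were previously not covered.
        r"subprocess\.(?:run|check_call|check_output)\s*\([^)]*shell\s*=\s*True",
        # Same expression as under "Code Injection": a line containing eval( is
        # reported in both categories.
        r"(?<!\w)eval\s*\(",  # eval for commands
    ],
    "Insecure Dependencies": [],  # Will be checked via npm audit/pip audit
}

# Risk level definitions: level name -> ordinal, so levels can be compared
# numerically (a larger value is the more severe level).
RISK_LEVELS: dict[str, int] = {"low": 0, "medium": 1, "high": 2, "critical": 3}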


def main() -> None:
    """CLI test interface.

    ``python3 security_patterns.py test`` prints a JSON summary of the pattern
    table (number of categories, risk-level names, category names); any other
    invocation prints a one-line JSON usage hint.
    """
    args = sys.argv[1:]
    if args and args[0] == "test":
        summary = {
            "patterns_loaded": len(VULNERABILITY_PATTERNS),
            "risk_levels": list(RISK_LEVELS.keys()),
            "pattern_types": list(VULNERABILITY_PATTERNS.keys()),
        }
        output = json.dumps(summary, indent=2)
    else:
        output = json.dumps({"usage": "python3 security_patterns.py test"})
    print(output)


if __name__ == "__main__":
    # Run the CLI only when executed directly; importing this module for its
    # pattern tables has no side effects. main() returns None, so the exit
    # status is 0 unless main() raises.
    raise SystemExit(main())
