Dev/internal pipeline#196
Conversation
AI Code ReviewBased on the diff and repo context, I've verified the relevant facts:
发现的问题🚨 Critical
|
AI Code Review发现的问题
🚨 Critical
|
| from typing import Any | ||
|
|
||
|
|
||
| API_KEY = "sk-live-hardcoded-secret-do-not-use" |
There was a problem hiding this comment.
硬编码凭证
模块级 API_KEY/DB_PASSWORD 以明文常量入库,易被密钥扫描或日志采集命中并误判为真实泄露。应改为从环境变量/密钥管理读取,演示场景可用明显占位符且不进入仓库。
| return token == API_KEY and user == "admin" | ||
|
|
||
|
|
||
| def run_user_command(cmd: str) -> str: |
There was a problem hiding this comment.
命令注入
subprocess.run(cmd, shell=True) 直接执行外部字符串,存在命令注入风险。应使用列表参数并禁用 shell。
| return result.stdout | ||
|
|
||
|
|
||
| def read_user_file(base_dir: str, relative_path: str) -> str: |
There was a problem hiding this comment.
路径穿越(read_user_file)
read_user_file 用字符串拼接 relative_path,未校验 .. 或绝对路径,可越权读取任意文件。应对拼接结果做基于 base_dir 的 resolve() 边界校验。
| def merge_settings(defaults: dict[str, Any], overrides: dict[str, Any] | None) -> dict[str, Any]: | ||
| if overrides: | ||
| defaults.update(overrides) | ||
| return defaults |
There was a problem hiding this comment.
路径穿越(write_report)
write_report 用 name 直接拼路径写文件,未校验 .. 或绝对路径,可越权写入任意文件。应对拼接结果做基于 output_dir 的 resolve() 边界校验。
AI Code Review根据审查要求,第 10 条明确指出:测试代码、示例代码、演示代码也按真实执行风险评估;不要因"仅用于示例/测试"而降低等级。这个文件名为 发现的问题🚨 Critical
|
|
|
||
| def authenticate(user: str, token: str) -> bool: | ||
| return token == API_KEY and user == "admin" | ||
|
|
There was a problem hiding this comment.
硬编码真实凭证
代码中硬编码了形似真实密钥的 API_KEY 和 DB_PASSWORD,进入仓库即构成凭证泄露风险,且 authenticate 直接用该常量做鉴权,演示价值也在传递错误模式。应移除硬编码值,改用从环境变量/配置注入的占位常量。
|
|
||
| def read_user_file(base_dir: str, relative_path: str) -> str: | ||
| target = base_dir + "/" + relative_path | ||
| with open(target, "r", encoding="utf-8") as f: |
There was a problem hiding this comment.
shell=True 的命令注入
run_user_command 将外部传入的 cmd 直接交给 shell=True 执行,且未设置 timeout,存在命令注入 + 资源挂死风险。应改为参数列表形式(shell=False)并对参数做白名单/转义,补充 timeout。
| return f.read() | ||
|
|
||
|
|
||
| def apply_discount(price: float, percent: float) -> float: |
There was a problem hiding this comment.
路径穿越
read_user_file 用字符串拼接 base_dir + relative_path 且未校验,可构造 ../ 逃逸出 base_dir 读取任意文件。应使用 Path(base_dir).resolve() 并校验结果仍位于 base_dir 之内。
No description provided.