Python static code analysis: a static analysis tool for detecting and preventing security issues in Python code

Tool to analyze

Pysa is an open-source static analysis tool built by Facebook to detect and prevent security and privacy issues in Python code. Pysa is an acronym for Python Static Analyzer.

Pysa is a security-focused tool built on top of Pyre, Facebook's type checker for Python. It checks code and analyzes how data flows through it. Data flow analysis is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn't, so one analysis can detect a wide range of issues.

For example, Facebook's Python code makes use of certain internal frameworks designed to prevent access to, or disclosure of, user data in ways that violate its technical privacy policies; Pysa can check that data does not flow around those frameworks.

Pysa detects common web application security issues such as SQL injection and XSS. It helps scale application security efforts across Python code, including the codebase that powers Instagram's servers.

Pysa on Instagram

One of the largest repositories of Python code is the millions of lines that power Instagram's servers. An automated analyzer like Pysa is an important tool for maintaining quality and security in this codebase. Run on a developer's code, it returns results in far less time than the weeks a manual review could take.

How Pysa works

Pysa was developed with the lessons learned from Zoncolan, Facebook's static analyzer for Hack code, in mind. It uses the same algorithm to perform its analysis and even shares some code with Zoncolan. Pysa tracks flows of data through a program from sources to sinks. The most common kinds of sources are places where user-controlled data enters the application, such as Django's HttpRequest.GET dictionary. Sinks tend to be much more varied, but include APIs that execute code, such as eval, and APIs that access the file system, such as os.open. Pysa performs several rounds of analysis to build summaries that determine which functions have parameters that eventually reach a sink; a caller that passes data from a source into such a parameter is then reported as an issue. Visualizing this process produces a tree with the issue at its apex and the source and sinks at the leaves.

[Figure: visualization of issues in Python code]

Positives and negatives

According to Facebook's engineers, Pysa, like any static analyzer, produces some false positives and false negatives, and they have to decide how to deal with them.

  • False positives occur when a tool reports a security issue where none exists.
  • False negatives occur when a tool fails to detect and report a real security issue.

Pysa offers two kinds of functionality by which users can reduce these false positives and false negatives.

  • Sanitizers: during analysis, Pysa stops tracking a data flow once it passes through a function marked as a sanitizer. This lets users encode domain-specific knowledge about transformations that will always render data safe from a security perspective (for example, escaping a value for the sink it is headed to). Marking a function as a sanitizer removes the corresponding flows from Pysa's results.

  • Features: a small piece of metadata that Pysa attaches to data flows as they are tracked through the code, so that results can be filtered or prioritized afterwards. Unlike a sanitizer, a feature never removes an issue from Pysa's results.

Where Pysa is most useful

Imagine a developer writes code in which load_profile reads a user_id from the request, calls load_user to validate it and fetch the user, and then passes the resulting valid user_id to load_pictures.

The potential SQL injection in load_pictures is not exploitable, because that function only ever receives the valid user_id that results from calling load_user in load_profile.

Now suppose an engineer, reasoning that fetching the user and picture data concurrently would be faster, changes load_profile to call load_user and load_pictures in parallel, passing the raw user_id to both.

This change may look innocuous, but it ends up connecting the user-controlled user_id string directly to the SQL injection issue in load_pictures. In a large application with many layers between the entry point and the database queries, this engineer might never realize that the data is fully user-controlled, or that a SQL injection issue lurks in one of the functions called. Pysa, which follows the flow from the request through load_profile into load_pictures, flags the new path.
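The scenario above, as an added example that is not code from the original post or from Pysa itself: a toy version of the analysis the "How Pysa works" section describes (sources, sinks, sanitizers, and per-function summaries built over several rounds), written on top of Python's standard ast module. It also illustrates the "Positives and negatives" section: int() is declared a sanitizer, so flows through it are dropped. The source attribute names (GET, POST, COOKIES), the sink list (eval, os.open, cursor.execute) and the choice of int() as a sanitizer are assumptions made for this example, not Pysa's real models, and the analysis is flow-insensitive, which Pysa's is not. SAMPLE is a constructed program that reconstructs the post's story: the original load_profile comes back clean because load_user's summary says nothing it receives reaches its return value, while the concurrent rewrite is flagged because the raw user_id now feeds a parameter of load_pictures that the summary says reaches a SQL sink.

```python
import ast

# Sources: where user-controlled data enters (Pysa's canonical example is Django's
# HttpRequest.GET). Sinks: APIs that execute code or reach the filesystem/database.
# These names, and int() as a sanitizer, are assumptions for this toy, not Pysa's models.
SOURCE_ATTRS = {"GET", "POST", "COOKIES"}
SINKS = {"eval": "RemoteCodeExecution", "os.open": "FileSystem", "cursor.execute": "SQL"}
SANITIZERS, RETURN = {"int"}, "ReturnValue"  # RETURN: pseudo-sink for taint-in-taint-out

def _dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    base = _dotted(node.value) if isinstance(node, ast.Attribute) else None
    return f"{base}.{node.attr}" if base else None

def _is_source(node):  # request.GET[...], request.GET.get(...), request.POST[...] ...
    if isinstance(node, (ast.Subscript, ast.Call)):
        return _is_source(node.value if isinstance(node, ast.Subscript) else node.func)
    return isinstance(node, ast.Attribute) and (node.attr in SOURCE_ATTRS or _is_source(node.value))

def _tainted(node, tainted, summaries):
    """Does evaluating `node` yield data derived from a source or a tainted name?"""
    if _is_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _dotted(node.func)
        if name in SANITIZERS:
            return False  # a sanitizer cuts the flow, whatever its input was
        if name in summaries:  # analysed callee: only taint-in-taint-out parameters leak
            return any(RETURN in summaries[name].get(i, ()) and _tainted(a, tainted, summaries)
                       for i, a in enumerate(node.args))
    # Anything else (f-string, BinOp, attribute, unknown call): tainted if any child is.
    return any(_tainted(c, tainted, summaries) for c in ast.iter_child_nodes(node) if isinstance(c, ast.expr))

def _flows(fn, seeds, summaries):
    """Flow-insensitive fixpoint: (sink kinds, callee, line) of every call or return
    statement in `fn` reached by data from `seeds` or from a source."""
    tainted, changed = set(seeds), True
    while changed:
        changed = False
        for a in (n for n in ast.walk(fn) if isinstance(n, ast.Assign)):
            leaves = [x for t in a.targets for x in (t.elts if isinstance(t, ast.Tuple) else [t])]
            names = {x.id for x in leaves if isinstance(x, ast.Name)} - tainted
            if names and _tainted(a.value, tainted, summaries):
                tainted |= names
                changed = True
    hits = []
    for node in ast.walk(fn):
        if isinstance(node, ast.Return) and node.value and _tainted(node.value, tainted, summaries):
            hits.append((frozenset({RETURN}), None, node.lineno))
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        arg_taint = [_tainted(a, tainted, summaries) for a in node.args]
        kinds = {SINKS[name]} if name in SINKS and any(arg_taint) else set()
        for i, flag in enumerate(arg_taint):  # or into a summarised callee's sink
            if flag and name in summaries:
                kinds |= summaries[name].get(i, frozenset()) - {RETURN}
        if kinds:
            hits.append((frozenset(kinds), name, node.lineno))
    return hits

def build_summaries(functions):
    """Rounds of analysis: which parameter positions of each function reach which
    sinks (or its return value), repeated until nothing changes."""
    summaries = {fn.name: {} for fn in functions}
    while True:
        new = {fn.name: {} for fn in functions}
        for fn in functions:
            for i, param in enumerate(fn.args.args):
                hits = _flows(fn, {param.arg}, summaries)
                if hits:
                    new[fn.name][i] = frozenset().union(*(h[0] for h in hits))
        if new == summaries:
            return summaries
        summaries = new

def analyze(code):
    """Sorted (function, callee, sink kind, line) for every sink that user data reaches."""
    functions = [n for n in ast.walk(ast.parse(code)) if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    summaries = build_summaries(functions)
    issues = {(fn.name, callee, kind, line) for fn in functions
              for kinds, callee, line in _flows(fn, set(), summaries) for kind in kinds if kind != RETURN}
    return sorted(issues, key=lambda i: (i[3], i[2]))

# Constructed sample that reconstructs the post's story (not the post's own code).
SAMPLE = '''
def load_user(user_id):
    safe_id = int(user_id)  # sanitizer: whatever comes in, a number goes out
    cursor.execute("SELECT id, name FROM users WHERE id = ?", (safe_id,))
    return User(*cursor.fetchone())
def load_pictures(user_id):
    cursor.execute(f"SELECT url FROM pictures WHERE owner = {user_id}")  # SQL sink
def load_profile(request):
    user_id = request.GET["user_id"]  # source
    user = load_user(user_id)
    pictures = load_pictures(user.id)  # not exploitable: user.id came from the database
async def load_profile_concurrent(request):
    user_id = request.GET["user_id"]
    user, pictures = await asyncio.gather(load_user(user_id), load_pictures(user_id))
'''
```

Calling analyze(SAMPLE) reports a single issue, in load_profile_concurrent at the asyncio.gather line, where user_id from request.GET reaches load_pictures' first parameter (sink kind SQL); load_profile is not reported. The summaries are what make the difference: in the first round only load_pictures has a sink-reaching parameter, in the second round load_profile_concurrent inherits it through the call, and load_user never gets a ReturnValue entry because int() stops the flow before the query, so the User it returns is not treated as user-controlled. Real Pysa adds flow sensitivity, access paths (user.id versus user) and the features described above; this toy only shows the shape of the algorithm.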

Open-source Pysa

Facebook has made Pysa open source so that others can use it to find security issues in their own Python code. It has also released the definitions (sources, sinks and sanitizers) that let Pysa analyze projects built on open-source Python frameworks such as Django and Tornado; on such projects Pysa has found security issues on its very first run.

Limitations

There is no way to build a perfect static analyzer. Pysa has its own limitations, stemming from its choice to detect security issues by data flow, together with design decisions that trade off performance against precision and accuracy. In practice this means it can miss flows through code it cannot model and report flows that are not actually exploitable, which is why the sanitizers and features described above exist.

If you have any questions, feel free to ask the community in the responses.


Translated from: https://medium.com/datadriveninvestor/static-analytics-tool-to-detect-and-prevent-security-issues-in-python-code-97641e8e4c3c
