security

📁 wutongci/agentdemo 📅 Jan 29, 2026

总安装量

周安装量

#50676

全站排名

安装命令

npx skills add https://github.com/wutongci/agentdemo --skill security

Agent 安装分布

gemini-cli 2

replit 1

amp 1

trae 1

kimi-cli 1

Skill 文档

å®å¨æ£æ¥ç¥è¯åº

OWASP Top 10 å®å¨é£é©

1. æ³¨å¥æ»å» (Injection)

SQL æ³¨å¥

æå¸¸è§åå±é©çæ»å»æ¹å¼ä¹ä¸ã

// â ä¸å®å¨ï¼SQL æ³¨å¥é£é©
query := "SELECT * FROM users WHERE username = '" + username + "'"
db.Query(query)

// â å®å¨ï¼ä½¿ç¨åæ°åæ¥è¯¢
query := "SELECT * FROM users WHERE username = ?"
db.Query(query, username)

// â å®å¨ï¼ä½¿ç¨ ORM
db.Where("username = ?", username).Find(&user)

å½ä»¤æ³¨å¥

// â ä¸å®å¨ï¼å½ä»¤æ³¨å¥é£é©
cmd := exec.Command("sh", "-c", "ls "+userInput)

// â å®å¨ï¼é¿åä½¿ç¨ shellï¼ä½¿ç¨åæ°æ°ç»
cmd := exec.Command("ls", userInput)

// â æ´å®å¨ï¼éªè¯è¾å¥
if !isValidFilename(userInput) {
    return errors.New("invalid filename")
}
cmd := exec.Command("ls", userInput)

NoSQL æ³¨å¥

// â ä¸å®å¨
db.collection.find({ username: req.body.username })

// â å®å¨ï¼ç±»åéªè¯
if (typeof req.body.username !== 'string') {
    return res.status(400).send('Invalid input')
}
db.collection.find({ username: req.body.username })

2. å¤±æçèº«ä»½è®¤è¯ (Broken Authentication)

å¯ç å®å¨

// â ä¸å®å¨ï¼ææåå¨å¯ç 
user.Password = password

// â ä¸å®å¨ï¼å¼±åå¸ç®æ³
hashedPassword := md5.Sum([]byte(password))

// â å®å¨ï¼ä½¿ç¨ bcrypt
hashedPassword, err := bcrypt.GenerateFromPassword(
    []byte(password),
    bcrypt.DefaultCost,
)

// â éªè¯å¯ç 
err := bcrypt.CompareHashAndPassword(
    []byte(user.HashedPassword),
    []byte(password),
)

ä¼è¯ç®¡ç

// â ä¸å®å¨ï¼å¯é¢æµçä¼è¯ ID
sessionID := fmt.Sprintf("%d", time.Now().Unix())

// â å®å¨ï¼ä½¿ç¨å å¯éæºæ°
sessionID, err := generateSecureToken(32)

func generateSecureToken(length int) (string, error) {
    bytes := make([]byte, length)
    if _, err := rand.Read(bytes); err != nil {
        return "", err
    }
    return base64.URLEncoding.EncodeToString(bytes), nil
}

å¤å ç´ è®¤è¯

// â å®æ½ MFA
func Login(username, password, totpCode string) error {
    user, err := authenticateUser(username, password)
    if err != nil {
        return err
    }

    if user.MFAEnabled {
        if !verifyTOTP(user.MFASecret, totpCode) {
            return errors.New("invalid MFA code")
        }
    }

    return createSession(user)
}

3. æææ°æ®æ³é² (Sensitive Data Exposure)

å å¯åå¨

// â ä¸å®å¨ï¼ææåå¨æææ°æ®
user.CreditCard = creditCardNumber

// â å®å¨ï¼å å¯æææ°æ®
encryptedData, err := encrypt(creditCardNumber, encryptionKey)
user.EncryptedCreditCard = encryptedData

HTTPS/TLS

// â ä¸å®å¨ï¼HTTP ä¼ è¾
http.ListenAndServe(":8080", handler)

// â å®å¨ï¼HTTPS ä¼ è¾
http.ListenAndServeTLS(":443", "cert.pem", "key.pem", handler)

// â å¼ºå¶ HTTPS
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
    http.Redirect(w, r, "https://"+r.Host+r.URL.String(),
        http.StatusMovedPermanently)
}

æ¥å¿è±æ

// â ä¸å®å¨ï¼è®°å½ææä¿¡æ¯
log.Printf("User login: %s, password: %s", username, password)

// â å®å¨ï¼è±æææä¿¡æ¯
log.Printf("User login: %s", username)

// â è±æå½æ°
func maskCreditCard(cc string) string {
    if len(cc) < 4 {
        return "****"
    }
    return "************" + cc[len(cc)-4:]
}

4. XML å¤é¨å®ä½ (XXE)

// â ä¸å®å¨ï¼åè®¸å¤é¨å®ä½
decoder := xml.NewDecoder(input)
decoder.Decode(&data)

// â å®å¨ï¼ç¦ç¨å¤é¨å®ä½
decoder := xml.NewDecoder(input)
decoder.Entity = xml.HTMLEntity
decoder.Strict = false

5. å¤±æçè®¿é®æ§å¶ (Broken Access Control)

æéæ£æ¥

// â ä¸å®å¨ï¼ç¼ºå°æéæ£æ¥
func DeleteUser(w http.ResponseWriter, r *http.Request) {
    userID := r.URL.Query().Get("id")
    db.Delete(&User{}, userID)
}

// â å®å¨ï¼æ£æ¥æé
func DeleteUser(w http.ResponseWriter, r *http.Request) {
    currentUser := getCurrentUser(r)
    userID := r.URL.Query().Get("id")

    // åªåè®¸ç®¡çåæç¨æ·èªå·±å é¤
    if !currentUser.IsAdmin && currentUser.ID != userID {
        http.Error(w, "Forbidden", http.StatusForbidden)
        return
    }

    db.Delete(&User{}, userID)
}

å¯¹è±¡çº§è®¿é®æ§å¶

// â éªè¯èµæºæææ
func GetDocument(w http.ResponseWriter, r *http.Request) {
    currentUser := getCurrentUser(r)
    docID := r.URL.Query().Get("id")

    var doc Document
    if err := db.First(&doc, docID).Error; err != nil {
        http.Error(w, "Not found", http.StatusNotFound)
        return
    }

    // éªè¯æææ
    if doc.OwnerID != currentUser.ID && !currentUser.IsAdmin {
        http.Error(w, "Forbidden", http.StatusForbidden)
        return
    }

    json.NewEncoder(w).Encode(doc)
}

6. å®å¨éç½®éè¯¯ (Security Misconfiguration)

ç¯å¢åé

// â ä¸å®å¨ï¼ç¡¬ç¼ç å¯é¥
const APIKey = "sk-1234567890abcdef"

// â å®å¨ï¼ä½¿ç¨ç¯å¢åé
apiKey := os.Getenv("API_KEY")
if apiKey == "" {
    log.Fatal("API_KEY not set")
}

éè¯¯ä¿¡æ¯

// â ä¸å®å¨ï¼æ´é²è¯¦ç»éè¯¯
if err != nil {
    http.Error(w, err.Error(), http.StatusInternalServerError)
}

// â å®å¨ï¼éç¨éè¯¯ä¿¡æ¯
if err != nil {
    log.Printf("Internal error: %v", err) // è®°å½è¯¦ç»éè¯¯
    http.Error(w, "Internal server error",
        http.StatusInternalServerError) // è¿åéç¨éè¯¯
}

é»è®¤åè¯

// â ä¸å®å¨ï¼ä½¿ç¨é»è®¤å¯ç 
if password == "" {
    password = "admin123"
}

// â å®å¨ï¼å¼ºå¶è®¾ç½®å¯ç 
if password == "" {
    return errors.New("password required")
}
if !isStrongPassword(password) {
    return errors.New("password too weak")
}

7. è·¨ç«èæ¬ (XSS)

è¾åºç¼ç

// â ä¸å®å¨ï¼ç´æ¥è¾åºç¨æ·è¾å¥
fmt.Fprintf(w, "<div>%s</div>", userInput)

// â å®å¨ï¼HTML è½¬ä¹
import "html"
fmt.Fprintf(w, "<div>%s</div>", html.EscapeString(userInput))

// â ä½¿ç¨æ¨¡æ¿èªå¨è½¬ä¹
tmpl.Execute(w, data)

Content Security Policy

// â è®¾ç½® CSP å¤´
w.Header().Set("Content-Security-Policy",
    "default-src 'self'; script-src 'self' 'unsafe-inline'")

8. ä¸å®å¨çååºåå (Insecure Deserialization)

// â ä¸å®å¨ï¼ååºååä¸å¯ä¿¡æ°æ®
var data MyStruct
json.Unmarshal(untrustedInput, &data)
processData(data)

// â å®å¨ï¼éªè¯åéå¶
var data MyStruct
if err := json.Unmarshal(untrustedInput, &data); err != nil {
    return fmt.Errorf("invalid input: %w", err)
}

// éªè¯æ°æ®
if err := validateData(&data); err != nil {
    return fmt.Errorf("validation failed: %w", err)
}

processData(data)

9. ä½¿ç¨å·²ç¥æ¼æ´çç»ä»¶ (Using Components with Known Vulnerabilities)

ä¾èµç®¡ç

# å®ææ´æ°ä¾èµ
go get -u ./...

# æ£æ¥å®å¨æ¼æ´
go list -json -m all | nancy sleuth

æå°åä¾èµ

// â åªå¼å¥å¿è¦çä¾èµ
// å®æå®¡æ¥åæ¸çä¸ä½¿ç¨çä¾èµ

10. ä¸è¶³çæ¥å¿åçæ§ (Insufficient Logging & Monitoring)

å®å¨äºä»¶æ¥å¿

// â è®°å½å®å¨ç¸å³äºä»¶
func Login(username, password string) error {
    user, err := db.FindUser(username)
    if err != nil {
        securityLog.Warn("Login attempt for non-existent user",
            "username", username,
            "ip", getClientIP())
        return err
    }

    if !verifyPassword(user, password) {
        securityLog.Warn("Failed login attempt",
            "username", username,
            "user_id", user.ID,
            "ip", getClientIP())
        return errors.New("invalid credentials")
    }

    securityLog.Info("Successful login",
        "username", username,
        "user_id", user.ID,
        "ip", getClientIP())
    return nil
}

å®¡è®¡æ¥å¿

// â è®°å½éè¦æä½
func DeleteUser(userID string, operatorID string) error {
    auditLog.Info("User deletion",
        "user_id", userID,
        "operator_id", operatorID,
        "timestamp", time.Now(),
        "action", "DELETE_USER")

    return db.Delete(&User{}, userID)
}

å¶ä»å¸¸è§å®å¨é®é¢

CSRF (è·¨ç«è¯·æ±ä¼ªé )

// â ä½¿ç¨ CSRF token
func HandleForm(w http.ResponseWriter, r *http.Request) {
    if !validateCSRFToken(r) {
        http.Error(w, "Invalid CSRF token", http.StatusForbidden)
        return
    }
    // å¤çè¡¨å
}

// â SameSite Cookie
http.SetCookie(w, &http.Cookie{
    Name:     "session",
    Value:    sessionID,
    SameSite: http.SameSiteStrictMode,
    Secure:   true,
    HttpOnly: true,
})

ç®å½éå

// â ä¸å®å¨ï¼ç®å½éåé£é©
filepath := "/var/www/" + userInput

// â å®å¨ï¼æ¸çè·¯å¾
filepath := filepath.Clean("/var/www/" + userInput)
if !strings.HasPrefix(filepath, "/var/www/") {
    return errors.New("invalid path")
}

éçéå¶

// â å®æ½éçéå¶
limiter := rate.NewLimiter(rate.Limit(10), 100) // 10 req/s, burst 100

func HandleRequest(w http.ResponseWriter, r *http.Request) {
    if !limiter.Allow() {
        http.Error(w, "Too many requests",
            http.StatusTooManyRequests)
        return
    }
    // å¤çè¯·æ±
}

å®å¨æ£æ¥æ¸å

è¾å¥éªè¯

ææç¨æ·è¾å¥é½ç»è¿éªè¯
ä½¿ç¨ç½ååèéé»åå
è¾å¥é¿åº¦éå¶
ç±»åæ£æ¥

è®¤è¯åææ

å¯ç å®å¨åå¨ï¼bcrypt/scryptï¼
ä¼è¯ç®¡çå®å¨
å®æ½æéæ£æ¥
æ¯æ MFA

æ°æ®ä¿æ¤

æææ°æ®å å¯
ä½¿ç¨ HTTPS
æ¥å¿è±æ
å®å¨çå¯é¥ç®¡ç

æ³¨å¥é²æ¤

ä½¿ç¨åæ°åæ¥è¯¢
é¿åå¨ææå»ºå½ä»¤
è¾åºç¼ç

éç½®å®å¨

æ ç¡¬ç¼ç å¯é¥
å®å¨çé»è®¤éç½®
æå°æéåå
å®ææ´æ°ä¾èµ

çæ§åååº

å®å¨äºä»¶æ¥å¿
å¼å¸¸çæ§
å®¡è®¡æ¥å¿
äºä»¶ååºè®¡å

å®å¨é®é¢æ¥åæ¨¡æ¿

### å®å¨é®é¢: [æ¼æ´ç±»å]

**ä¸¥éç¨åº¦**: ð´ ä¸¥é / ð¡ éè¦ / ð¢ ä¸è¬

**ä½ç½®**: [æä»¶å:è¡å·]

**æ¼æ´æè¿°**: [è¯¦ç»è¯´æå®å¨é®é¢]

**æ»å»åºæ¯**: [è¯´æå¦ä½å©ç¨è¿ä¸ªæ¼æ´]

**å½±å**: [è¯´æå¯è½çåæ]

**ä¿®å¤å»ºè®®**:
[æä¾å®å¨çä»£ç ç¤ºä¾]

**åè**: [OWASP æå¶ä»å®å¨æ åé¾æ¥]

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

security

Agent 安装分布

Skill 文档

å®å ¨æ£æ¥ç¥è¯åº

OWASP Top 10 å®å ¨é£é©

1. æ³¨å ¥æ»å» (Injection)

SQL æ³¨å ¥

å½ä»¤æ³¨å ¥

NoSQL æ³¨å ¥

2. å¤±æçèº«ä»½è®¤è¯ (Broken Authentication)

å¯ç å®å ¨

ä¼è¯ç®¡ç

å¤å ç´ è®¤è¯

3. æææ°æ®æ³é² (Sensitive Data Exposure)

å å¯å­å¨

HTTPS/TLS

æ¥å¿è±æ

4. XML å¤é¨å®ä½ (XXE)

5. å¤±æçè®¿é®æ§å¶ (Broken Access Control)

æéæ£æ¥

å¯¹è±¡çº§è®¿é®æ§å¶

6. å®å ¨é ç½®éè¯¯ (Security Misconfiguration)

ç¯å¢åé

éè¯¯ä¿¡æ¯

é»è®¤å­è¯

7. è·¨ç«èæ¬ (XSS)

è¾åºç¼ç 

Content Security Policy

8. ä¸å®å ¨çååºåå (Insecure Deserialization)

9. ä½¿ç¨å·²ç¥æ¼æ´çç»ä»¶ (Using Components with Known Vulnerabilities)

ä¾èµç®¡ç

æå°åä¾èµ

10. ä¸è¶³çæ¥å¿åçæ§ (Insufficient Logging & Monitoring)

å®å ¨äºä»¶æ¥å¿

å®¡è®¡æ¥å¿

å ¶ä»å¸¸è§å®å ¨é®é¢

CSRF (è·¨ç«è¯·æ±ä¼ªé )

ç®å½éå

éçéå¶

å®å ¨æ£æ¥æ¸ å

è¾å ¥éªè¯

è®¤è¯åææ

æ°æ®ä¿æ¤

æ³¨å ¥é²æ¤

é ç½®å®å ¨

çæ§åååº

å®å ¨é®é¢æ¥åæ¨¡æ¿

å®å¨æ£æ¥ç¥è¯åº

OWASP Top 10 å®å¨é£é©

1. æ³¨å¥æ»å» (Injection)

SQL æ³¨å¥

å½ä»¤æ³¨å¥

NoSQL æ³¨å¥

2. å¤±æçèº«ä»½è®¤è¯ (Broken Authentication)

å¯ç å®å¨

ä¼è¯ç®¡ç

å¤å ç´ è®¤è¯

3. æææ°æ®æ³é² (Sensitive Data Exposure)

å å¯åå¨

æ¥å¿è±æ

4. XML å¤é¨å®ä½ (XXE)

5. å¤±æçè®¿é®æ§å¶ (Broken Access Control)

æéæ£æ¥

å¯¹è±¡çº§è®¿é®æ§å¶

6. å®å¨éç½®éè¯¯ (Security Misconfiguration)

ç¯å¢åé

éè¯¯ä¿¡æ¯

é»è®¤åè¯

7. è·¨ç«èæ¬ (XSS)

è¾åºç¼ç

8. ä¸å®å¨çååºåå (Insecure Deserialization)

9. ä½¿ç¨å·²ç¥æ¼æ´çç»ä»¶ (Using Components with Known Vulnerabilities)

ä¾èµç®¡ç

æå°åä¾èµ

10. ä¸è¶³çæ¥å¿åçæ§ (Insufficient Logging & Monitoring)

å®å¨äºä»¶æ¥å¿

å®¡è®¡æ¥å¿

å¶ä»å¸¸è§å®å¨é®é¢

CSRF (è·¨ç«è¯·æ±ä¼ªé )

ç®å½éå

éçéå¶

å®å¨æ£æ¥æ¸å

è¾å¥éªè¯

è®¤è¯åææ

æ°æ®ä¿æ¤

æ³¨å¥é²æ¤

éç½®å®å¨

çæ§åååº

å®å¨é®é¢æ¥åæ¨¡æ¿