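PHP代码审计与安全扫描系统

代码审计是发现安全漏洞的重要手段。自动化的安全扫描可以提高审计效率。今天说说PHP代码审计和安全扫描的实现。

静态代码扫描可以检查常见的漏洞模式。

<?php

/**
 * Pattern-based static scanner.
 *
 * Each rule is a complete PCRE pattern that is matched against a file's whole
 * content; every match becomes a finding that records the rule name, its
 * severity, and the source line the match starts on. Rules are heuristics: they
 * surface candidates for human review and will produce both false positives and
 * misses.
 */
class CodeScanner
{
    /** @var array<string, array{pattern: string, severity: string, description: string}> keyed by rule name */
    private array $rules = [];

    /** @var list<array<string, mixed>> every finding from every scanFile() call so far */
    private array $findings = [];

    /**
     * Register a detection rule under $name; registering the same name again replaces it.
     *
     * @param string $pattern     full PCRE pattern including delimiters and modifiers
     * @param string $severity    free-form label ('high', 'medium', ...) used to group the report
     * @param string $description human-readable explanation copied into each finding
     */
    public function addRule(string $name, string $pattern, string $severity = 'medium', string $description = ''): void
    {
        $this->rules[$name] = compact('pattern', 'severity', 'description');
    }

    /**
     * Scan one file against every registered rule.
     *
     * The findings for this file are returned and also appended to the
     * cumulative list reported by getReport().
     *
     * @return list<array{rule: string, severity: string, description: string, file: string, line: int, code: string}>
     * @throws \RuntimeException if the file is missing or unreadable, or a rule's pattern is invalid
     */
    public function scanFile(string $filePath): array
    {
        if (!file_exists($filePath)) {
            throw new \RuntimeException("文件不存在: {$filePath}");
        }
        $content = file_get_contents($filePath);
        if ($content === false) {
            throw new \RuntimeException("无法读取文件: {$filePath}");
        }
        // Per-line copy so the offending line can be quoted in the finding.
        $lines = file($filePath) ?: [];

        $findings = [];
        foreach ($this->rules as $name => $rule) {
            $count = preg_match_all($rule['pattern'], $content, $matches, PREG_OFFSET_CAPTURE);
            if ($count === false) {
                // An invalid pattern is a configuration error, not "no match" — fail loudly
                // instead of silently reporting the file as clean for this rule.
                throw new \RuntimeException("规则 {$name} 的正则表达式无效: " . preg_last_error_msg());
            }
            foreach ($matches[0] as [, $offset]) {
                $lineNumber = $this->getLineNumber($content, $offset);
                $findings[] = [
                    'rule' => $name,
                    'severity' => $rule['severity'],
                    'description' => $rule['description'],
                    'file' => $filePath,
                    'line' => $lineNumber,
                    'code' => trim($lines[$lineNumber - 1] ?? ''),
                ];
            }
        }

        $this->findings = array_merge($this->findings, $findings);
        return $findings;
    }

    /**
     * Recursively scan every regular *.php file under $dir.
     *
     * @return list<array<string, mixed>> findings from all files, in iteration order
     * @throws \RuntimeException propagated from scanFile()
     */
    public function scanDirectory(string $dir): array
    {
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
        );
        $allFindings = [];
        foreach ($iterator as $file) {
            // Only regular files with a .php extension; directories, sockets etc. are skipped.
            if (!$file->isFile() || $file->getExtension() !== 'php') {
                continue;
            }
            $allFindings = array_merge($allFindings, $this->scanFile($file->getPathname()));
        }
        return $allFindings;
    }

    /**
     * Summarise everything scanned so far.
     *
     * @return array{total: int, by_severity: array<string, int>, findings: list<array<string, mixed>>}
     */
    public function getReport(): array
    {
        $bySeverity = [];
        foreach ($this->findings as $finding) {
            $bySeverity[$finding['severity']][] = $finding;
        }
        return [
            'total' => count($this->findings),
            'by_severity' => array_map(static fn (array $group): int => count($group), $bySeverity),
            'findings' => $this->findings,
        ];
    }

    /** 1-based line number of byte $offset within $content (newlines before the offset, plus one). */
    private function getLineNumber(string $content, int $offset): int
    {
        return substr_count(substr($content, 0, $offset), "\n") + 1;
    }
}

$scanner = new CodeScanner();

// Register the security rules. Word boundaries keep e.g. "my_system(" from
// matching the dangerous-function rule; the rest are deliberately broad.
$scanner->addRule('SQL注入', '/\$\w+\s*\.\s*\$_(GET|POST|REQUEST)\b/', 'high', '可能存在SQL注入');
$scanner->addRule('危险函数', '/\b(eval|exec|system|passthru|shell_exec|popen|proc_open|assert)\s*\(/', 'high', '使用了危险函数');
$scanner->addRule('XSS漏洞', '/echo\s+\$_(GET|POST|REQUEST)\b/', 'high', '可能存在XSS漏洞');
$scanner->addRule('硬编码密码', '/password\s*=\s*[\'"]/', 'medium', '可能存在硬编码密码');
// include/require and their _once variants, with or without parentheses, fed a variable.
$scanner->addRule('文件包含', '/\b(include|require)(_once)?\s*\(?\s*\$/', 'high', '可能存在文件包含漏洞');
$scanner->addRule('不安全的反序列化', '/\bunserialize\s*\(/', 'high', '不安全的反序列化调用');
// Backtick shell execution whose command contains a variable.
$scanner->addRule('命令注入', '/`[^`]*\$/m', 'high', '可能存在命令注入');
$scanner->addRule('文件写入', '/\b(fwrite|file_put_contents)\s*\(/', 'medium', '文件写入操作');
?>

安全检查工具对项目进行全面的安全检查

<?php

/**
 * Project-level configuration checks: .env file permissions, debug flags in
 * config/*.php, and development-version Composer dependencies.
 */
class SecurityAuditor
{
    /**
     * Run every check against $projectDir and return the issues found.
     *
     * @return list<array{type: string, severity: string, message: string}>
     */
    public function audit(string $projectDir): array
    {
        $issues = [];

        // .env usually holds secrets. Any group/other permission bit exposes it to
        // other local accounts, so test those bits rather than comparing the mode
        // numerically (a numeric "> 0600" would wrongly flag 0700 and miss nothing useful).
        $envFile = "{$projectDir}/.env";
        if (file_exists($envFile)) {
            $mode = fileperms($envFile);
            if ($mode !== false) {
                $perms = $mode & 0777;
                if (($perms & 0077) !== 0) {
                    $issues[] = [
                        'type' => 'config',
                        'severity' => 'high',
                        'message' => sprintf('.env文件权限过高: %04o', $perms),
                    ];
                }
            }
        }

        // Debug mode switched on in config/*.php. This is a literal string match only;
        // values taken from the environment (e.g. an env() call) are not detected.
        // glob() returns false on error, hence the fallback to an empty list.
        foreach (glob("{$projectDir}/config/*.php") ?: [] as $file) {
            $content = file_get_contents($file);
            if ($content === false) {
                continue;
            }
            if (str_contains($content, "'debug' => true") || str_contains($content, '"debug" => true')) {
                $issues[] = ['type' => 'config', 'severity' => 'high', 'message' => "{$file} 中debug模式开启"];
            }
        }

        // Development-version dependencies ("dev-" branch versions or the @dev stability flag).
        $composerFile = "{$projectDir}/composer.json";
        if (file_exists($composerFile)) {
            $composer = json_decode((string) file_get_contents($composerFile), true);
            if (!is_array($composer)) {
                // Malformed JSON decodes to null; report it instead of silently passing the check.
                $issues[] = ['type' => 'dependency', 'severity' => 'medium', 'message' => "{$composerFile} 不是有效的JSON"];
                $composer = [];
            }
            $require = $composer['require'] ?? [];
            foreach ((array) $require as $pkg => $version) {
                if (!is_string($version)) {
                    continue;
                }
                if (str_contains($version, 'dev-') || str_contains($version, '@dev')) {
                    $issues[] = [
                        'type' => 'dependency',
                        'severity' => 'medium',
                        'message' => "使用了开发版依赖: {$pkg}:{$version}",
                    ];
                }
            }
        }

        return $issues;
    }
}

$auditor = new SecurityAuditor();
$issues = $auditor->audit(__DIR__);
print_r($issues);
?>

依赖安全检查也是代码审计的重要组成部分。Composer的audit命令可以检查依赖的已知漏洞。

代码审计和安全扫描是安全开发生命周期的重要环节。自动化扫描可以检测常见的漏洞模式，但无法覆盖所有安全问题。人工代码审查仍然是发现业务逻辑漏洞的主要方式。静态扫描结合动态测试才能提供更全面的安全保障。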