js演练场
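--- /dev/null
+++ b/web-service/src/test/resources/playground-security-tests.http
@@ -0,0 +1,115 @@
+### Playground 安全测试用例集合
+### 用于验证JavaScript执行环境的安全性
+
+### 测试1: 系统命令执行
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-系统命令执行\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试执行系统命令...');\n \n try {\n // 尝试1: 直接访问Runtime类执行命令\n var Runtime = Java.type('java.lang.Runtime');\n var runtime = Runtime.getRuntime();\n var process = runtime.exec('whoami');\n var reader = new java.io.BufferedReader(new java.io.InputStreamReader(process.getInputStream()));\n var output = reader.readLine();\n logger.error('【安全漏洞】成功执行系统命令: ' + output);\n return '危险: 系统命令执行成功 - ' + output;\n } catch (e) {\n logger.info('Runtime.exec失败: ' + e.message);\n }\n \n try {\n // 尝试2: 使用ProcessBuilder\n var ProcessBuilder = Java.type('java.lang.ProcessBuilder');\n var pb = new ProcessBuilder(['ls', '-la']);\n var process = pb.start();\n logger.error('【安全漏洞】ProcessBuilder执行成功');\n return '危险: ProcessBuilder执行成功';\n } catch (e) {\n logger.info('ProcessBuilder失败: ' + e.message);\n }\n \n return '✓ 安全: 无法执行系统命令';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试2: 文件系统访问
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-文件系统访问\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试访问文件系统...');\n \n try {\n var Files = Java.type('java.nio.file.Files');\n var Paths = Java.type('java.nio.file.Paths');\n var path = Paths.get('/etc/passwd');\n var content = Files.readAllLines(path);\n logger.error('【安全漏洞】成功读取文件: ' + content.get(0));\n return '危险: 文件读取成功';\n } catch (e) {\n logger.info('文件读取失败: ' + e.message);\n }\n \n try {\n var FileWriter = Java.type('java.io.FileWriter');\n var writer = new FileWriter('/tmp/security_test.txt');\n writer.write('security test');\n writer.close();\n logger.error('【安全漏洞】成功写入文件');\n return '危险: 文件写入成功';\n } catch (e) {\n logger.info('文件写入失败: ' + e.message);\n }\n \n return '✓ 安全: 无法访问文件系统';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试3: 系统属性和环境变量访问
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-系统属性访问\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试访问系统属性...');\n \n try {\n var System = Java.type('java.lang.System');\n var userHome = System.getProperty('user.home');\n var userName = System.getProperty('user.name');\n var osName = System.getProperty('os.name');\n logger.error('【安全漏洞】系统属性 - HOME: ' + userHome + ', USER: ' + userName + ', OS: ' + osName);\n return '危险: 系统属性访问成功';\n } catch (e) {\n logger.info('系统属性访问失败: ' + e.message);\n }\n \n try {\n var System = Java.type('java.lang.System');\n var env = System.getenv();\n var path = env.get('PATH');\n logger.error('【安全漏洞】环境变量 PATH: ' + path);\n return '危险: 环境变量访问成功';\n } catch (e) {\n logger.info('环境变量访问失败: ' + e.message);\n }\n \n return '✓ 安全: 无法访问系统属性';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试4: 反射攻击
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-反射攻击\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试使用反射...');\n \n try {\n var Class = Java.type('java.lang.Class');\n var systemClass = Class.forName('java.lang.System');\n var methods = systemClass.getDeclaredMethods();\n logger.error('【安全漏洞】反射访问成功,System类有 ' + methods.length + ' 个方法');\n return '危险: 反射访问成功';\n } catch (e) {\n logger.info('Class.forName失败: ' + e.message);\n }\n \n try {\n var Thread = Java.type('java.lang.Thread');\n var classLoader = Thread.currentThread().getContextClassLoader();\n logger.error('【安全漏洞】获取到ClassLoader: ' + classLoader);\n return '危险: ClassLoader访问成功';\n } catch (e) {\n logger.info('ClassLoader访问失败: ' + e.message);\n }\n \n return '✓ 安全: 无法使用反射';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试5: 网络Socket连接
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-网络连接\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试创建网络连接...');\n \n try {\n var Socket = Java.type('java.net.Socket');\n var socket = new Socket('127.0.0.1', 9000);\n logger.error('【安全漏洞】Socket连接成功');\n socket.close();\n return '危险: Socket连接成功';\n } catch (e) {\n logger.info('Socket连接失败: ' + e.message);\n }\n \n try {\n var URL = Java.type('java.net.URL');\n var url = new URL('http://localhost:9000');\n var conn = url.openConnection();\n conn.connect();\n logger.error('【安全漏洞】URL连接成功');\n return '危险: URL连接成功';\n } catch (e) {\n logger.info('URL连接失败: ' + e.message);\n }\n \n return '✓ 安全: 无法创建网络连接';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试6: JVM退出攻击
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-JVM退出\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试退出JVM...');\n \n try {\n var System = Java.type('java.lang.System');\n logger.warn('准备执行 System.exit(1)...');\n System.exit(1);\n return '危险: JVM退出成功';\n } catch (e) {\n logger.info('System.exit失败: ' + e.message);\n }\n \n try {\n var Runtime = Java.type('java.lang.Runtime');\n Runtime.getRuntime().halt(1);\n return '危险: Runtime.halt成功';\n } catch (e) {\n logger.info('Runtime.halt失败: ' + e.message);\n }\n \n return '✓ 安全: 无法退出JVM';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试7: HTTP客户端SSRF攻击
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-SSRF攻击\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('测试HTTP客户端SSRF风险...');\n \n try {\n // 尝试访问内网地址\n logger.info('尝试访问本地服务...');\n var response = http.get('http://127.0.0.1:9000/v2/health');\n logger.warn('【潜在风险】可以访问内网地址,响应长度: ' + response.length);\n return '⚠ 警告: HTTP客户端可访问内网 (SSRF风险)';\n } catch (e) {\n logger.info('内网访问失败: ' + e.message);\n }\n \n try {\n // 尝试访问云服务元数据API (AWS/阿里云等)\n logger.info('尝试访问云服务元数据API...');\n var response = http.get('http://169.254.169.254/latest/meta-data/');\n logger.error('【严重漏洞】可以访问云服务元数据!');\n return '危险: 可访问云服务元数据';\n } catch (e) {\n logger.info('元数据API访问失败: ' + e.message);\n }\n \n return '✓ 提示: HTTP客户端功能正常';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试8: 尝试访问注入对象的私有方法
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-对象滥用\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('尝试滥用注入的对象...');\n \n try {\n // 尝试获取http对象的类信息\n var httpClass = http.getClass();\n logger.warn('HTTP客户端类名: ' + httpClass.getName());\n \n var methods = httpClass.getDeclaredMethods();\n logger.warn('HTTP客户端有 ' + methods.length + ' 个方法');\n \n // 列出所有方法\n for (var i = 0; i < Math.min(methods.length, 10); i++) {\n logger.info('方法' + i + ': ' + methods[i].getName());\n }\n \n return '⚠ 警告: 可以通过反射访问注入对象';\n } catch (e) {\n logger.info('对象反射失败: ' + e.message);\n }\n \n try {\n // 尝试获取shareLinkInfo的内部数据\n var infoClass = shareLinkInfo.getClass();\n var fields = infoClass.getDeclaredFields();\n logger.warn('ShareLinkInfo有 ' + fields.length + ' 个字段');\n return '⚠ 警告: 可以访问对象内部结构';\n } catch (e) {\n logger.info('字段访问失败: ' + e.message);\n }\n \n return '✓ 安全: 对象访问受限';\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试9: 无限循环DOS攻击
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-DOS攻击\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('测试DOS防护...');\n \n try {\n logger.warn('准备执行5秒的计算密集操作...');\n var startTime = new Date().getTime();\n var count = 0;\n \n // 执行5秒的计算\n while (new Date().getTime() - startTime < 5000) {\n count++;\n // 每100万次记录一次\n if (count % 1000000 === 0) {\n logger.info('已执行 ' + (count/1000000) + ' 百万次计算');\n }\n }\n \n logger.warn('⚠ 警告: 可执行长时间计算,计数: ' + count);\n return '⚠ 警告: 无超时限制 (DOS风险)';\n } catch (e) {\n logger.info('计算被中断: ' + e.message);\n return '✓ 安全: 存在执行时间限制';\n }\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+### 测试10: 内存溢出攻击
+POST http://localhost:9000/v2/playground/test
+Content-Type: application/json
+
+{
+"jsCode": "// ==UserScript==\n// @name 危险测试-内存攻击\n// @type security_test\n// @match https://test.com/*\n// ==/UserScript==\n\nfunction parse(shareLinkInfo, http, logger) {\n logger.info('测试内存限制...');\n \n try {\n logger.warn('准备创建大量字符串对象...');\n var arrays = [];\n \n // 尝试创建100个大数组\n for (var i = 0; i < 100; i++) {\n arrays.push(new Array(1000000).fill('x'.repeat(100)));\n if (i % 10 === 0) {\n logger.info('已创建 ' + i + ' 个大数组');\n }\n }\n \n logger.error('【潜在风险】成功创建大量对象,可能导致内存问题');\n return '⚠ 警告: 无内存限制';\n } catch (e) {\n logger.info('内存分配失败: ' + e.message);\n return '✓ 安全: 存在内存限制';\n }\n}",
+"shareUrl": "https://test.com/share/test123",
+"pwd": "",
+"method": "parse"
+}
+
+###
+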
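Review bot: None of the ten requests carries a machine-checked assertion — each verdict is a free-text string returned from parse(), such as `'危险: 系统命令执行成功 - '` versus `'✓ 安全: 无法执行系统命令'`, so a sandbox regression only shows up to a human reading the response body. The .http format supports a response handler, so each request could end with something like `> {% client.test("sandbox blocks command exec", function() { client.assert(!JSON.stringify(response.body).includes("危险"), "sandbox allowed the operation"); }); %}` (the response envelope is not visible in this commit, so which field to inspect needs confirming). Test 6 (`System.exit(1)` / `Runtime.getRuntime().halt(1)`) sits in the middle of the file; if the sandbox ever fails to block it, the server under test dies and tests 7–10 silently never run, so it belongs at the end or needs a comment on the `### 测试6` line saying so. Tests 9 and 10 are deliberately resource-heavy (a 5-second busy loop and 100 arrays of 1,000,000 entries), so the file header should state that the suite is for a local instance only.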