更新: 21 个文件 - 2026-03-17 00:00:00
这个提交包含在:
hao
50
README.md
50
README.md
@@ -17,30 +17,31 @@
|
||||
|
||||
```text
|
||||
websafe/
|
||||
├── 00-environments/ # 靶场与本地实验编排
|
||||
├── 00-environments/ # 系统 catalog、真实版本/当前版本 profile、synthetic 模板
|
||||
├── 01-sql-injection/ # SQL 注入实验
|
||||
├── 02-xss/ # XSS 与浏览器端注入实验
|
||||
├── 03-authentication/ # 认证、会话与 JWT 实验
|
||||
├── 04-server-security/ # 服务器、TLS、暴露面与关联面实验
|
||||
├── 05-defense/ # 检测、观测、实验对照与代码修复示例
|
||||
├── 06-case-studies/ # 授权案例与原始报告归档
|
||||
├── 06-case-studies/ # 授权案例与 run bundle / 报告归档
|
||||
├── 07-framework-security/ # CMS、电商、框架、服务器、平台系统安全
|
||||
├── 08-threat-intel/ # source-map、registry、generated、订阅规则、自动入库
|
||||
├── 08-threat-intel/ # source-map、repro-map、registry、dashboard、订阅规则、自动入库
|
||||
├── 09-scope-and-targeting/ # 授权模型、资产模板、测试记录模板
|
||||
├── requirements-intel.txt # intel 自动化依赖
|
||||
└── scripts/intel/ # hotlane / ingest / reconcile / backfill / open-pr CLI
|
||||
├── requirements-intel.txt # intel + lab 自动化依赖(含 Playwright Python 包)
|
||||
├── scripts/intel/ # hotlane / ingest / reconcile / backfill / open-pr CLI
|
||||
└── scripts/lab/ # provision / baseline / attack / browser / evidence / render / queue CLI
|
||||
```
|
||||
|
||||
## 能力矩阵
|
||||
|
||||
| 覆盖域 | 历史全量策略 | 近两年策略 | 全量 registry | 重点案例 Markdown | secure-code 关联 | 自动同步状态 |
|
||||
|--------|--------------|------------|---------------|--------------------|------------------|--------------|
|
||||
| CMS / 内容平台 | `WordPress`, `Drupal`, `Joomla` | `Ghost`, `Strapi`, `Directus`, `MediaWiki`, `Moodle`, `Discourse` | `registry/advisories + registry/systems` | `core 全量 + 高价值 extension` | `yes` | `render / ingest / hotlane / reconcile ready` |
|
||||
| 电商系统 | `Adobe Commerce`, `Magento Open Source`, `WooCommerce`, `PrestaShop`, `Shopware`, `OpenCart` | `OpenMage`, `Saleor`, `Medusa` | `registry/advisories + registry/systems` | `core 全量 + 高价值 module` | `yes` | `render / ingest / hotlane / reconcile ready` |
|
||||
| Web 框架与运行时 | `React`, `Next.js`, `Vue`, `Nuxt`, `Vite`, `Node.js`, `Nginx`, `Apache HTTP Server`, `Apache Tomcat` | 其余主流框架与运行时按 `rolling-24m` | `registry/advisories + registry/systems` | `core 全量 + 高价值 package` | `yes` | `render / ingest / hotlane / reconcile ready` |
|
||||
| 开源平台与后台系统 | `history-full` 不强制 | `phpMyAdmin`, `Adminer`, `Gitea`, `GitLab CE`, `Jenkins`, `Grafana`, `Kibana`, `Mattermost`, `Redmine` | `registry/advisories + registry/systems` | `高价值案例输出` | `yes` | `render / ingest / hotlane / reconcile ready` |
|
||||
| 修复示例库 | 不适用 | 不适用 | 不适用 | 由案例页反向链接 | `javascript-typescript`, `nodejs`, `java`, `php`, `python`, `ruby`, `csharp`, `go` | `render ready` |
|
||||
| 自动化入库 | `backfill --tier history-full` | `ingest --since`, `reconcile` | `registry + generated` | `基于 render_policy` | `front matter 反向链接` | `open-pr dry-run ready` |
|
||||
| 覆盖域 | 历史全量策略 | 近两年策略 | 全量 registry | 重点案例 Markdown | secure-code 关联 | 本地实证状态 | 浏览器证据 | run bundle | 看板展示 | 自动同步状态 |
|
||||
|--------|--------------|------------|---------------|--------------------|------------------|--------------|------------|-----------|----------|--------------|
|
||||
| CMS / 内容平台 | `WordPress`, `Drupal`, `Joomla` | `Ghost`, `Strapi`, `Directus`, `MediaWiki`, `Moodle`, `Discourse` | `registry/advisories + registry/systems` | `core 全量 + 高价值 extension` | `yes` | `verified-real / verified-synthetic / blocked-* / triage-manual` | `前端类强制` | `06-case-studies/generated-runs` | `dashboard + report` | `render / ingest / hotlane / reconcile ready` |
|
||||
| 电商系统 | `Adobe Commerce`, `Magento Open Source`, `WooCommerce`, `PrestaShop`, `Shopware`, `OpenCart` | `OpenMage`, `Saleor`, `Medusa` | `registry/advisories + registry/systems` | `core 全量 + 高价值 module` | `yes` | `同上` | `前台/后台面板类强制` | `run bundle + logs` | `dashboard + report` | `render / ingest / hotlane / reconcile ready` |
|
||||
| Web 框架与运行时 | `React`, `Next.js`, `Vue`, `Nuxt`, `Vite`, `Node.js`, `Nginx`, `Apache HTTP Server`, `Apache Tomcat` | 其余主流框架与运行时按 `rolling-24m` | `registry/advisories + registry/systems` | `core 全量 + 高价值 package` | `yes` | `family runner + advisory profile` | `浏览器/HTTP 混合` | `run bundle + timeline` | `dashboard + report` | `render / ingest / hotlane / reconcile ready` |
|
||||
| 开源平台与后台系统 | `history-full` 不强制 | `phpMyAdmin`, `Adminer`, `Gitea`, `GitLab CE`, `Jenkins`, `Grafana`, `Kibana`, `Mattermost`, `Redmine` | `registry/advisories + registry/systems` | `高价值案例输出` | `yes` | `真实版本优先` | `Web 面板类强制` | `run bundle + screenshots` | `dashboard + report` | `render / ingest / hotlane / reconcile ready` |
|
||||
| 修复示例库 | 不适用 | 不适用 | 不适用 | 由案例页反向链接 | `javascript-typescript`, `nodejs`, `java`, `php`, `python`, `ruby`, `csharp`, `go` | `由案例反向映射` | `不适用` | `不适用` | `索引页` | `render ready` |
|
||||
| 自动化入库与实证 | `backfill --tier history-full` | `ingest --since`, `reconcile` | `registry + generated + registry/runs` | `基于 render_policy` | `front matter 反向链接` | `queue + run-case / run-batch` | `Playwright required for browser cases` | `report.md / report.html / timeline.mmd` | `serve-dashboard` | `open-pr / cron ready` |
|
||||
|
||||
## 当前覆盖对象
|
||||
|
||||
@@ -62,13 +63,30 @@ python3 /Users/x/websafe/scripts/intel/main.py ingest --since last-success
|
||||
python3 /Users/x/websafe/scripts/intel/main.py reconcile
|
||||
python3 /Users/x/websafe/scripts/intel/main.py backfill --tier history-full --dry-run
|
||||
python3 /Users/x/websafe/scripts/intel/main.py open-pr --dry-run
|
||||
python3 /Users/x/websafe/scripts/lab/main.py catalog sync
|
||||
python3 /Users/x/websafe/scripts/lab/main.py validate
|
||||
python3 /Users/x/websafe/scripts/lab/main.py run-case --case nextjs--CVE-2025-29927 --dry-run
|
||||
python3 /Users/x/websafe/scripts/lab/main.py run-batch --only-hotlane --limit 10
|
||||
python3 /Users/x/websafe/scripts/lab/main.py serve-dashboard --port 8734
|
||||
```
|
||||
|
||||
计划中的本机 cron 入口:
|
||||
|
||||
- [run-hourly.sh](/Users/x/websafe/scripts/intel/run-hourly.sh) 只处理 KEV / 在野利用 / 极高优先级更新
|
||||
- [run-nightly.sh](/Users/x/websafe/scripts/intel/run-nightly.sh) 处理常规增量同步
|
||||
- [run-weekly-reconcile.sh](/Users/x/websafe/scripts/intel/run-weekly-reconcile.sh) 对齐最近 30 天更新
|
||||
- [run-hourly.sh](/Users/x/websafe/scripts/intel/run-hourly.sh) 处理 KEV / 在野利用 / 极高优先级更新,并触发 hotlane 实证队列
|
||||
- [run-nightly.sh](/Users/x/websafe/scripts/intel/run-nightly.sh) 处理常规增量同步、批量实证、dashboard 渲染和 PR
|
||||
- [run-weekly-reconcile.sh](/Users/x/websafe/scripts/intel/run-weekly-reconcile.sh) 对齐最近 30 天更新,并重跑失败/阻塞任务
|
||||
|
||||
## 本地实证链路
|
||||
|
||||
每条 advisory 的自动链路固定为:
|
||||
|
||||
1. `registry/advisories/*.json` 选中 case。
|
||||
2. `repro-map.yaml + repro-profiles/` 解析到 repro family / advisory profile。
|
||||
3. `00-environments/catalog + profiles` 生成 compose 拓扑和靶站参数。
|
||||
4. `scripts/lab/main.py run-case` 拉起环境、收集 baseline、执行受控攻击链。
|
||||
5. 前端类 case 强制走 Playwright 浏览器回放,生成截图、DOM、console、network 证据。
|
||||
6. 生成 `06-case-studies/generated-runs/<run-id>/` 报告和 `08-threat-intel/registry/runs/<run-id>.json`。
|
||||
7. 自动回写 registry、系统 INDEX、案例页和 dashboard。
|
||||
|
||||
## 实验边界
|
||||
|
||||
|
||||
在新工单中引用
屏蔽一个用户