feat(vulnTestServer): 模块化重构并增强安全性

- 将server.py拆分为模块化结构(handlers目录)
- 数据修改接口(INSERT/UPDATE)改用参数化查询防止SQL注入污染数据
- 只读查询接口保留SQL注入漏洞用于测试
- 移除堆叠查询的数据修改能力
- 添加Windows/Linux启动脚本(start.bat/start.sh)
- 更新启动横幅显示接口安全级别

Author: lanshuizhiyue

src/vulnTestServer/database.py

@@ -94,6 +94,48 @@ def init_database():
         )
     ''')
 
+    # 创建购物车表
+    cursor.execute('''
+        CREATE TABLE IF NOT EXISTS cart (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER NOT NULL,
+            product_id INTEGER NOT NULL,
+            quantity INTEGER DEFAULT 1,
+            session_id TEXT,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (user_id) REFERENCES users(id),
+            FOREIGN KEY (product_id) REFERENCES products(id)
+        )
+    ''')
+    
+    # 创建用户反馈表
+    cursor.execute('''
+        CREATE TABLE IF NOT EXISTS feedback (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER,
+            session_id TEXT,
+            title TEXT NOT NULL,
+            content TEXT NOT NULL,
+            rating INTEGER DEFAULT 5,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+        )
+    ''')
+    
+    # 创建用户会话表
+    cursor.execute('''
+        CREATE TABLE IF NOT EXISTS user_sessions (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER NOT NULL,
+            session_id TEXT NOT NULL UNIQUE,
+            token TEXT NOT NULL,
+            device_info TEXT,
+            ip_address TEXT,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            expires_at TIMESTAMP,
+            FOREIGN KEY (user_id) REFERENCES users(id)
+        )
+    ''')
+    
     # 插入测试用户
     test_users = [
         ('admin', hash_password('admin123'), 'admin@vulnshop.local', '13800000001', 'Admin Office', 99999.99, 1),

src/vulnTestServer/handlers/__init__.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+VulnShop API处理器模块
+
+按功能划分的处理器：
+- user_handlers: 用户相关（登录、注册、更新、资料）
+- product_handlers: 商品相关（列表、搜索、详情）
+- order_handlers: 订单相关（创建、查询、取消）
+- cart_handlers: 购物车相关（添加、更新）
+- system_handlers: 系统相关（配置、重置、API信息、反馈）
+"""
+
+from .user_handlers import UserHandlerMixin
+from .product_handlers import ProductHandlerMixin
+from .order_handlers import OrderHandlerMixin
+from .cart_handlers import CartHandlerMixin
+from .system_handlers import SystemHandlerMixin
+
+__all__ = [
+    'UserHandlerMixin',
+    'ProductHandlerMixin',
+    'OrderHandlerMixin',
+    'CartHandlerMixin',
+    'SystemHandlerMixin',
+]

src/vulnTestServer/handlers/base.py

@@ -0,0 +1,177 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+VulnShop 基础处理器 - 公共方法和工具函数
+
+提供所有处理器共享的响应发送、请求解析等公共功能
+"""
+
+import json
+import os
+import time
+import xml.etree.ElementTree as ET
+from urllib.parse import unquote
+from datetime import datetime
+
+
+class BaseHandlerMixin:
+    """基础处理器Mixin - 提供公共方法"""
+    
+    # 静态文件MIME类型
+    MIME_TYPES = {
+        '.html': 'text/html; charset=utf-8',
+        '.css': 'text/css; charset=utf-8',
+        '.js': 'application/javascript; charset=utf-8',
+        '.json': 'application/json; charset=utf-8',
+        '.png': 'image/png',
+        '.jpg': 'image/jpeg',
+        '.jpeg': 'image/jpeg',
+        '.gif': 'image/gif',
+        '.ico': 'image/x-icon',
+        '.svg': 'image/svg+xml',
+    }
+    
+    def log_message(self, format, *args):
+        """自定义日志格式"""
+        from config import LOG_REQUESTS, LOG_FILE
+        if LOG_REQUESTS:
+            timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+            message = f"[{timestamp}] {self.address_string()} - {format % args}"
+            print(message)
+            try:
+                os.makedirs(os.path.dirname(LOG_FILE), exist_ok=True)
+                with open(LOG_FILE, 'a', encoding='utf-8') as f:
+                    f.write(message + '\n')
+            except:
+                pass
+    
+    def send_json_response(self, data, status=200):
+        """发送JSON响应"""
+        self.send_response(status)
+        self.send_header('Content-Type', 'application/json; charset=utf-8')
+        self.send_header('Access-Control-Allow-Origin', '*')
+        self.send_header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
+        self.send_header('Access-Control-Allow-Headers', 'Content-Type, Authorization')
+        self.end_headers()
+        response = json.dumps(data, ensure_ascii=False)
+        self.wfile.write(response.encode('utf-8'))
+    
+    def send_error_response(self, message, status=400, sql_error=None):
+        """发送错误响应（可能包含SQL错误信息用于演示）"""
+        from config import DEBUG, DIFFICULTY
+        data = {
+            'success': False,
+            'message': message,
+            'timestamp': int(time.time() * 1000)
+        }
+        if sql_error and DEBUG:
+            data['debug'] = {
+                'sql_error': str(sql_error),
+                'difficulty': DIFFICULTY
+            }
+        self.send_json_response(data, status)
+    
+    def send_xml_response(self, data, status=200):
+        """发送XML响应"""
+        self.send_response(status)
+        self.send_header('Content-Type', 'application/xml; charset=utf-8')
+        self.send_header('Access-Control-Allow-Origin', '*')
+        self.send_header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
+        self.send_header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Session-Id, X-Token')
+        self.end_headers()
+        
+        # 将dict转换为XML
+        def dict_to_xml(d, root_name='response'):
+            root = ET.Element(root_name)
+            for key, value in d.items():
+                child = ET.SubElement(root, key)
+                if isinstance(value, dict):
+                    for k, v in value.items():
+                        sub = ET.SubElement(child, k)
+                        sub.text = str(v) if v is not None else ''
+                elif isinstance(value, list):
+                    for item in value:
+                        item_el = ET.SubElement(child, 'item')
+                        if isinstance(item, dict):
+                            for k, v in item.items():
+                                sub = ET.SubElement(item_el, k)
+                                sub.text = str(v) if v is not None else ''
+                        else:
+                            item_el.text = str(item)
+                else:
+                    child.text = str(value) if value is not None else ''
+            return ET.tostring(root, encoding='unicode')
+        
+        xml_str = '<?xml version="1.0" encoding="UTF-8"?>\n' + dict_to_xml(data)
+        self.wfile.write(xml_str.encode('utf-8'))
+    
+    def send_static_file(self, filepath):
+        """发送静态文件"""
+        static_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'static')
+        full_path = os.path.normpath(os.path.join(static_dir, filepath))
+        
+        # 防止目录遍历
+        if not full_path.startswith(static_dir):
+            self.send_error(403, 'Forbidden')
+            return
+        
+        if not os.path.exists(full_path):
+            self.send_error(404, 'File Not Found')
+            return
+        
+        ext = os.path.splitext(filepath)[1].lower()
+        mime_type = self.MIME_TYPES.get(ext, 'application/octet-stream')
+        
+        try:
+            with open(full_path, 'rb') as f:
+                content = f.read()
+            self.send_response(200)
+            self.send_header('Content-Type', mime_type)
+            self.send_header('Content-Length', len(content))
+            self.end_headers()
+            self.wfile.write(content)
+        except Exception as e:
+            self.send_error(500, str(e))
+    
+    def get_post_data(self):
+        """获取POST请求数据，支持JSON、URL-encoded和XML格式"""
+        content_length = int(self.headers.get('Content-Length', 0))
+        if content_length == 0:
+            return {}
+        
+        post_data = self.rfile.read(content_length).decode('utf-8')
+        content_type = self.headers.get('Content-Type', '')
+        
+        if 'application/json' in content_type:
+            try:
+                return json.loads(post_data)
+            except:
+                return {}
+        elif 'application/xml' in content_type or 'text/xml' in content_type:
+            # XML解析
+            try:
+                root = ET.fromstring(post_data)
+                result = {}
+                for child in root:
+                    result[child.tag] = child.text or ''
+                return result
+            except:
+                return {}
+        else:
+            # application/x-www-form-urlencoded
+            result = {}
+            for pair in post_data.split('&'):
+                if '=' in pair:
+                    key, value = pair.split('=', 1)
+                    result[unquote(key)] = unquote(value)
+            return result
+    
+    def get_content_type(self):
+        """获取请求的Content-Type类型"""
+        content_type = self.headers.get('Content-Type', '')
+        if 'application/json' in content_type:
+            return 'json'
+        elif 'application/xml' in content_type or 'text/xml' in content_type:
+            return 'xml'
+        else:
+            return 'form'

src/vulnTestServer/handlers/cart_handlers.py

@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+VulnShop 购物车处理器 - 购物车相关API
+
+包含：添加购物车、更新购物车
+
+注意：购物车操作涉及数据修改，使用参数化查询保护，避免SQL注入导致数据污染
+"""
+
+import sqlite3
+
+from config import DEBUG
+from database import get_db_connection
+
+
+class CartHandlerMixin:
+    """购物车相关处理器Mixin"""
+    
+    def handle_cart_add(self, data):
+        """
+        添加购物车 - URL-encoded格式 - 安全接口
+        
+        请求体示例 (application/x-www-form-urlencoded):
+        user_id=1&product_id=2&quantity=1&session_id=abc123&csrf_token=xyz789
+        
+        注意：此接口使用参数化查询，不存在SQL注入漏洞
+        （数据修改操作需保护，避免测试数据污染）
+        """
+        user_id = data.get('user_id', '')
+        product_id = data.get('product_id', '')
+        quantity = data.get('quantity', '1')
+        session_id = data.get('session_id', '')  # 会话ID
+        csrf_token = data.get('csrf_token', '')  # CSRF token
+        
+        if not user_id or not product_id:
+            self.send_json_response({'success': False, 'message': 'user_id and product_id are required'}, 400)
+            return
+        
+        # 验证参数是否为有效数字
+        try:
+            user_id_int = int(user_id)
+            product_id_int = int(product_id)
+            quantity_int = int(quantity)
+        except ValueError:
+            self.send_json_response({'success': False, 'message': 'Invalid numeric parameters'}, 400)
+            return
+        
+        if DEBUG:
+            print(f"[CartAdd] session_id={session_id}, csrf_token={csrf_token}")
+        
+        conn = get_db_connection()
+        cursor = conn.cursor()
+        
+        try:
+            # 使用参数化查询，安全插入数据
+            cursor.execute('''
+                INSERT INTO cart (user_id, product_id, quantity, session_id)
+                VALUES (?, ?, ?, ?)
+            ''', (user_id_int, product_id_int, quantity_int, session_id))
+            conn.commit()
+            cart_id = cursor.lastrowid
+            
+            self.send_json_response({
+                'success': True,
+                'message': 'Added to cart',
+                'data': {
+                    'cart_id': cart_id,
+                    'session_id': session_id
+                }
+            })
+        except sqlite3.Error as e:
+            self.send_json_response({'success': False, 'message': f'Failed to add to cart: {str(e)}'}, 500)
+        finally:
+            conn.close()
+    
+    def handle_cart_update(self, data):
+        """
+        更新购物车 - URL-encoded格式 - 安全接口
+        
+        请求体示例 (application/x-www-form-urlencoded):
+        cart_id=1&quantity=3&session_id=abc123&csrf_token=xyz789
+        
+        注意：此接口使用参数化查询，不存在SQL注入漏洞
+        （数据修改操作需保护，避免测试数据污染）
+        """
+        cart_id = data.get('cart_id', '')
+        quantity = data.get('quantity', '')
+        session_id = data.get('session_id', '')  # 会话ID
+        csrf_token = data.get('csrf_token', '')  # CSRF token
+        
+        if not cart_id:
+            self.send_json_response({'success': False, 'message': 'cart_id is required'}, 400)
+            return
+        
+        # 验证参数是否为有效数字
+        try:
+            cart_id_int = int(cart_id)
+            quantity_int = int(quantity) if quantity else 1
+        except ValueError:
+            self.send_json_response({'success': False, 'message': 'Invalid numeric parameters'}, 400)
+            return
+        
+        if DEBUG:
+            print(f"[CartUpdate] session_id={session_id}, csrf_token={csrf_token}")
+        
+        conn = get_db_connection()
+        cursor = conn.cursor()
+        
+        try:
+            # 使用参数化查询，安全更新数据
+            cursor.execute('UPDATE cart SET quantity = ? WHERE id = ?', (quantity_int, cart_id_int))
+            conn.commit()
+            
+            self.send_json_response({
+                'success': True,
+                'message': 'Cart updated',
+                'data': {
+                    'cart_id': cart_id,
+                    'session_id': session_id
+                }
+            })
+        except sqlite3.Error as e:
+            self.send_json_response({'success': False, 'message': f'Failed to update cart: {str(e)}'}, 500)
+        finally:
+            conn.close()