OWASP Juice Shop - 防御蓝图：企业级安全防护体系架构与实战

/**
 * Juice Shop 防护状况评估器
 * 用于分析当前应用的防护水平
 */
class JuiceShopDefenseAssessment {
    constructor() {
        this.defenseLayers = {
            inputValidation: this.assessInputValidation(),
            outputEncoding: this.assessOutputEncoding(),
            transportSecurity: this.assessTransportSecurity(),
            browserProtection: this.assessBrowserProtection(),
            gatewayProtection: this.assessGatewayProtection(),
            observability: this.assessObservability()
        };
    }

    /**
     * 评估输入验证防护水平
     * @returns {Object} 验证防护评估结果
     */
    assessInputValidation() {
        const issues = [];
        
        if (!this.hasInputValidationMiddleware()) {
            issues.push('缺少统一的输入验证中间件');
        }
        
        if (!this.hasComprehensiveValidationRules()) {
            issues.push('验证规则不完整，缺少类型、长度、范围检查');
        }
        
        if (!this.hasDangerousCharacterFiltering()) {
            issues.push('未过滤危险字符和控制字符');
        }

        return {
            score: this.calculateSecurityScore(issues),
            issues: issues,
            recommendations: [
                '实施统一的输入验证中间件',
                '建立完整的验证规则库',
                '添加危险字符过滤机制'
            ]
        };
    }

    /**
     * 评估输出编码防护水平
     * @returns {Object} 编码防护评估结果
     */
    assessOutputEncoding() {
        const issues = [];
        
        if (this.isUsingUnsafeTemplateEngine()) {
            issues.push('使用不安全的模板引擎，存在XSS风险');
        }
        
        if (!this.hasContextualEncoding()) {
            issues.push('缺少语境化编码，HTML/JS/URL未分别处理');
        }
        
        if (!this.hasSecureJsonOutput()) {
            issues.push('JSON输出未进行安全处理');
        }

        return {
            score: this.calculateSecurityScore(issues),
            issues: issues,
            recommendations: [
                '升级到安全的模板引擎',
                '实施语境化编码策略',
                '添加JSON输出安全处理'
            ]
        };
    }

    /**
     * 计算安全评分
     * @param {Array} issues 发现的问题列表
     * @returns {number} 安全评分 (0-100)
     */
    calculateSecurityScore(issues) {
        const baseScore = 100;
        const deductionPerIssue = 10;
        return Math.max(0, baseScore - (issues.length * deductionPerIssue));
    }

    // 辅助方法（简化实现）
    hasInputValidationMiddleware() { return false; }
    hasComprehensiveValidationRules() { return false; }
    hasDangerousCharacterFiltering() { return false; }
    isUsingUnsafeTemplateEngine() { return true; }
    hasContextualEncoding() { return false; }
    hasSecureJsonOutput() { return false; }
}

/**
 * 企业级输入验证与过滤系统
 * 提供统一的输入验证中间件和规则引擎
 */
class EnterpriseInputValidationSystem {
    constructor() {
        this.validationRules = new Map();
        this.filteringRules = new Map();
        this.initializeDefaultRules();
    }

    /**
     * 初始化默认验证规则
     */
    initializeDefaultRules() {
        // 用户名验证规则
        this.addValidationRule('username', {
            type: 'string',
            minLength: 3,
            maxLength: 50,
            pattern: /^[a-zA-Z0-9_-]+$/,
            sanitize: true,
            errorMessage: '用户名只能包含字母、数字、下划线和连字符，长度3-50字符'
        });

        // 邮箱验证规则
        this.addValidationRule('email', {
            type: 'email',
            maxLength: 254,
            pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
            sanitize: true,
            errorMessage: '请输入有效的邮箱地址'
        });

        // 密码验证规则
        this.addValidationRule('password', {
            type: 'string',
            minLength: 8,
            maxLength: 128,
            pattern: /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/,
            errorMessage: '密码必须包含大小写字母、数字和特殊字符，长度8-128字符'
        });
    }

    /**
     * 添加验证规则
     * @param {string} fieldName 字段名称
     * @param {Object} rule 验证规则
     */
    addValidationRule(fieldName, rule) {
        this.validationRules.set(fieldName, {
            ...rule,
            createdAt: new Date(),
            version: '1.0'
        });
    }

    /**
     * 验证单个字段
     * @param {string} fieldName 字段名称
     * @param {*} value 字段值
     * @returns {Object} 验证结果
     */
    validateField(fieldName, value) {
        const rule = this.validationRules.get(fieldName);
        
        if (!rule) {
            return {
                isValid: false,
                error: `未找到字段 ${fieldName} 的验证规则`,
                fieldName,
                value
            };
        }

        // 类型检查
        if (!this.checkType(value, rule.type)) {
            return {
                isValid: false,
                error: rule.errorMessage || `字段 ${fieldName} 类型错误`,
                fieldName,
                value
            };
        }

        // 长度检查
        if (rule.minLength !== undefined && value.length < rule.minLength) {
            return {
                isValid: false,
                error: rule.errorMessage || `字段 ${fieldName} 长度不能少于 ${rule.minLength}`,
                fieldName,
                value
            };
        }

        // 正则表达式检查
        if (rule.pattern && !rule.pattern.test(value)) {
            return {
                isValid: false,
                error: rule.errorMessage || `字段 ${fieldName} 格式不正确`,
                fieldName,
                value
            };
        }

        return {
            isValid: true,
            fieldName,
            value: rule.sanitize ? this.sanitizeValue(value) : value
        };
    }

    /**
     * 类型检查
     * @param {*} value 要检查的值
     * @param {string} expectedType 期望的类型
     * @returns {boolean} 类型是否匹配
     */
    checkType(value, expectedType) {
        switch (expectedType) {
            case 'string':
                return typeof value === 'string';
            case 'number':
                return typeof value === 'number';
            case 'email':
                return typeof value === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
            default:
                return true;
        }
    }

    /**
     * 清理输入值
     * @param {string} value 原始值
     * @returns {string} 清理后的值
     */
    sanitizeValue(value) {
        return value
            .trim()
            .replace(/[<>]/g, '') // 移除潜在的HTML标签
            .replace(/['"]/g, ''); // 移除引号
    }
}

// Express.js 中间件示例
const validationSystem = new EnterpriseInputValidationSystem();

function createValidationMiddleware(fieldRules) {
    return (req, res, next) => {
        const errors = [];
        const sanitizedData = {};

        for (const [fieldName, ruleName] of Object.entries(fieldRules)) {
            const value = req.body[fieldName] || req.query[fieldName] || req.params[fieldName];
            const result = validationSystem.validateField(ruleName, value);

            if (!result.isValid) {
                errors.push(result.error);
            } else {
                sanitizedData[fieldName] = result.value;
            }
        }

        if (errors.length > 0) {
            return res.status(400).json({
                success: false,
                errors: errors
            });
        }

        req.sanitizedData = sanitizedData;
        next();
    };
}

// 使用示例
app.post('/api/users', createValidationMiddleware({
    username: 'username',
    email: 'email',
    password: 'password'
}), (req, res) => {
    // 使用 req.sanitizedData 中的安全数据
    const { username, email, password } = req.sanitizedData;
    // 业务逻辑处理
});

// 好的做法：只允许已知的安全字符
function sanitizeHtml(input) {
    return input.replace(/[^a-zA-Z0-9\s\-_.]/g, '');
}

// 避免：黑名单过滤（容易被绕过）
function badSanitizeHtml(input) {
    return input.replace(/<script>/gi, ''); // 容易被 <scr<script>ipt> 绕过
}

// 第一层：前端验证（用户体验）
// 第二层：后端验证（安全保障）
// 第三层：数据库约束（最后防线）

try {
    const result = validationSystem.validateField('email', userInput);
    if (!result.isValid) {
        logger.warn('输入验证失败', { field: 'email', value: userInput });
        return res.status(400).json({ error: result.error });
    }
} catch (error) {
    logger.error('验证系统异常', { error: error.message });
    return res.status(500).json({ error: '系统错误' });
}

/**
 * 语境化编码系统
 * 根据输出上下文选择合适的编码方式
 */
class ContextualEncoder {
    constructor() {
        this.encoders = {
            html: this.htmlEncode.bind(this),
            htmlAttribute: this.htmlAttributeEncode.bind(this),
            javascript: this.javascriptEncode.bind(this),
            url: this.urlEncode.bind(this),
            css: this.cssEncode.bind(this),
            json: this.jsonEncode.bind(this)
        };
    }

    /**
     * HTML 内容编码
     * @param {string} input 原始输入
     * @returns {string} HTML编码后的内容
     */
    htmlEncode(input) {
        const div = document.createElement('div');
        div.textContent = input;
        return div.innerHTML;
    }

    /**
     * HTML 属性编码
     * @param {string} input 原始输入
     * @returns {string} HTML属性编码后的内容
     */
    htmlAttributeEncode(input) {
        return input
            .replace(/&/g, '&')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#x27;')
            .replace(/\//g, '&#x2F;');
    }

    /**
     * JavaScript 编码
     * @param {string} input 原始输入
     * @returns {string} JavaScript编码后的内容
     */
    javascriptEncode(input) {
        return input
            .replace(/\\/g, '\\\\')
            .replace(/'/g, '\\x27')
            .replace(/"/g, '\\x22')
            .replace(/</g, '\\x3c')
            .replace(/>/g, '\\x3e')
            .replace(/&/g, '\\x26')
            .replace(/\n/g, '\\n')
            .replace(/\r/g, '\\r');
    }

    /**
     * URL 编码
     * @param {string} input 原始输入
     * @returns {string} URL编码后的内容
     */
    urlEncode(input) {
        return encodeURIComponent(input);
    }

    /**
     * CSS 编码
     * @param {string} input 原始输入
     * @returns {string} CSS编码后的内容
     */
    cssEncode(input) {
        let encoded = '';
        for (let i = 0; i < input.length; i++) {
            const char = input.charCodeAt(i);
            if (char < 256) {
                encoded += '\\' + char.toString(16) + ' ';
            } else {
                encoded += input[i];
            }
        }
        return encoded;
    }

    /**
     * JSON 编码
     * @param {*} input 原始输入
     * @returns {string} JSON编码后的内容
     */
    jsonEncode(input) {
        return JSON.stringify(input);
    }

    /**
     * 根据上下文编码
     * @param {string} input 原始输入
     * @param {string} context 上下文类型
     * @returns {string} 编码后的内容
     */
    encodeForContext(input, context) {
        const encoder = this.encoders[context];
        if (!encoder) {
            throw new Error(`不支持的编码上下文: ${context}`);
        }
        return encoder(input);
    }
}

// 使用示例
const encoder = new ContextualEncoder();

// 在不同上下文中使用
const userInput = '<script>alert("xss")</script>';

// HTML 内容
const htmlContent = `<div>${encoder.encodeForContext(userInput, 'html')}</div>`;

// HTML 属性
const htmlAttribute = `<div title="${encoder.encodeForContext(userInput, 'htmlAttribute')}">内容</div>`;

// JavaScript
const jsCode = `const message = "${encoder.encodeForContext(userInput, 'javascript')}";`;

// URL
const url = `/search?q=${encoder.encodeForContext(userInput, 'url')}`;

// Express.js + EJS 安全配置
app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));

// 禁用危险的 EJS 功能
const ejs = require('ejs');
ejs.delimiter = '%'; // 使用自定义分隔符

// 安全渲染函数
function safeRender(template, data) {
    return ejs.render(template, data, {
        async: false,
        escape: (str) => encoder.encodeForContext(str, 'html')
    });
}

// React 自动进行 HTML 编码，但仍需注意：
function UserProfile({ user }) {
    // ✅ 安全：React 自动编码
    return <div>{user.name}</div>;
    
    // ❌ 危险：直接设置 HTML
    // return <div dangerouslySetInnerHTML={{ __html: user.name }} />;
    
    // ✅ 如果必须使用 dangerouslySetInnerHTML，先编码
    const safeHtml = encoder.encodeForContext(user.bio, 'html');
    return <div dangerouslySetInnerHTML={{ __html: safeHtml }} />;
}

/**
 * 智能内容安全策略管理系统
 * 根据应用特征动态生成和调整 CSP 策略
 */
class IntelligentCSPManager {
    constructor() {
        this.policies = new Map();
        this.reportAnalyzer = new CSPReportAnalyzer();
        this.policyOptimizer = new CSPPolicyOptimizer();
    }

    /**
     * 生成基础 CSP 策略
     * @param {Object} options 配置选项
     * @returns {string} CSP 策略字符串
     */
    generateBasePolicy(options = {}) {
        const {
            enableScripts = true,
            enableInlineStyles = false,
            enableEval = false,
            customDomains = [],
            reportUri = '/csp-report'
        } = options;

        const directives = [
            "default-src 'self'",
            enableScripts ? "script-src 'self'" : "script-src 'none'",
            enableInlineStyles ? "style-src 'self' 'unsafe-inline'" : "style-src 'self'",
            enableEval ? "" : "script-src 'self' 'unsafe-eval'",
            "img-src 'self' data: https:",
            "font-src 'self'",
            "connect-src 'self'",
            "frame-ancestors 'none'",
            "base-uri 'self'",
            "form-action 'self'"
        ];

        // 添加自定义域名
        if (customDomains.length > 0) {
            const domainList = customDomains.join(' ');
            directives.push(`script-src 'self' ${domainList}`);
            directives.push(`connect-src 'self' ${domainList}`);
        }

        // 添加报告 URI
        if (reportUri) {
            directives.push(`report-uri ${reportUri}`);
            directives.push(`report-to csp-endpoint`);
        }

        return directives.join('; ');
    }

    /**
     * 根据页面特征优化策略
     * @param {string} pageType 页面类型
     * @param {Object} pageFeatures 页面特征
     * @returns {string} 优化后的 CSP 策略
     */
    optimizePolicyForPage(pageType, pageFeatures) {
        let policy = this.generateBasePolicy();

        switch (pageType) {
            case 'dashboard':
                // 仪表板可能需要图表库
                policy = this.addChartLibrarySupport(policy);
                break;
            case 'editor':
                // 编辑器可能需要内联脚本
                policy = this.addEditorSupport(policy);
                break;
            case 'payment':
                // 支付页面需要最高安全级别
                policy = this.enforceStrictPolicy(policy);
                break;
        }

        return policy;
    }

    /**
     * 添加图表库支持
     * @param {string} basePolicy 基础策略
     * @returns {string} 更新后的策略
     */
    addChartLibrarySupport(basePolicy) {
        return basePolicy.replace(
            "script-src 'self'",
            "script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com"
        );
    }

    /**
     * 添加编辑器支持
     * @param {string} basePolicy 基础策略
     * @returns {string} 更新后的策略
     */
    addEditorSupport(basePolicy) {
        return basePolicy.replace(
            "style-src 'self'",
            "style-src 'self' 'unsafe-inline'"
        );
    }

    /**
     * 强制严格策略
     * @param {string} basePolicy 基础策略
     * @returns {string} 严格策略
     */
    enforceStrictPolicy(basePolicy) {
        return basePolicy
            .replace(/script-src[^;]*/, "script-src 'self'")
            .replace(/style-src[^;]*/, "style-src 'self'")
            .replace(/connect-src[^;]*/, "connect-src 'self'");
    }

    /**
     * 设置 CSP 中间件
     * @param {Object} app Express 应用
     */
    setupCSPMiddleware(app) {
        app.use((req, res, next) => {
            const pageType = this.detectPageType(req.path);
            const policy = this.optimizePolicyForPage(pageType, {});
            
            res.setHeader('Content-Security-Policy', policy);
            res.setHeader('X-Content-Type-Options', 'nosniff');
            res.setHeader('X-Frame-Options', 'DENY');
            res.setHeader('X-XSS-Protection', '1; mode=block');
            res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
            
            next();
        });
    }

    /**
     * 检测页面类型
     * @param {string} path 请求路径
     * @returns {string} 页面类型
     */
    detectPageType(path) {
        if (path.includes('/dashboard')) return 'dashboard';
        if (path.includes('/editor')) return 'editor';
        if (path.includes('/payment')) return 'payment';
        return 'default';
    }
}

/**
 * CSP 违规报告分析器
 */
class CSPReportAnalyzer {
    constructor() {
        this.violations = [];
        this.patterns = new Map();
    }

    /**
     * 处理 CSP 违规报告
     * @param {Object} report 违规报告
     */
    analyzeViolation(report) {
        const violation = {
            timestamp: new Date(),
            blockedURI: report['blocked-uri'],
            documentURI: report['document-uri'],
            effectiveDirective: report['effective-directive'],
            originalPolicy: report['original-policy'],
            referrer: report.referrer,
            sample: report.sample,
            sourceFile: report['source-file'],
            lineNumber: report['line-number'],
            columnNumber: report['column-number']
        };

        this.violations.push(violation);
        this.updatePatterns(violation);
        
        // 生成优化建议
        return this.generateOptimizationSuggestions(violation);
    }

    /**
     * 更新违规模式
     * @param {Object} violation 违规信息
     */
    updatePatterns(violation) {
        const key = `${violation.effectiveDirective}:${violation.blockedURI}`;
        const count = this.patterns.get(key) || 0;
        this.patterns.set(key, count + 1);
    }

    /**
     * 生成优化建议
     * @param {Object} violation 违规信息
     * @returns {Array} 优化建议列表
     */
    generateOptimizationSuggestions(violation) {
        const suggestions = [];
        
        switch (violation.effectiveDirective) {
            case 'script-src':
                suggestions.push({
                    type: 'domain_whitelist',
                    message: `考虑将 ${violation.blockedURI} 添加到脚本白名单`,
                    domain: violation.blockedURI
                });
                break;
            case 'style-src':
                suggestions.push({
                    type: 'inline_styles',
                    message: '检测到内联样式违规，考虑使用外部样式表或启用 unsafe-inline'
                });
                break;
            case 'connect-src':
                suggestions.push({
                    type: 'api_endpoint',
                    message: `API 端点 ${violation.blockedURI} 未在 connect-src 中指定`
                });
                break;
        }

        return suggestions;
    }
}

// Express.js 中使用示例
const cspManager = new IntelligentCSPManager();

// 设置 CSP 中间件
cspManager.setupCSPMiddleware(app);

// 处理 CSP 违规报告
app.post('/csp-report', express.json(), (req, res) => {
    const report = req.body['csp-report'];
    const suggestions = cspManager.reportAnalyzer.analyzeViolation(report);
    
    // 记录违规信息
    logger.warn('CSP 违规', {
        violation: report,
        suggestions: suggestions
    });
    
    res.status(204).end();
});

/**
 * 安全头配置中间件
 */
function securityHeadersMiddleware(req, res, next) {
    // 基础安全头
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', 'DENY');
    res.setHeader('X-XSS-Protection', '1; mode=block');
    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
    
    // HSTS (仅在生产环境 HTTPS 下启用)
    if (process.env.NODE_ENV === 'production' && req.secure) {
        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
    }
    
    // 权限策略 (替代 Feature-Policy)
    res.setHeader('Permissions-Policy', 
        'geolocation=(), ' +
        'microphone=(), ' +
        'camera=(), ' +
        'payment=(), ' +
        'usb=(), ' +
        'magnetometer=(), ' +
        'gyroscope=(), ' +
        'accelerometer=()'
    );
    
    next();
}

app.use(securityHeadersMiddleware);

/**
 * 智能Web应用防火墙系统
 * 集成规则引擎和机器学习检测
 */
class IntelligentWAF {
    constructor() {
        this.ruleEngine = new WAFRuleEngine();
        this.mlDetector = new MLAttackDetector();
        this.rateLimiter = new AdaptiveRateLimiter();
        this.threatIntel = new ThreatIntelligence();
    }

    /**
     * 检查请求
     * @param {Object} req HTTP 请求对象
     * @returns {Object} 检查结果
     */
    async inspectRequest(req) {
        const inspection = {
            timestamp: new Date(),
            requestId: this.generateRequestId(),
            clientIP: this.getClientIP(req),
            userAgent: req.get('User-Agent'),
            method: req.method,
            url: req.url,
            headers: req.headers,
            body: req.body,
            query: req.query
        };

        // 1. 基础规则检查
        const ruleResult = await this.ruleEngine.evaluate(inspection);
        if (ruleResult.blocked) {
            return this.createBlockResponse(ruleResult);
        }

        // 2. 机器学习检测
        const mlResult = await this.mlDetector.analyze(inspection);
        if (mlResult.suspicious) {
            return this.createSuspiciousResponse(mlResult);
        }

        // 3. 速率限制检查
        const rateLimitResult = await this.rateLimiter.check(inspection);
        if (rateLimitResult.blocked) {
            return this.createRateLimitResponse(rateLimitResult);
        }

        // 4. 威胁情报检查
        const threatResult = await this.threatIntel.check(inspection);
        if (threatResult.malicious) {
            return this.createThreatResponse(threatResult);
        }

        return { allowed: true, inspection };
    }

    /**
     * 生成请求ID
     * @returns {string} 唯一请求ID
     */
    generateRequestId() {
        return `waf_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
    }

    /**
     * 获取客户端真实IP
     * @param {Object} req HTTP 请求对象
     * @returns {string} 客户端IP
     */
    getClientIP(req) {
        return req.headers['x-forwarded-for'] || 
               req.headers['x-real-ip'] || 
               req.connection.remoteAddress || 
               req.socket.remoteAddress;
    }

    /**
     * 创建阻止响应
     * @param {Object} ruleResult 规则检查结果
     * @returns {Object} 阻止响应
     */
    createBlockResponse(ruleResult) {
        return {
            allowed: false,
            reason: 'rule_violation',
            ruleId: ruleResult.ruleId,
            message: ruleResult.message,
            action: 'block',
            logLevel: 'high'
        };
    }

    /**
     * 创建可疑响应
     * @param {Object} mlResult 机器学习检测结果
     * @returns {Object} 可疑响应
     */
    createSuspiciousResponse(mlResult) {
        return {
            allowed: false,
            reason: 'ml_detection',
            confidence: mlResult.confidence,
            patterns: mlResult.patterns,
            action: 'block',
            logLevel: 'medium'
        };
    }

    /**
     * 创建速率限制响应
     * @param {Object} rateLimitResult 速率限制结果
     * @returns {Object} 速率限制响应
     */
    createRateLimitResponse(rateLimitResult) {
        return {
            allowed: false,
            reason: 'rate_limit',
            limit: rateLimitResult.limit,
            current: rateLimitResult.current,
            resetTime: rateLimitResult.resetTime,
            action: 'throttle',
            logLevel: 'medium'
        };
    }

    /**
     * 创建威胁响应
     * @param {Object} threatResult 威胁检查结果
     * @returns {Object} 威胁响应
     */
    createThreatResponse(threatResult) {
        return {
            allowed: false,
            reason: 'threat_intelligence',
            threats: threatResult.threats,
            sources: threatResult.sources,
            action: 'block',
            logLevel: 'critical'
        };
    }
}

/**
 * WAF 规则引擎
 */
class WAFRuleEngine {
    constructor() {
        this.rules = new Map();
        this.initializeDefaultRules();
    }

    /**
     * 初始化默认规则
     */
    initializeDefaultRules() {
        // SQL 注入检测规则
        this.addRule('sql_injection', {
            patterns: [
                /union\s+select/i,
                /or\s+1\s*=\s*1/i,
                /drop\s+table/i,
                /insert\s+into/i,
                /delete\s+from/i,
                /exec\s*\(/i,
                /xp_cmdshell/i
            ],
            locations: ['query', 'body', 'headers'],
            severity: 'high',
            action: 'block'
        });

        // XSS 检测规则
        this.addRule('xss', {
            patterns: [
                /<script[^>]*>/i,
                /javascript:/i,
                /on\w+\s*=/i,
                /<iframe[^>]*>/i,
                /<object[^>]*>/i,
                /<embed[^>]*>/i
            ],
            locations: ['query', 'body'],
            severity: 'high',
            action: 'block'
        });

        // 路径遍历检测规则
        this.addRule('path_traversal', {
            patterns: [
                /\.\.\//,
                /%2e%2e%2f/i,
                /..\\/i,
                /%2e%2e%5c/i
            ],
            locations: ['url'],
            severity: 'high',
            action: 'block'
        });

        // 命令注入检测规则
        this.addRule('command_injection', {
            patterns: [
                /\|\s*cat/i,
                /\|\s*ls/i,
                /;\s*rm/i,
                /&&\s*rm/i,
                /\$\(/,
                /`[^`]*`/
            ],
            locations: ['query', 'body'],
            severity: 'critical',
            action: 'block'
        });
    }

    /**
     * 添加规则
     * @param {string} ruleId 规则ID
     * @param {Object} rule 规则配置
     */
    addRule(ruleId, rule) {
        this.rules.set(ruleId, {
            ...rule,
            id: ruleId,
            createdAt: new Date(),
            version: '1.0'
        });
    }

    /**
     * 评估请求
     * @param {Object} inspection 请求检查对象
     * @returns {Object} 评估结果
     */
    async evaluate(inspection) {
        for (const [ruleId, rule] of this.rules) {
            const result = await this.evaluateRule(rule, inspection);
            if (result.matched) {
                return {
                    blocked: true,
                    ruleId: ruleId,
                    message: `触发规则: ${ruleId}`,
                    details: result
                };
            }
        }

        return { blocked: false };
    }

    /**
     * 评估单个规则
     * @param {Object} rule 规则对象
     * @param {Object} inspection 请求检查对象
     * @returns {Object} 规则评估结果
     */
    async evaluateRule(rule, inspection) {
        const locations = rule.locations || ['query', 'body', 'headers'];
        
        for (const location of locations) {
            const data = this.getLocationData(inspection, location);
            if (!data) continue;

            for (const pattern of rule.patterns) {
                if (pattern.test(data)) {
                    return {
                        matched: true,
                        location: location,
                        pattern: pattern.source,
                        data: data.substring(0, 100) // 只记录前100字符
                    };
                }
            }
        }

        return { matched: false };
    }

    /**
     * 获取位置数据
     * @param {Object} inspection 请求检查对象
     * @param {string} location 数据位置
     * @returns {string} 位置数据
     */
    getLocationData(inspection, location) {
        switch (location) {
            case 'url':
                return inspection.url;
            case 'query':
                return JSON.stringify(inspection.query);
            case 'body':
                return JSON.stringify(inspection.body);
            case 'headers':
                return JSON.stringify(inspection.headers);
            default:
                return null;
        }
    }
}

/**
 * 自适应速率限制器
 */
class AdaptiveRateLimiter {
    constructor() {
        this.limits = new Map();
        this.adaptiveRules = new Map();
    }

    /**
     * 检查速率限制
     * @param {Object} inspection 请求检查对象
     * @returns {Object} 检查结果
     */
    async check(inspection) {
        const key = this.generateKey(inspection);
        const now = Date.now();
        const window = 60000; // 1分钟窗口

        // 获取当前计数
        const current = this.limits.get(key) || { count: 0, resetTime: now + window };
        
        // 检查是否需要重置
        if (now > current.resetTime) {
            current.count = 0;
            current.resetTime = now + window;
        }

        // 增加计数
        current.count++;
        this.limits.set(key, current);

        // 获取自适应限制
        const limit = this.getAdaptiveLimit(inspection);

        if (current.count > limit) {
            return {
                blocked: true,
                limit: limit,
                current: current.count,
                resetTime: current.resetTime
            };
        }

        return { blocked: false };
    }

    /**
     * 生成限制键
     * @param {Object} inspection 请求检查对象
     * @returns {string} 限制键
     */
    generateKey(inspection) {
        return `rate_limit:${inspection.clientIP}`;
    }

    /**
     * 获取自适应限制
     * @param {Object} inspection 请求检查对象
     * @returns {number} 限制数量
     */
    getAdaptiveLimit(inspection) {
        // 基础限制
        let limit = 100; // 每分钟100次请求

        // 根据用户代理调整
        if (this.isBot(inspection.userAgent)) {
            limit = 10; // 机器人限制更严格
        }

        // 根据请求路径调整
        if (inspection.url.includes('/api/')) {
            limit = 200; // API 接口限制更宽松
        }

        // 根据历史行为调整
        const history = this.getHistory(inspection.clientIP);
        if (history.violations > 0) {
            limit = Math.max(10, limit / 2); // 有违规记录的IP限制更严格
        }

        return limit;
    }

    /**
     * 检查是否为机器人
     * @param {string} userAgent 用户代理字符串
     * @returns {boolean} 是否为机器人
     */
    isBot(userAgent) {
        const botPatterns = [
            /bot/i,
            /crawler/i,
            /spider/i,
            /scraper/i
        ];

        return botPatterns.some(pattern => pattern.test(userAgent));
    }

    /**
     * 获取历史记录
     * @param {string} clientIP 客户端IP
     * @returns {Object} 历史记录
     */
    getHistory(clientIP) {
        // 这里应该连接数据库或缓存系统
        return { violations: 0 };
    }
}

// Express.js 中间件示例
const waf = new IntelligentWAF();

async function wafMiddleware(req, res, next) {
    try {
        const result = await waf.inspectRequest(req);
        
        if (!result.allowed) {
            // 记录安全事件
            logger.warn('WAF 阻止请求', {
                ip: req.ip,
                url: req.url,
                reason: result.reason,
                details: result
            });

            return res.status(403).json({
                error: 'Access Denied',
                message: '请求被WAF阻止'
            });
        }

        next();
    } catch (error) {
        logger.error('WAF 检查异常', { error: error.message });
        next(); // 出错时放行，避免影响业务
    }
}

app.use(wafMiddleware);

/**
 * 安全事件监控系统
 * 提供实时威胁检测和告警
 */
class SecurityMonitoringSystem {
    constructor() {
        this.eventCollector = new SecurityEventCollector();
        this.alertManager = new AlertManager();
        this.dashboard = new SecurityDashboard();
        this.metrics = new SecurityMetrics();
    }

    /**
     * 收集安全事件
     * @param {Object} event 安全事件
     */
    collectEvent(event) {
        const enrichedEvent = this.enrichEvent(event);
        this.eventCollector.add(enrichedEvent);
        
        // 检查是否需要告警
        if (this.shouldAlert(enrichedEvent)) {
            this.alertManager.trigger(enrichedEvent);
        }

        // 更新指标
        this.metrics.update(enrichedEvent);
    }

    /**
     * 丰富事件信息
     * @param {Object} event 原始事件
     * @returns {Object} 丰富后的事件
     */
    enrichEvent(event) {
        return {
            ...event,
            timestamp: new Date(),
            severity: this.calculateSeverity(event),
            category: this.categorizeEvent(event),
            riskScore: this.calculateRiskScore(event)
        };
    }

    /**
     * 计算事件严重性
     * @param {Object} event 事件对象
     * @returns {string} 严重性级别
     */
    calculateSeverity(event) {
        if (event.type === 'sql_injection' || event.type === 'command_injection') {
            return 'critical';
        }
        if (event.type === 'xss' || event.type === 'path_traversal') {
            return 'high';
        }
        if (event.type === 'rate_limit' || event.type === 'suspicious_activity') {
            return 'medium';
        }
        return 'low';
    }

    /**
     * 事件分类
     * @param {Object} event 事件对象
     * @returns {string} 事件类别
     */
    categorizeEvent(event) {
        const categories = {
            sql_injection: 'injection_attack',
            xss: 'client_attack',
            command_injection: 'injection_attack',
            path_traversal: 'file_access',
            rate_limit: 'abuse',
            suspicious_activity: 'anomaly'
        };

        return categories[event.type] || 'unknown';
    }

    /**
     * 计算风险评分
     * @param {Object} event 事件对象
     * @returns {number} 风险评分 (0-100)
     */
    calculateRiskScore(event) {
        let score = 0;

        // 基础分数
        const baseScores = {
            critical: 80,
            high: 60,
            medium: 40,
            low: 20
        };
        score = baseScores[this.calculateSeverity(event)] || 10;

        // 根据IP信誉调整
        if (event.ipReputation === 'malicious') {
            score = Math.min(100, score + 20);
        }

        // 根据频率调整
        if (event.frequency > 10) {
            score = Math.min(100, score + 15);
        }

        return score;
    }

    /**
     * 判断是否需要告警
     * @param {Object} event 事件对象
     * @returns {boolean} 是否需要告警
     */
    shouldAlert(event) {
        return event.severity === 'critical' || 
               event.riskScore > 70 || 
               event.frequency > 5;
    }
}

/**
 * 安全指标收集器
 */
class SecurityMetrics {
    constructor() {
        this.metrics = {
            totalRequests: 0,
            blockedRequests: 0,
            attacksByType: new Map(),
            attacksByIP: new Map(),
            responseTime: [],
            errorRate: 0
        };
    }

    /**
     * 更新指标
     * @param {Object} event 事件对象
     */
    update(event) {
        this.metrics.totalRequests++;

        if (event.blocked) {
            this.metrics.blockedRequests++;
        }

        // 按类型统计
        const typeCount = this.metrics.attacksByType.get(event.type) || 0;
        this.metrics.attacksByType.set(event.type, typeCount + 1);

        // 按IP统计
        const ipCount = this.metrics.attacksByIP.get(event.ip) || 0;
        this.metrics.attacksByIP.set(event.ip, ipCount + 1);
    }

    /**
     * 获取安全报告
     * @returns {Object} 安全报告
     */
    getSecurityReport() {
        const now = new Date();
        const last24h = new Date(now.getTime() - 24 * 60 * 60 * 1000);

        return {
            timestamp: now,
            period: '24h',
            summary: {
                totalRequests: this.metrics.totalRequests,
                blockedRequests: this.metrics.blockedRequests,
                blockRate: (this.metrics.blockedRequests / this.metrics.totalRequests * 100).toFixed(2) + '%',
                topAttackTypes: this.getTopAttackTypes(),
                topAttackerIPs: this.getTopAttackerIPs()
            },
            recommendations: this.generateRecommendations()
        };
    }

    /**
     * 获取主要攻击类型
     * @returns {Array} 攻击类型列表
     */
    getTopAttackTypes() {
        return Array.from(this.metrics.attacksByType.entries())
            .sort((a, b) => b[1] - a[1])
            .slice(0, 5)
            .map(([type, count]) => ({ type, count }));
    }

    /**
     * 获取主要攻击者IP
     * @returns {Array} IP列表
     */
    getTopAttackerIPs() {
        return Array.from(this.metrics.attacksByIP.entries())
            .sort((a, b) => b[1] - a[1])
            .slice(0, 10)
            .map(([ip, count]) => ({ ip, count }));
    }

    /**
     * 生成安全建议
     * @returns {Array} 建议列表
     */
    generateRecommendations() {
        const recommendations = [];
        const blockRate = this.metrics.blockedRequests / this.metrics.totalRequests;

        if (blockRate > 0.1) {
            recommendations.push('阻止率较高，建议检查WAF规则是否过于严格');
        }

        if (blockRate < 0.01) {
            recommendations.push('阻止率较低，建议加强安全防护措施');
        }

        const topAttacks = this.getTopAttackTypes();
        if (topAttacks.length > 0 && topAttacks[0].count > 100) {
            recommendations.push(`检测到大量${topAttacks[0].type}攻击，建议针对性加强防护`);
        }

        return recommendations;
    }
}

// 使用示例
const monitoring = new SecurityMonitoringSystem();

// 监控中间件
function monitoringMiddleware(req, res, next) {
    const startTime = Date.now();
    
    res.on('finish', () => {
        const event = {
            ip: req.ip,
            method: req.method,
            url: req.url,
            statusCode: res.statusCode,
            responseTime: Date.now() - startTime,
            userAgent: req.get('User-Agent'),
            blocked: false
        };

        monitoring.collectEvent(event);
    });

    next();
}

app.use(monitoringMiddleware);