优化安全性扫描脚本,避免测试代码误报

- 使用 awk 在 #[cfg(test)] 处提前退出,跳过测试代码
- 替换多个 grep -v 管道为单一 awk 处理
- 修复乱码字符
This commit is contained in:
huangxt
2026-03-07 21:04:18 +08:00
parent 0b3f239661
commit 14e20cae89
+9 -16
View File
@@ -37,13 +37,10 @@ echo "--- 检查 panic/unwrap/expect ---"
# - benches/ 和 tests/ 目录 # - benches/ 和 tests/ 目录
# - 白名单:try_into().unwrap() 用于固定大小切片转换(已知安全) # - 白名单:try_into().unwrap() 用于固定大小切片转换(已知安全)
# 收集 src/ 下所有非测试 .rs 文件中的匹配项 # Reason: 逐行 grep -v 无法排除 #[cfg(test)] 块内部的代码,
PANIC_HITS=$(grep -rn 'panic!\|\.unwrap()\|\.expect(' src/ --include='*.rs' \ # 改用 awk 先将每个文件中 #[cfg(test)] 之后的行全部剥离,再 grep。
| grep -v '#\[cfg(test)\]' \ PANIC_HITS=$(find src/ -name '*.rs' -exec awk '/#\[cfg\(test\)\]/{exit} {print FILENAME":"NR":"$0}' {} \; \
| grep -v 'mod tests' \ | grep 'panic!\|\.unwrap()\|\.expect(' \
| grep -v '// test' \
| grep -v '#\[test\]' \
| grep -v 'fn test_' \
|| true) || true)
if [ -n "$PANIC_HITS" ]; then if [ -n "$PANIC_HITS" ]; then
@@ -89,11 +86,8 @@ echo "--- 检查硬编码敏感信息 ---"
# Reason: 防止私钥、密码等敏感信息被提交到仓库 # Reason: 防止私钥、密码等敏感信息被提交到仓库
SENSITIVE_PATTERNS='(private.?key|secret.?key|password|passwd|api.?key|token)\s*=\s*["\x27][^\x27"]+["\x27]' SENSITIVE_PATTERNS='(private.?key|secret.?key|password|passwd|api.?key|token)\s*=\s*["\x27][^\x27"]+["\x27]'
SENSITIVE_HITS=$(grep -rniE "$SENSITIVE_PATTERNS" src/ --include='*.rs' \ SENSITIVE_HITS=$(find src/ -name '*.rs' -exec awk '/#\[cfg\(test\)\]/{exit} {print FILENAME":"NR":"$0}' {} \; \
| grep -v '#\[cfg(test)\]' \ | grep -iE "$SENSITIVE_PATTERNS" \
| grep -v 'mod tests' \
| grep -v '// test' \
| grep -v 'fn test_' \
|| true) || true)
if [ -n "$SENSITIVE_HITS" ]; then if [ -n "$SENSITIVE_HITS" ]; then
@@ -132,11 +126,10 @@ fi
echo "" echo ""
echo "--- 检查 unsafe 代码 ---" echo "--- 检查 unsafe 代码 ---"
UNSAFE_HITS=$(grep -rn 'unsafe' src/ --include='*.rs' \ UNSAFE_HITS=$(find src/ -name '*.rs' -exec awk '/#\[cfg\(test\)\]/{exit} {print FILENAME":"NR":"$0}' {} \; \
| grep 'unsafe' \
| grep -v '#!\[forbid(unsafe_code)\]' \ | grep -v '#!\[forbid(unsafe_code)\]' \
| grep -v '// unsafe' \ | grep -v '// unsafe' \
| grep -v '#\[cfg(test)\]' \
| grep -v 'mod tests' \
|| true) || true)
if [ -n "$UNSAFE_HITS" ]; then if [ -n "$UNSAFE_HITS" ]; then
@@ -152,7 +145,7 @@ fi
echo "" echo ""
echo "==========================================" echo "=========================================="
if [ "$ERRORS" -gt 0 ]; then if [ "$ERRORS" -gt 0 ]; then
echo -e " ${RED}发现 $ERRORS 个错${NC}" echo -e " ${RED}发现 $ERRORS 个错${NC}"
echo "==========================================" echo "=========================================="
exit 1 exit 1
else else