capta1n committed on
Commit 0cbce5e · verified · 1 Parent(s): cb2a32b

Add 3 files

Files changed (3)
  1. README.md +5 -3
  2. index.html +1141 -19
  3. prompts.txt +1 -0
README.md CHANGED
@@ -1,10 +1,12 @@
1
  ---
2
- title: Project8
3
- emoji: 🐠
4
  colorFrom: gray
5
  colorTo: purple
6
  sdk: static
7
  pinned: false
 
 
8
  ---
9
 
10
- Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
 
1
  ---
2
+ title: project8
3
+ emoji: 🐳
4
  colorFrom: gray
5
  colorTo: purple
6
  sdk: static
7
  pinned: false
8
+ tags:
9
+ - deepsite
10
  ---
11
 
12
+ Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
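Review bot: the README body is still only the boilerplate config-reference link; with the title lowercased to `project8`, the emoji swapped and `tags: - deepsite` added, nothing in the front matter or body says what the Space serves (the `index.html` in this same commit is an "AI SDL 数字分身" risk-detail dashboard), so add a one-line description under the front matter so the Space card is self-describing. Note also that the `-`/`+` pair on the `Check out the configuration reference` line is not a content change: it only moves from line 10 to line 12 because the two `tags` lines were inserted above it.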
index.html CHANGED
@@ -1,19 +1,1141 @@
1
- <!doctype html>
2
- <html>
3
- <head>
4
- <meta charset="utf-8" />
5
- <meta name="viewport" content="width=device-width" />
6
- <title>My static Space</title>
7
- <link rel="stylesheet" href="style.css" />
8
- </head>
9
- <body>
10
- <div class="card">
11
- <h1>Welcome to your static Space!</h1>
12
- <p>You can modify this app directly by editing <i>index.html</i> in the Files and versions tab.</p>
13
- <p>
14
- Also don't forget to check the
15
- <a href="https://huggingface.co/docs/hub/spaces" target="_blank">Spaces documentation</a>.
16
- </p>
17
- </div>
18
- </body>
19
- </html>
1
+ <!DOCTYPE html>
2
+ <html lang="zh-CN">
3
+ <head>
4
+ <meta charset="UTF-8">
5
+ <meta name="viewport" content="https://cdn.tailwindcss.com">
6
+ <title>AI SDL 数字分身 - 风险项目详情</title>
7
+ <script src="https://cdn.tailwindcss.com"></script>
8
+ <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
9
+ <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/highlight.min.js"></script>
10
+ <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/styles/atom-one-dark.min.css">
11
+ <style>
12
+ .risk-critical { background-color: #fee2e2; border-left: 4px solid #ef4444; }
13
+ .risk-high { background-color: #ffedd5; border-left: 4px solid #f97316; }
14
+ .risk-medium { background-color: #fef9c3; border-left: 4px solid #eab308; }
15
+ .risk-low { background-color: #ecfdf5; border-left: 4px solid #10b981; }
16
+
17
+ .content-container {
18
+ display: grid;
19
+ grid-template-columns: 1fr 1fr;
20
+ gap: 1rem;
21
+ height: calc(100vh - 200px);
22
+ overflow: hidden;
23
+ }
24
+
25
+ .content-panel {
26
+ overflow-y: auto;
27
+ padding: 1rem;
28
+ border: 1px solid #e5e7eb;
29
+ border-radius: 0.5rem;
30
+ height: 100%;
31
+ }
32
+
33
+ .code-block {
34
+ position: relative;
35
+ }
36
+
37
+ .code-block pre {
38
+ margin: 0;
39
+ border-radius: 0.375rem;
40
+ }
41
+
42
+ .vulnerable-line {
43
+ background-color: #fee2e2;
44
+ display: inline-block;
45
+ width: 100%;
46
+ }
47
+
48
+ .fix-suggestion {
49
+ position: absolute;
50
+ top: 100%;
51
+ left: 0;
52
+ width: 100%;
53
+ background: white;
54
+ border: 1px solid #e5e7eb;
55
+ border-radius: 0.375rem;
56
+ padding: 1rem;
57
+ box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1);
58
+ z-index: 10;
59
+ display: none;
60
+ }
61
+
62
+ .mermaid {
63
+ width: 100%;
64
+ overflow: auto;
65
+ }
66
+
67
+ .risk-marker {
68
+ fill: #ef4444;
69
+ stroke: #ef4444;
70
+ }
71
+
72
+ .highlight-risk {
73
+ background-color: #fee2e2;
74
+ padding: 0.1rem 0.2rem;
75
+ border-radius: 0.2rem;
76
+ }
77
+
78
+ .tab-content {
79
+ display: none;
80
+ }
81
+
82
+ .tab-content.active {
83
+ display: block;
84
+ }
85
+
86
+ .nav-tabs .active {
87
+ border-bottom: 2px solid #3b82f6;
88
+ color: #3b82f6;
89
+ font-weight: 600;
90
+ }
91
+ </style>
92
+ </head>
93
+ <body class="bg-gray-50">
94
+ <div class="container mx-auto px-4 py-8">
95
+ <!-- Header -->
96
+ <div class="flex justify-between items-center mb-8">
97
+ <div>
98
+ <h1 class="text-3xl font-bold text-gray-800">AI SDL 数字分身</h1>
99
+ <p class="text-gray-600">风险项目详情分析</p>
100
+ </div>
101
+ <div class="flex items-center space-x-4">
102
+ <div class="relative">
103
+ <input type="text" placeholder="搜索项目..." class="pl-10 pr-4 py-2 border rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500">
104
+ <svg class="w-5 h-5 text-gray-400 absolute left-3 top-2.5" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
105
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path>
106
+ </svg>
107
+ </div>
108
+ <button class="bg-blue-600 text-white px-4 py-2 rounded-lg hover:bg-blue-700 transition-colors">
109
+ 返回项目列表
110
+ </button>
111
+ </div>
112
+ </div>
113
+
114
+ <!-- Project Overview -->
115
+ <div class="bg-white rounded-xl shadow-md p-6 mb-8">
116
+ <div class="flex justify-between items-start mb-6">
117
+ <div>
118
+ <h2 class="text-2xl font-bold text-gray-800">项目名称: 支付宝国补项目</h2>
119
+ <div class="flex items-center mt-2">
120
+ <span class="bg-red-100 text-red-800 text-xs font-medium px-2.5 py-0.5 rounded-full">高风险</span>
121
+ <span class="ml-2 text-gray-600">最后更新: 2023-06-15 14:30</span>
122
+ </div>
123
+ </div>
124
+ <div class="flex space-x-2">
125
+ <button class="flex items-center text-blue-600 hover:text-blue-800">
126
+ <svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
127
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15.172 7l-6.586 6.586a2 2 0 102.828 2.828l6.414-6.586a4 4 0 00-5.656-5.656l-6.415 6.585a6 6 0 108.486 8.486L20.5 13"></path>
128
+ </svg>
129
+ 导出报告
130
+ </button>
131
+ <button class="flex items-center text-blue-600 hover:text-blue-800">
132
+ <svg class="w-5 h-5 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
133
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 5v.01M12 12v.01M12 19v.01M12 6a1 1 0 110-2 1 1 0 010 2zm0 7a1 1 0 110-2 1 1 0 010 2zm0 7a1 1 0 110-2 1 1 0 010 2z"></path>
134
+ </svg>
135
+ 更多操作
136
+ </button>
137
+ </div>
138
+ </div>
139
+
140
+ <div class="grid grid-cols-3 gap-6 mb-6">
141
+ <div class="bg-gray-50 p-4 rounded-lg">
142
+ <h3 class="font-medium text-gray-700 mb-2">项目参与人</h3>
143
+ <div class="flex flex-wrap gap-2">
144
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">形知</span>
145
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">铸梦</span>
146
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">洞悉</span>
147
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">隐迹</span>
148
+ <span class="bg-blue-100 text-blue-800 text-xs font-medium px-2.5 py-0.5 rounded">晨熙</span>
149
+ </div>
150
+ </div>
151
+ <div class="bg-gray-50 p-4 rounded-lg">
152
+ <h3 class="font-medium text-gray-700 mb-2">风险状态</h3>
153
+ <div class="flex items-center">
154
+ <div class="w-full bg-gray-200 rounded-full h-2.5">
155
+ <div class="bg-red-600 h-2.5 rounded-full" style="width: 65%"></div>
156
+ </div>
157
+ <span class="ml-2 text-sm font-medium text-gray-700">65% 修复</span>
158
+ </div>
159
+ </div>
160
+ <div class="bg-gray-50 p-4 rounded-lg">
161
+ <h3 class="font-medium text-gray-700 mb-2">风险分布</h3>
162
+ <div class="flex space-x-4">
163
+ <div class="flex items-center">
164
+ <div class="w-3 h-3 rounded-full bg-red-500 mr-1"></div>
165
+ <span class="text-sm">需求 2</span>
166
+ </div>
167
+ <div class="flex items-center">
168
+ <div class="w-3 h-3 rounded-full bg-orange-500 mr-1"></div>
169
+ <span class="text-sm">代码 3</span>
170
+ </div>
171
+ <div class="flex items-center">
172
+ <div class="w-3 h-3 rounded-full bg-yellow-500 mr-1"></div>
173
+ <span class="text-sm">测试 1</span>
174
+ </div>
175
+ </div>
176
+ </div>
177
+ </div>
178
+
179
+ <div class="mb-6">
180
+ <h3 class="font-medium text-gray-700 mb-2">风险概述</h3>
181
+ <div class="space-y-3">
182
+ <div class="risk-critical p-3 rounded">
183
+ <div class="flex justify-between items-center">
184
+ <span class="font-medium">需求环节: 越权访问风险</span>
185
+ <span class="text-sm bg-red-600 text-white px-2 py-0.5 rounded-full">未修复</span>
186
+ </div>
187
+ <p class="text-sm mt-1">用户权限校验不足,可能导致越权访问敏感数据</p>
188
+ </div>
189
+ <div class="risk-high p-3 rounded">
190
+ <div class="flex justify-between items-center">
191
+ <span class="font-medium">代码环节: SQL注入风险</span>
192
+ <span class="text-sm bg-orange-500 text-white px-2 py-0.5 rounded-full">修复中</span>
193
+ </div>
194
+ <p class="text-sm mt-1">OrderService.java 中直接拼接SQL语句,存在注入风险</p>
195
+ </div>
196
+ <div class="risk-medium p-3 rounded">
197
+ <div class="flex justify-between items-center">
198
+ <span class="font-medium">安全测试: 水平越权</span>
199
+ <span class="text-sm bg-yellow-500 text-white px-2 py-0.5 rounded-full">已修复</span>
200
+ </div>
201
+ <p class="text-sm mt-1">通过修改orderid参数可访问他人订单信息</p>
202
+ </div>
203
+ </div>
204
+ </div>
205
+ </div>
206
+
207
+ <!-- Navigation Tabs -->
208
+ <div class="border-b border-gray-200 mb-6">
209
+ <nav class="flex space-x-8 nav-tabs" aria-label="Tabs">
210
+ <button onclick="switchTab('requirements')" class="py-4 px-1 active inline-flex items-center text-sm font-medium">
211
+ <svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
212
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"></path>
213
+ </svg>
214
+ 需求分析
215
+ </button>
216
+ <button onclick="switchTab('code')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
217
+ <svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
218
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 20l4-16m4 4l4 4-4 4M6 16l-4-4 4-4"></path>
219
+ </svg>
220
+ 代码分析
221
+ </button>
222
+ <button onclick="switchTab('testing')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
223
+ <svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
224
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19.428 15.428a2 2 0 00-1.022-.547l-2.387-.477a6 6 0 00-3.86.494l-.318.158a6 6 0 01-3.86.494L6.05 15.21a2 2 0 00-1.806.547M8 4h8l-1 1v5.172a2 2 0 00.586 1.414l5 5c1.26 1.26.367 3.414-1.415 3.414H4.828c-1.782 0-2.674-2.154-1.414-3.414l5-5A2 2 0 009 10.172V5L8 4z"></path>
225
+ </svg>
226
+ 安全测试
227
+ </button>
228
+ <button onclick="switchTab('release')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
229
+ <svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
230
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-2-4h.01M17 16h.01"></path>
231
+ </svg>
232
+ 发布检查
233
+ </button>
234
+ <button onclick="switchTab('production')" class="py-4 px-1 inline-flex items-center text-sm font-medium">
235
+ <svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
236
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"></path>
237
+ </svg>
238
+ 线上监控
239
+ </button>
240
+ </nav>
241
+ </div>
242
+
243
+ <!-- Tab Contents -->
244
+ <div>
245
+ <!-- Requirements Tab -->
246
+ <div id="requirements" class="tab-content active">
247
+ <div class="content-container">
248
+ <!-- Left Panel - Requirements Content -->
249
+ <div class="content-panel bg-white">
250
+ <h3 class="text-lg font-medium text-gray-800 mb-4">需求文档内容</h3>
251
+ <div class="prose max-w-none">
252
+ <p>支付宝国补项目旨在为政府补贴发放提供数字化解决方案,通过支付宝平台实现补贴的精准发放和核销。</p>
253
+
254
+ <h4>1. 项目背景</h4>
255
+ <p>随着政府数字化转型的推进,各类补贴发放需要更加高效、透明和可追溯的解决方案...</p>
256
+
257
+ <h4>2. 功能需求</h4>
258
+ <p class="highlight-risk">2.1 用户认证与授权</p>
259
+ <p>系统需要支持多级用户角色,包括普通用户、商户用户、政府管理员等。用户通过支付宝账号登录后,系统应根据用户类型显示不同功能模块。</p>
260
+
261
+ <p class="highlight-risk">2.2 补贴申请与审批</p>
262
+ <p>用户可以在线提交补贴申请,上传相关证明材料。政府管理员后台可以审批这些申请,审批通过后补贴金额将直接发放到用户支付宝账户。</p>
263
+
264
+ <p>2.3 补贴核销</p>
265
+ <p>用户在指定商户消费时,可以使用补贴金额进行支付。商户通过扫码枪扫描用户付款码完成交易...</p>
266
+
267
+ <h4>3. 技术架构</h4>
268
+ <div class="mermaid">
269
+ graph TD
270
+ A[用户端] -->|HTTPS| B(API Gateway)
271
+ B --> C[认证服务]
272
+ B --> D[补贴服务]
273
+ B --> E[支付服务]
274
+ D --> F[(MySQL)]
275
+ E --> G[(Redis)]
276
+ C --> H[(LDAP)]
277
+ style D stroke:#ef4444,stroke-width:2px
278
+ style C stroke:#ef4444,stroke-width:2px
279
+ </div>
280
+
281
+ <h4>4. 数据安全</h4>
282
+ <p>所有敏感数据传输必须加密,存储数据需要脱敏处理...</p>
283
+
284
+ <p>5. 性能要求</p>
285
+ <p>系统需要支持每秒1000+的并发请求,响应时间在500ms以内...</p>
286
+ </div>
287
+ </div>
288
+
289
+ <!-- Right Panel - Security Analysis -->
290
+ <div class="content-panel bg-white">
291
+ <h3 class="text-lg font-medium text-gray-800 mb-4">安全分析结果</h3>
292
+
293
+ <div class="mb-6">
294
+ <h4 class="font-medium text-gray-700 mb-2">STRIDE 威胁建模</h4>
295
+ <div class="mermaid">
296
+ graph LR
297
+ A[用户认证] -->|Spoofing| B(冒充管理员)
298
+ A -->|Tampering| C(篡改认证令牌)
299
+ D[补贴审批] -->|Information Disclosure| E(查看他人申请)
300
+ D -->|Elevation of Privilege| F(普通用户执行审批)
301
+ style B fill:#fee2e2,stroke:#ef4444
302
+ style E fill:#fee2e2,stroke:#ef4444
303
+ style F fill:#fee2e2,stroke:#ef4444
304
+ </div>
305
+ </div>
306
+
307
+ <div class="space-y-4">
308
+ <div class="risk-critical p-4 rounded-lg">
309
+ <h4 class="font-medium mb-2">风险点: 用户权限控制不足</h4>
310
+ <div class="grid grid-cols-2 gap-2 text-sm">
311
+ <div>
312
+ <p class="text-gray-600">业务场景:</p>
313
+ <p>用户认证与授权功能</p>
314
+ </div>
315
+ <div>
316
+ <p class="text-gray-600">风险类型:</p>
317
+ <p>越权访问(EoP)</p>
318
+ </div>
319
+ <div>
320
+ <p class="text-gray-600">风险点:</p>
321
+ <p>角色权限划分不明确</p>
322
+ </div>
323
+ <div>
324
+ <p class="text-gray-600">严重程度:</p>
325
+ <p>高危</p>
326
+ </div>
327
+ </div>
328
+ <div class="mt-2">
329
+ <p class="text-gray-600">整改建议:</p>
330
+ <p>1. 明确定义各角色权限边界<br>2. 实现基于RBAC的权限控制系统<br>3. 所有敏感操作增加权限校验</p>
331
+ </div>
332
+ <button onclick="highlightText('2.1 用户认证与授权')" class="mt-2 text-blue-600 text-sm hover:underline">
333
+ 定位到需求文档
334
+ </button>
335
+ </div>
336
+
337
+ <div class="risk-high p-4 rounded-lg">
338
+ <h4 class="font-medium mb-2">风险点: 敏感信息泄露</h4>
339
+ <div class="grid grid-cols-2 gap-2 text-sm">
340
+ <div>
341
+ <p class="text-gray-600">业务场景:</p>
342
+ <p>补贴申请与审批</p>
343
+ </div>
344
+ <div>
345
+ <p class="text-gray-600">风险类型:</p>
346
+ <p>信息泄露(ID)</p>
347
+ </div>
348
+ <div>
349
+ <p class="text-gray-600">风险点:</p>
350
+ <p>审批流程可查看他人申请</p>
351
+ </div>
352
+ <div>
353
+ <p class="text-gray-600">严重程度:</p>
354
+ <p>中高危</p>
355
+ </div>
356
+ </div>
357
+ <div class="mt-2">
358
+ <p class="text-gray-600">整改建议:</p>
359
+ <p>1. 实现数据级权限控制<br>2. 审批列表过滤只显示有权限的数据<br>3. 敏感字段脱敏处理</p>
360
+ </div>
361
+ <button onclick="highlightText('2.2 补贴申请与审批')" class="mt-2 text-blue-600 text-sm hover:underline">
362
+ 定位到需求文档
363
+ </button>
364
+ </div>
365
+ </div>
366
+ </div>
367
+ </div>
368
+ </div>
369
+
370
+ <!-- Code Tab -->
371
+ <div id="code" class="tab-content">
372
+ <div class="content-container">
373
+ <!-- Left Panel - Code Content -->
374
+ <div class="content-panel bg-white">
375
+ <div class="flex justify-between items-center mb-4">
376
+ <h3 class="text-lg font-medium text-gray-800">代码内容</h3>
377
+ <div class="flex space-x-2">
378
+ <select class="border rounded px-2 py-1 text-sm">
379
+ <option>OrderService.java</option>
380
+ <option>UserService.java</option>
381
+ <option>AuthController.java</option>
382
+ </select>
383
+ <button class="bg-blue-100 text-blue-800 px-3 py-1 rounded text-sm">
384
+ 全部展开
385
+ </button>
386
+ </div>
387
+ </div>
388
+
389
+ <div class="code-block">
390
+ <pre><code class="language-java">package com.alipay.subsidy.service;
391
+
392
+ import java.sql.*;
393
+ import java.util.List;
394
+
395
+ public class OrderService {
396
+ private Connection conn;
397
+
398
+ public OrderService() {
399
+ try {
400
+ conn = DriverManager.getConnection(
401
+ "jdbc:mysql://localhost:3306/subsidy",
402
+ "root",
403
+ "password"
404
+ );
405
+ } catch (SQLException e) {
406
+ e.printStackTrace();
407
+ }
408
+ }
409
+
410
+ public List&lt;Order&gt; getOrdersByUserId(String userId) {
411
+ List&lt;Order&gt; orders = new ArrayList&lt;&gt;();
412
+ try {
413
+ // 漏洞点: SQL注入风险
414
+ <span id="vuln-line-1" class="vulnerable-line">Statement stmt = conn.createStatement();
415
+ ResultSet rs = stmt.executeQuery("SELECT * FROM orders WHERE user_id = '" + userId + "'");</span>
416
+
417
+ while (rs.next()) {
418
+ Order order = new Order();
419
+ order.setId(rs.getString("id"));
420
+ order.setAmount(rs.getBigDecimal("amount"));
421
+ orders.add(order);
422
+ }
423
+ } catch (SQLException e) {
424
+ e.printStackTrace();
425
+ }
426
+ return orders;
427
+ }
428
+
429
+ public Order getOrderById(String orderId) {
430
+ Order order = null;
431
+ try {
432
+ // 漏洞点: 越权访问风险
433
+ <span id="vuln-line-2" class="vulnerable-line">Statement stmt = conn.createStatement();
434
+ ResultSet rs = stmt.executeQuery("SELECT * FROM orders WHERE id = '" + orderId + "'");</span>
435
+
436
+ if (rs.next()) {
437
+ order = new Order();
438
+ order.setId(rs.getString("id"));
439
+ order.setUserId(rs.getString("user_id"));
440
+ order.setAmount(rs.getBigDecimal("amount"));
441
+ }
442
+ } catch (SQLException e) {
443
+ e.printStackTrace();
444
+ }
445
+ return order;
446
+ }
447
+
448
+ public void updateOrderStatus(String orderId, String status) {
449
+ try {
450
+ // 漏洞点: 缺乏权限校验
451
+ <span id="vuln-line-3" class="vulnerable-line">PreparedStatement pstmt = conn.prepareStatement(
452
+ "UPDATE orders SET status = ? WHERE id = ?"
453
+ );
454
+ pstmt.setString(1, status);
455
+ pstmt.setString(2, orderId);
456
+ pstmt.executeUpdate();</span>
457
+ } catch (SQLException e) {
458
+ e.printStackTrace();
459
+ }
460
+ }
461
+ }</code></pre>
462
+ </div>
463
+ </div>
464
+
465
+ <!-- Right Panel - Security Analysis -->
466
+ <div class="content-panel bg-white">
467
+ <h3 class="text-lg font-medium text-gray-800 mb-4">安全分析结果</h3>
468
+
469
+ <div class="space-y-4">
470
+ <div class="risk-critical p-4 rounded-lg">
471
+ <div class="flex justify-between items-start">
472
+ <div>
473
+ <h4 class="font-medium mb-1">SQL注入漏洞</h4>
474
+ <p class="text-sm text-gray-600">OrderService.java - getOrdersByUserId()</p>
475
+ </div>
476
+ <span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">高危</span>
477
+ </div>
478
+
479
+ <div class="mt-2 grid grid-cols-2 gap-2 text-sm">
480
+ <div>
481
+ <p class="text-gray-600">漏洞类型:</p>
482
+ <p>SQL注入</p>
483
+ </div>
484
+ <div>
485
+ <p class="text-gray-600">风险接口:</p>
486
+ <p>/api/orders?userId={userId}</p>
487
+ </div>
488
+ </div>
489
+
490
+ <div class="mt-2">
491
+ <p class="text-gray-600">漏洞描述:</p>
492
+ <p class="text-sm">直接拼接用户输入的userId到SQL查询中,攻击者可以构造恶意输入执行任意SQL命令。</p>
493
+ </div>
494
+
495
+ <div class="mt-2">
496
+ <p class="text-gray-600">漏洞代码:</p>
497
+ <button onclick="highlightCode('vuln-line-1')" class="text-blue-600 text-sm hover:underline">
498
+ 定位到代码
499
+ </button>
500
+ </div>
501
+
502
+ <div class="mt-2">
503
+ <p class="text-gray-600">修复建议:</p>
504
+ <pre class="bg-gray-100 p-2 rounded text-sm"><code>// 使用预编译语句修复
505
+ PreparedStatement pstmt = conn.prepareStatement(
506
+ "SELECT * FROM orders WHERE user_id = ?"
507
+ );
508
+ pstmt.setString(1, userId);
509
+ ResultSet rs = pstmt.executeQuery();</code></pre>
510
+ </div>
511
+ </div>
512
+
513
+ <div class="risk-high p-4 rounded-lg">
514
+ <div class="flex justify-between items-start">
515
+ <div>
516
+ <h4 class="font-medium mb-1">越权访问漏洞</h4>
517
+ <p class="text-sm text-gray-600">OrderService.java - getOrderById()</p>
518
+ </div>
519
+ <span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">中高危</span>
520
+ </div>
521
+
522
+ <div class="mt-2 grid grid-cols-2 gap-2 text-sm">
523
+ <div>
524
+ <p class="text-gray-600">漏洞类型:</p>
525
+ <p>水平越权</p>
526
+ </div>
527
+ <div>
528
+ <p class="text-gray-600">风险接口:</p>
529
+ <p>/api/orders/{orderId}</p>
530
+ </div>
531
+ </div>
532
+
533
+ <div class="mt-2">
534
+ <p class="text-gray-600">漏洞描述:</p>
535
+ <p class="text-sm">接口直接根据orderId查询订单信息,没有校验当前用户是否有权限访问该订单。</p>
536
+ </div>
537
+
538
+ <div class="mt-2">
539
+ <p class="text-gray-600">漏洞代码:</p>
540
+ <button onclick="highlightCode('vuln-line-2')" class="text-blue-600 text-sm hover:underline">
541
+ 定位到代码
542
+ </button>
543
+ </div>
544
+
545
+ <div class="mt-2">
546
+ <p class="text-gray-600">修复建议:</p>
547
+ <pre class="bg-gray-100 p-2 rounded text-sm"><code>// 增加权限校验
548
+ Order order = getOrderById(orderId);
549
+ if (order != null && !order.getUserId().equals(currentUserId)) {
550
+ throw new AccessDeniedException("无权访问该订单");
551
+ }
552
+ return order;</code></pre>
553
+ </div>
554
+ </div>
555
+ </div>
556
+ </div>
557
+ </div>
558
+ </div>
559
+
560
+ <!-- Security Testing Tab -->
561
+ <div id="testing" class="tab-content">
562
+ <div class="content-container">
563
+ <!-- Left Panel - Testing Content -->
564
+ <div class="content-panel bg-white">
565
+ <h3 class="text-lg font-medium text-gray-800 mb-4">测试用例与Payload</h3>
566
+
567
+ <div class="space-y-6">
568
+ <div>
569
+ <h4 class="font-medium mb-2">测试接口: /api/orders/{orderId}</h4>
570
+ <div class="code-block">
571
+ <pre><code class="language-http">GET /api/orders/1001 HTTP/1.1
572
+ Host: api.alipay-subsidy.com
573
+ Authorization: Bearer user1_token
574
+ Accept: application/json</code></pre>
575
+ </div>
576
+
577
+ <div class="mt-2">
578
+ <h5 class="font-medium text-sm mb-1">测试Payload:</h5>
579
+ <div class="code-block">
580
+ <pre><code class="language-http"># 修改orderId尝试访问他人订单
581
+ GET /api/orders/1002 HTTP/1.1
582
+ Host: api.alipay-subsidy.com
583
+ Authorization: Bearer user1_token
584
+ Accept: application/json
585
+
586
+ GET /api/orders/1003 HTTP/1.1
587
+ Host: api.alipay-subsidy.com
588
+ Authorization: Bearer user1_token
589
+ Accept: application/json</code></pre>
590
+ </div>
591
+ </div>
592
+
593
+ <div class="mt-2">
594
+ <h5 class="font-medium text-sm mb-1">测试结果:</h5>
595
+ <div class="code-block">
596
+ <pre><code class="language-json">{
597
+ "id": "1002",
598
+ "userId": "user2",
599
+ "amount": 150.00,
600
+ "items": [
601
+ {"name": "商品A", "price": 50.00},
602
+ {"name": "商品B", "price": 100.00}
603
+ ]
604
+ }</code></pre>
605
+ </div>
606
+ </div>
607
+ </div>
608
+
609
+ <div>
610
+ <h4 class="font-medium mb-2">测试接口: /api/orders?userId={userId}</h4>
611
+ <div class="code-block">
612
+ <pre><code class="language-http">GET /api/orders?userId=user1 HTTP/1.1
613
+ Host: api.alipay-subsidy.com
614
+ Authorization: Bearer user1_token
615
+ Accept: application/json</code></pre>
616
+ </div>
617
+
618
+ <div class="mt-2">
619
+ <h5 class="font-medium text-sm mb-1">SQL注入Payload:</h5>
620
+ <div class="code-block">
621
+ <pre><code class="language-http"># 基础注入测试
622
+ GET /api/orders?userId=user1' OR '1'='1 HTTP/1.1
623
+ Host: api.alipay-subsidy.com
624
+ Authorization: Bearer user1_token
625
+ Accept: application/json
626
+
627
+ # 联合查询获取其他表数据
628
+ GET /api/orders?userId=user1' UNION SELECT 1,username,password FROM users-- HTTP/1.1
629
+ Host: api.alipay-subsidy.com
630
+ Authorization: Bearer user1_token
631
+ Accept: application/json</code></pre>
632
+ </div>
633
+ </div>
634
+
635
+ <div class="mt-2">
636
+ <h5 class="font-medium text-sm mb-1">测试结果:</h5>
637
+ <div class="code-block">
638
+ <pre><code class="language-json">{
639
+ "error": "Internal Server Error",
640
+ "status": 500,
641
+ "message": "Error executing SQL query"
642
+ }</code></pre>
643
+ </div>
644
+ </div>
645
+ </div>
646
+ </div>
647
+ </div>
648
+
649
+ <!-- Right Panel - Security Analysis -->
650
+ <div class="content-panel bg-white">
651
+ <h3 class="text-lg font-medium text-gray-800 mb-4">安全测试分析</h3>
652
+
653
+ <div class="space-y-4">
654
+ <div class="risk-high p-4 rounded-lg">
655
+ <div class="flex justify-between items-start">
656
+ <div>
657
+ <h4 class="font-medium mb-1">水平越权漏洞</h4>
658
+ <p class="text-sm text-gray-600">订单信息越权访问</p>
659
+ </div>
660
+ <span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">中高危</span>
661
+ </div>
662
+
663
+ <div class="mt-2">
664
+ <p class="text-gray-600">风险接口:</p>
665
+ <p class="text-sm font-mono">/api/orders/{orderId}</p>
666
+ </div>
667
+
668
+ <div class="mt-2">
669
+ <p class="text-gray-600">风险描述:</p>
670
+ <p class="text-sm">攻击者可以通过修改orderId参数访问其他用户的订单信息,导致敏感数据泄露。</p>
671
+ </div>
672
+
673
+ <div class="mt-2">
674
+ <p class="text-gray-600">攻击手法:</p>
675
+ <ol class="list-decimal list-inside text-sm space-y-1">
676
+ <li>攻击者登录自己的账号,获取一个合法的订单ID(如1001)</li>
677
+ <li>修改请求中的orderid参数,尝试访问其他订单ID(如1002、1003等)</li>
678
+ <li>服务器未进行权限校验,攻击者成功获取其他用户的订单信息</li>
679
+ <li>通过自动化工具(如Burp Suite或脚本),批量枚举订单ID获取大量用户数据</li>
680
+ </ol>
681
+ </div>
682
+
683
+ <div class="mt-2">
684
+ <p class="text-gray-600">修复建议:</p>
685
+ <p class="text-sm">1. 服务端增加订单所属用户校验<br>2. 实现数据级权限控制<br>3. 对订单ID增加访问频率限制</p>
686
+ </div>
687
+ </div>
688
+
689
+ <div class="risk-critical p-4 rounded-lg">
690
+ <div class="flex justify-between items-start">
691
+ <div>
692
+ <h4 class="font-medium mb-1">SQL注入漏洞</h4>
693
+ <p class="text-sm text-gray-600">订单查询SQL注入</p>
694
+ </div>
695
+ <span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">高危</span>
696
+ </div>
697
+
698
+ <div class="mt-2">
699
+ <p class="text-gray-600">风险接口:</p>
700
+ <p class="text-sm font-mono">/api/orders?userId={userId}</p>
701
+ </div>
702
+
703
+ <div class="mt-2">
704
+ <p class="text-gray-600">风险描述:</p>
705
+ <p class="text-sm">接口存在SQL注入漏洞,攻击者可以构造恶意输入执行任意SQL命令,可能导致数据库信息泄露甚至服务器被控制。</p>
706
+ </div>
707
+
708
+ <div class="mt-2">
709
+ <p class="text-gray-600">攻击Payload:</p>
710
+ <div class="code-block">
711
+ <pre><code class="language-sql">user1' UNION SELECT 1,username,password FROM users--</code></pre>
712
+ </div>
713
+ </div>
714
+
715
+ <div class="mt-2">
716
+ <p class="text-gray-600">修复建议:</p>
717
+ <p class="text-sm">1. 使用预编译语句(PreparedStatement)替代字符串拼接<br>2. 实施输入验证和参数化查询<br>3. 限制数据库账户权限</p>
718
+ </div>
719
+ </div>
720
+ </div>
721
+ </div>
722
+ </div>
723
+ </div>
724
+
725
+ <!-- Release Check Tab -->
726
+ <div id="release" class="tab-content">
727
+ <div class="content-container">
728
+ <!-- Left Panel - Release Content -->
729
+ <div class="content-panel bg-white">
730
+ <h3 class="text-lg font-medium text-gray-800 mb-4">发布安全检查</h3>
731
+
732
+ <div class="space-y-4">
733
+ <div class="p-4 border rounded-lg">
734
+ <h4 class="font-medium mb-2">安全检查项</h4>
735
+ <div class="space-y-3">
736
+ <div class="flex items-center">
737
+ <svg class="w-5 h-5 text-green-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
738
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"></path>
739
+ </svg>
740
+ <span>代码静态扫描通过</span>
741
+ </div>
742
+ <div class="flex items-center">
743
+ <svg class="w-5 h-5 text-green-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
744
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"></path>
745
+ </svg>
746
+ <span>依赖库无已知漏洞</span>
747
+ </div>
748
+ <div class="flex items-center">
749
+ <svg class="w-5 h-5 text-red-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
750
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"></path>
751
+ </svg>
752
+ <span>越权风险未完全修复</span>
753
+ </div>
754
+ <div class="flex items-center">
755
+ <svg class="w-5 h-5 text-yellow-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
756
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
757
+ </svg>
758
+ <span>SQL注入风险部分修复</span>
759
+ </div>
760
+ </div>
761
+ </div>
762
+
763
+ <div class="p-4 border rounded-lg">
764
+ <h4 class="font-medium mb-2">发布检查记录</h4>
765
+ <div class="text-sm space-y-2">
766
+ <div class="flex justify-between">
767
+ <span>2023-06-10 14:30</span>
768
+ <span class="text-red-600">安全检查不通过</span>
769
+ </div>
770
+ <div class="flex justify-between">
771
+ <span>2023-06-12 09:15</span>
772
+ <span class="text-yellow-500">部分风险未修复</span>
773
+ </div>
774
+ <div class="flex justify-between">
775
+ <span>2023-06-14 16:45</span>
776
+ <span class="text-yellow-500">关键风险仍存在</span>
777
+ </div>
778
+ </div>
779
+ </div>
780
+
781
+ <div class="p-4 border rounded-lg">
782
+ <h4 class="font-medium mb-2">发布决策</h4>
783
+ <div class="flex items-center">
784
+ <svg class="w-5 h-5 text-red-500 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
785
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"></path>
786
+ </svg>
787
+ <span class="font-medium">拒绝发布</span>
788
+ </div>
789
+ <p class="text-sm mt-2">存在未修复的高危风险,不符合安全发布标准。请修复所有高风险问题后重新申请发布。</p>
790
+ </div>
791
+ </div>
792
+ </div>
793
+
794
+ <!-- Right Panel - Security Analysis -->
795
+ <div class="content-panel bg-white">
796
+ <h3 class="text-lg font-medium text-gray-800 mb-4">未修复风险分析</h3>
797
+
798
+ <div class="space-y-4">
799
+ <div class="risk-critical p-4 rounded-lg">
800
+ <div class="flex justify-between items-start">
801
+ <div>
802
+ <h4 class="font-medium mb-1">需求环节: 越权访问风险</h4>
803
+ <p class="text-sm text-gray-600">用户权限控制不足</p>
804
+ </div>
805
+ <span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">未修复</span>
806
+ </div>
807
+
808
+ <div class="mt-2 text-sm">
809
+ <p>风险描述: 用户权限校验不足,可能导致越权访问敏感数据</p>
810
+ <p class="mt-1">影响范围: 补贴审批、订单查询等核心功能</p>
811
+ </div>
812
+
813
+ <div class="mt-2">
814
+ <p class="text-gray-600">修复进度:</p>
815
+ <div class="w-full bg-gray-200 rounded-full h-2.5 mt-1">
816
+ <div class="bg-red-600 h-2.5 rounded-full" style="width: 20%"></div>
817
+ </div>
818
+ <p class="text-xs mt-1 text-gray-600">仅完成需求分析,未进行代码实现</p>
819
+ </div>
820
+ </div>
821
+
822
+ <div class="risk-high p-4 rounded-lg">
823
+ <div class="flex justify-between items-start">
824
+ <div>
825
+ <h4 class="font-medium mb-1">代码环节: SQL注入风险</h4>
826
+ <p class="text-sm text-gray-600">OrderService.java</p>
827
+ </div>
828
+ <span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">部分修复</span>
829
+ </div>
830
+
831
+ <div class="mt-2 text-sm">
832
+ <p>风险描述: 直接拼接SQL语句,存在注入风险</p>
833
+ <p class="mt-1">影响接口: /api/orders?userId={userId}</p>
834
+ </div>
835
+
836
+ <div class="mt-2">
837
+ <p class="text-gray-600">修复进度:</p>
838
+ <div class="w-full bg-gray-200 rounded-full h-2.5 mt-1">
839
+ <div class="bg-orange-500 h-2.5 rounded-full" style="width: 70%"></div>
840
+ </div>
841
+ <p class="text-xs mt-1 text-gray-600">主接口已修复,但部分边缘接口仍存在风险</p>
842
+ </div>
843
+ </div>
844
+
845
+ <div class="risk-medium p-4 rounded-lg">
846
+ <div class="flex justify-between items-start">
847
+ <div>
848
+ <h4 class="font-medium mb-1">安全测试: 水平越权</h4>
849
+ <p class="text-sm text-gray-600">订单信息越权访问</p>
850
+ </div>
851
+ <span class="bg-yellow-500 text-white text-xs px-2 py-0.5 rounded-full">已修复待验证</span>
852
+ </div>
853
+
854
+ <div class="mt-2 text-sm">
855
+ <p>风险描述: 通过修改orderid参数可访问他人订单信息</p>
856
+ <p class="mt-1">影响接口: /api/orders/{orderId}</p>
857
+ </div>
858
+
859
+ <div class="mt-2">
860
+ <p class="text-gray-600">修复进度:</p>
861
+ <div class="w-full bg-gray-200 rounded-full h-2.5 mt-1">
862
+ <div class="bg-yellow-500 h-2.5 rounded-full" style="width: 90%"></div>
863
+ </div>
864
+ <p class="text-xs mt-1 text-gray-600">代码已修复,等待安全团队验证</p>
865
+ </div>
866
+ </div>
867
+ </div>
868
+ </div>
869
+ </div>
870
+ </div>
871
+
872
+ <!-- Production Monitoring Tab -->
873
+ <div id="production" class="tab-content">
874
+ <div class="content-container">
875
+ <!-- Left Panel - Production Content -->
876
+ <div class="content-panel bg-white">
877
+ <h3 class="text-lg font-medium text-gray-800 mb-4">线上监控数据</h3>
878
+
879
+ <div class="space-y-6">
880
+ <div>
881
+ <h4 class="font-medium mb-2">安全事件记录</h4>
882
+ <div class="border rounded-lg overflow-hidden">
883
+ <table class="min-w-full divide-y divide-gray-200">
884
+ <thead class="bg-gray-50">
885
+ <tr>
886
+ <th class="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">时间</th>
887
+ <th class="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">事件类型</th>
888
+ <th class="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">状态</th>
889
+ </tr>
890
+ </thead>
891
+ <tbody class="bg-white divide-y divide-gray-200">
892
+ <tr>
893
+ <td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">2023-06-08 03:15</td>
894
+ <td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">异常登录尝试</td>
895
+ <td class="px-4 py-2 whitespace-nowrap">
896
+ <span class="px-2 py-1 text-xs rounded-full bg-green-100 text-green-800">已处理</span>
897
+ </td>
898
+ </tr>
899
+ <tr>
900
+ <td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">2023-06-10 14:30</td>
901
+ <td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">SQL注入攻击</td>
902
+ <td class="px-4 py-2 whitespace-nowrap">
903
+ <span class="px-2 py-1 text-xs rounded-full bg-red-100 text-red-800">待修复</span>
904
+ </td>
905
+ </tr>
906
+ <tr>
907
+ <td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">2023-06-12 09:15</td>
908
+ <td class="px-4 py-2 whitespace-nowrap text-sm text-gray-900">批量订单查询</td>
909
+ <td class="px-4 py-2 whitespace-nowrap">
910
+ <span class="px-2 py-1 text-xs rounded-full bg-yellow-100 text-yellow-800">监控中</span>
911
+ </td>
912
+ </tr>
913
+ </tbody>
914
+ </table>
915
+ </div>
916
+ </div>
917
+
918
+ <div>
919
+ <h4 class="font-medium mb-2">风险趋势</h4>
920
+ <div class="border rounded-lg p-4">
921
+ <div class="flex items-center justify-center h-64">
922
+ <p class="text-gray-500">风险趋势图表区域</p>
923
+ </div>
924
+ </div>
925
+ </div>
926
+ </div>
927
+ </div>
928
+
929
+ <!-- Right Panel - Security Analysis -->
930
+ <div class="content-panel bg-white">
931
+ <h3 class="text-lg font-medium text-gray-800 mb-4">线上风险分析</h3>
932
+
933
+ <div class="space-y-4">
934
+ <div class="risk-critical p-4 rounded-lg">
935
+ <div class="flex justify-between items-start">
936
+ <div>
937
+ <h4 class="font-medium mb-1">SQL注入攻击</h4>
938
+ <p class="text-sm text-gray-600">2023-06-10 14:30</p>
939
+ </div>
940
+ <span class="bg-red-600 text-white text-xs px-2 py-0.5 rounded-full">高危</span>
941
+ </div>
942
+
943
+ <div class="mt-2 text-sm">
944
+ <p>攻击描述: 攻击者尝试通过userId参数注入SQL命令</p>
945
+ <p class="mt-1">攻击Payload: <code class="bg-gray-100 px-1 rounded">user1' UNION SELECT 1,username,password FROM users--</code></p>
946
+ <p class="mt-1">影响范围: 订单查询接口</p>
947
+ </div>
948
+
949
+ <div class="mt-2">
950
+ <p class="text-gray-600">修复情况:</p>
951
+ <div class="flex items-center mt-1">
952
+ <svg class="w-5 h-5 text-yellow-500 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
953
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
954
+ </svg>
955
+ <span>已热修复,待版本更新</span>
956
+ </div>
957
+ </div>
958
+ </div>
959
+
960
+ <div class="risk-high p-4 rounded-lg">
961
+ <div class="flex justify-between items-start">
962
+ <div>
963
+ <h4 class="font-medium mb-1">批量订单查询</h4>
964
+ <p class="text-sm text-gray-600">2023-06-12 09:15</p>
965
+ </div>
966
+ <span class="bg-orange-500 text-white text-xs px-2 py-0.5 rounded-full">中高危</span>
967
+ </div>
968
+
969
+ <div class="mt-2 text-sm">
970
+ <p>攻击描述: 同一IP在短时间内发起大量订单查询请求</p>
971
+ <p class="mt-1">请求频率: 120次/分钟</p>
972
+ <p class="mt-1">影响范围: 订单查询接口</p>
973
+ </div>
974
+
975
+ <div class="mt-2">
976
+ <p class="text-gray-600">处理措施:</p>
977
+ <ol class="list-decimal list-inside text-sm space-y-1 mt-1">
978
+ <li>已临时封禁攻击IP</li>
979
+ <li>增加接口频率限制(60次/分钟)</li>
980
+ <li>增加异常行为监控告警</li>
981
+ </ol>
982
+ </div>
983
+ </div>
984
+
985
+ <div class="risk-medium p-4 rounded-lg">
986
+ <div class="flex justify-between items-start">
987
+ <div>
988
+ <h4 class="font-medium mb-1">异常登录尝试</h4>
989
+ <p class="text-sm text-gray-600">2023-06-08 03:15</p>
990
+ </div>
991
+ <span class="bg-yellow-500 text-white text-xs px-2 py-0.5 rounded-full">中危</span>
992
+ </div>
993
+
994
+ <div class="mt-2 text-sm">
995
+ <p>攻击描述: 来自异常地理位置的登录尝试</p>
996
+ <p class="mt-1">攻击IP: 192.168.34.56 (俄罗斯)</p>
997
+ <p class="mt-1">攻击方式: 密码爆破</p>
998
+ </div>
999
+
1000
+ <div class="mt-2">
1001
+ <p class="text-gray-600">处理结果:</p>
1002
+ <div class="flex items-center mt-1">
1003
+ <svg class="w-5 h-5 text-green-500 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
1004
+ <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"></path>
1005
+ </svg>
1006
+ <span>已阻止,账户安全</span>
1007
+ </div>
1008
+ </div>
1009
+ </div>
1010
+ </div>
1011
+ </div>
1012
+ </div>
1013
+ </div>
1014
+ </div>
1015
+ </div>
1016
+
1017
+ <script>
1018
+ // Initialize Mermaid
1019
+ mermaid.initialize({
1020
+ startOnLoad: true,
1021
+ theme: 'default',
1022
+ flowchart: { useMaxWidth: true }
1023
+ });
1024
+
1025
+ // Initialize Highlight.js
1026
+ document.addEventListener('DOMContentLoaded', (event) => {
1027
+ document.querySelectorAll('pre code').forEach((el) => {
1028
+ hljs.highlightElement(el);
1029
+ });
1030
+ });
1031
+
1032
+ // Switch tabs
1033
+ function switchTab(tabId) {
1034
+ // Hide all tab contents
1035
+ document.querySelectorAll('.tab-content').forEach(tab => {
1036
+ tab.classList.remove('active');
1037
+ });
1038
+
1039
+ // Remove active class from all tabs
1040
+ document.querySelectorAll('.nav-tabs button').forEach(tab => {
1041
+ tab.classList.remove('active');
1042
+ });
1043
+
1044
+ // Show selected tab content
1045
+ document.getElementById(tabId).classList.add('active');
1046
+
1047
+ // Add active class to clicked tab
1048
+ event.currentTarget.classList.add('active');
1049
+ }
1050
+
1051
+ // Highlight text in requirements
1052
+ function highlightText(text) {
1053
+ const elements = document.querySelectorAll('.highlight-risk');
1054
+ elements.forEach(el => {
1055
+ el.classList.remove('highlight-risk');
1056
+ });
1057
+
1058
+ const targetElements = document.querySelectorAll(`p:contains('${text}'), h4:contains('${text}')`);
1059
+ targetElements.forEach(el => {
1060
+ el.classList.add('highlight-risk');
1061
+ el.scrollIntoView({ behavior: 'smooth', block: 'center' });
1062
+ });
1063
+ }
1064
+
1065
+ // Highlight code line
1066
+ function highlightCode(lineId) {
1067
+ const elements = document.querySelectorAll('.vulnerable-line');
1068
+ elements.forEach(el => {
1069
+ el.classList.remove('vulnerable-line-highlight');
1070
+ });
1071
+
1072
+ const targetElement = document.getElementById(lineId);
1073
+ if (targetElement) {
1074
+ targetElement.classList.add('vulnerable-line-highlight');
1075
+ targetElement.scrollIntoView({ behavior: 'smooth', block: 'center' });
1076
+
1077
+ // Show fix suggestion if available
1078
+ const suggestion = targetElement.nextElementSibling;
1079
+ if (suggestion && suggestion.classList.contains('fix-suggestion')) {
1080
+ suggestion.style.display = 'block';
1081
+
1082
+ // Hide after 5 seconds
1083
+ setTimeout(() => {
1084
+ suggestion.style.display = 'none';
1085
+ }, 5000);
1086
+ }
1087
+ }
1088
+ }
1089
+
1090
+ // Polyfill for :contains selector
1091
+ (function() {
1092
+ const matches = Element.prototype.matches ||
1093
+ Element.prototype.matchesSelector ||
1094
+ Element.prototype.webkitMatchesSelector;
1095
+
1096
+ Element.prototype.matchesSelector = matches;
1097
+
1098
+ if (!Element.prototype.matches) {
1099
+ Element.prototype.matches = function(selector) {
1100
+ return this.matchesSelector(selector);
1101
+ };
1102
+ }
1103
+
1104
+ if (!Element.prototype.contains) {
1105
+ Element.prototype.contains = function(node) {
1106
+ if (!node) return false;
1107
+ if (this === node) return true;
1108
+ return this.contains(node.parentNode);
1109
+ };
1110
+ }
1111
+
1112
+ const elements = document.querySelectorAll('*');
1113
+
1114
+ Element.prototype.containsText = function(text) {
1115
+ return this.textContent.includes(text);
1116
+ };
1117
+
1118
+ document.querySelectorAll = function(selector) {
1119
+ const all = [];
1120
+
1121
+ if (selector.includes(':contains(')) {
1122
+ const [tag, text] = selector.split(':contains(');
1123
+ const searchText = text.replace(')', '');
1124
+
1125
+ for (let i = 0; i < elements.length; i++) {
1126
+ const el = elements[i];
1127
+
1128
+ if ((!tag || el.matches(tag)) && el.containsText(searchText)) {
1129
+ all.push(el);
1130
+ }
1131
+ }
1132
+
1133
+ return all;
1134
+ }
1135
+
1136
+ return this.querySelectorAll.apply(document, arguments);
1137
+ };
1138
+ })();
1139
+ </script>
1140
+ <p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/project8" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
1141
+ </html>
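Review bot: the `:contains` polyfill at the end of the script breaks every other selector on the page. The override `document.querySelectorAll = function(selector) {` falls through to `return this.querySelectorAll.apply(document, arguments);`, but by then `this.querySelectorAll` is the override itself, so any call whose selector lacks `:contains(` (for example `document.querySelectorAll('.tab-content')` in `switchTab`, or the `pre code` query in the DOMContentLoaded handler) recurses until it throws a RangeError; capture the native function before reassigning (`const nativeQuerySelectorAll = document.querySelectorAll.bind(document);`) and delegate to that. The `:contains(` branch does not work either: `highlightText` builds the selector `p:contains('${text}'), h4:contains('${text}')`, so `selector.split(':contains(')` yields three parts and the destructured `text` is `'${text}'), h4`; `replace(')', '')` removes only the first parenthesis and leaves the quotes, so `containsText(searchText)` never matches. Simpler and safer than a custom pseudo-selector: filter `nativeQuerySelectorAll('p, h4')` by `textContent.includes(text)` directly, which also avoids snapshotting `elements` once at load so that nodes added later are never searched. In `switchTab`, `event.currentTarget` is read from the implicit global `window.event` rather than a parameter; pass the event from the click handler. Finally, the mock data in the monitoring tab is internally inconsistent: the table marks the 2023-06-10 14:30 SQL injection event `待修复` while the analysis card for the same event says `已热修复,待版本更新`, and `192.168.34.56` is an RFC 1918 private address that cannot geolocate to 俄罗斯; use an RFC 5737 documentation range such as 203.0.113.0/24 for sample external IPs.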
prompts.txt ADDED
@@ -0,0 +1 @@
 
 
1
+ 风险项目 AI SDL数字分身在每个环节发现的风险,最终将信息聚合成"某个项目在某个环节存在某风险" 的形式产出告警(项目是唯一维度,如果一个项目在多个环节存在风险需聚合在一起),例 支付宝国补项目在代码和需求环节存在越权和sql注入风险。 项目详情 告警出来的风险项目,点击进入详情页,将项目分为需求-代码-安全测试-发布-线上5个模块,每个模块都包含内容--安全分析结果,需要在内容上动态展示分析过程和同步展示风险对应的内容,因为安全分析是对内容进行分析最终产出安全分析结果。 项目概要内容: 项目名称:支付宝国补项目 项目参与人:形知、铸梦、洞悉、隐迹、晨熙 风险概述:总结每个环节发现的风险以及修复进度 需求模块: ● 内容:展示项目对应的需求文档文字内容(长度是两千字)包含对应的技术架构图 ● 分析结果:需求对应的STRIDE威胁建模图需包含风险功能标记(集成mermaid.js)、安全风险:业务场景-风险点-风险类型-整改建议 代码模块: ● 内容:展示项目对应的多文件全部代码内容和接口地址,代码内容是java代码 ● 分析结果:安全风险:漏洞名称、风险接口、漏洞类型、漏洞级别、漏洞描述、漏洞代码、修复建议(展示推荐的修复代码) 安全测试: ● 内容:展示对应的风险接口以及每个风险接口对应的攻击payload和攻击结果 ● 分析结果:风险接口地址、风险描述、攻击payload请求内容、攻击手法(1、攻击者登录自己的账号,获取一个合法的订单 ID(如 1001)2、修改请求中的 orderid 参数,尝试访问其他订单 ID(如 1002、1003 等)3、如果服务器未进行权限校验,攻击者将成功获取其他用户的订单信息4、通过自动化工具(如 Burp Suite 或编写脚本),攻击者可以批量枚举订单 ID,获取大量用户的敏感数据。) 发布: ● 内容:展示在发布环节进行安全检查的内容,检查之前环节积累下来的风险是否修复 ● 分析结果:未修复的风险,在之前的每个环节发现但未修复的风险,例代码环节的越权风险未修复、发布决策:拒绝发布 线上: ● 内容:展示发现的漏洞或者入侵事件风险 ● 分析结果:展示漏洞的修复情况 设计要求 每个模块的布局都是左右布局,左边展示原始内容、右边展示安全分析结果,并且不同风险等级展示不同的颜色 需求模块: 1. 完整展示项目对应的需求内容,需求内容的长度是一千字并且风险需求内容红色高亮展示 2. 技术架构图支持缩放/平移(集成mermaid.js) 3. 威胁建模图是对需求文档进行STRIDE威胁建模分析后集成mermaid.js展示威胁建模图,并且在图上标记出风险点 4. 安全风险分析点击可以定位到对应的需求文档内容 代码模块: 1. 代码高亮显示(支持多种语言) 2. 漏洞代码行用红色高亮展示,点击弹出修复建议浮层 3. 分析出来的漏洞代码点击后可以直接定位并且高亮对应的原文代码 安全测试模块: 1. Payload展示采用代码块样式并支持修复
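Review bot: the specification contradicts itself and the page it generated. Under 需求模块 the requirements document is described as 两千字, while 设计要求 item 1 says 一千字; the 发布 example names the unresolved 越权风险 as found in the 代码环节, but index.html's release tab labels it `需求环节: 越权访问风险` and tracks SQL injection as the 代码环节 finding; and 设计要求 for 安全测试模块 ends with "支持修复" where the surrounding items list rendering features, so "复制" (copy) looks like the intended word. Pick one source of truth for the lengths and per-stage risk assignment, and commit the prompt with a short header stating that all project names, participants, endpoints and payloads in the generated page are fabricated demo data so later readers do not treat them as real findings.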