Spaces:

teoat
/

zenith-backend

Paused

App Files Files Community

zenith-backend / app /services /advanced_security.py

teoat

fix(backend): fix port and health check robustness

d29a5a0 verified 3 months ago

raw

history blame contribute delete

22.7 kB

	"""
	Advanced Security Hardening Suite
	Zenith Fraud Detection Platform - Enterprise-Grade Security
	"""

	import time
	import logging
	from datetime import datetime
	from typing import Any
	from dataclasses import dataclass
	import re

	from app.services.monitoring_collector import MonitoringCollector


	@dataclass
	class SecurityEvent:
	"""Security event data structure"""

	timestamp: datetime
	event_type: str
	severity: str
	source_ip: str
	user_agent: str
	details: dict[str, Any]
	risk_score: int


	class AdvancedSecurityManager:
	"""Advanced security management with AI-powered threat detection"""

	def __init__(self):
	self.monitoring_collector = MonitoringCollector()
	self.blocked_ips = set()
	self.suspicious_patterns = []
	self.security_events = []
	self.rate_limit_store = {}
	self.anomaly_detector = AnomalyDetector()
	self.logger = logging.getLogger(__name__)

	async def initialize(self):
	"""Initialize advanced security features"""
	await self.load_security_policies()
	await self.setup_threat_intelligence()
	await self.configure_advanced_rules()
	self.logger.info("Advanced security manager initialized")

	async def analyze_request_security(self, request_data: dict[str, Any]) -> SecurityEvent:
	"""Advanced request security analysis"""
	security_score = 0
	security_issues = []

	# IP-based analysis
	ip_analysis = await self.analyze_ip_risk(request_data.get("client_ip", ""))
	security_score += ip_analysis["risk_score"]
	security_issues.extend(ip_analysis["issues"])

	# Request pattern analysis
	pattern_analysis = await self.analyze_request_patterns(request_data)
	security_score += pattern_analysis["risk_score"]
	security_issues.extend(pattern_analysis["issues"])

	# Payload analysis for attacks
	payload_analysis = await self.analyze_payload_security(request_data)
	security_score += payload_analysis["risk_score"]
	security_issues.extend(payload_analysis["issues"])

	# User behavior analysis
	behavior_analysis = await self.analyze_user_behavior(request_data)
	security_score += behavior_analysis["risk_score"]
	security_issues.extend(behavior_analysis["issues"])

	# Create security event
	event = SecurityEvent(
	timestamp=datetime.utcnow(),
	event_type="REQUEST_SECURITY_ANALYSIS",
	severity=self._calculate_severity(security_score),
	source_ip=request_data.get("client_ip", ""),
	user_agent=request_data.get("user_agent", ""),
	details={
	"security_score": security_score,
	"issues": security_issues,
	"endpoint": request_data.get("endpoint", ""),
	"method": request_data.get("method", ""),
	},
	risk_score=security_score,
	)

	# Log security event
	await self.log_security_event(event)

	# Auto-block if high risk
	if security_score > 80:
	await self.auto_block_ip(request_data.get("client_ip", ""), "High risk score detected")

	return event

	async def analyze_ip_risk(self, ip: str) -> dict[str, Any]:
	"""Advanced IP risk analysis"""
	risk_score = 0
	issues = []

	# Check against blocked IPs
	if ip in self.blocked_ips:
	risk_score += 100
	issues.append("IP already blocked")

	# Check for known malicious patterns
	if self._is_suspicious_ip(ip):
	risk_score += 50
	issues.append("Suspicious IP pattern detected")

	# Geolocation risk analysis (simulated)
	if self._is_high_risk_country(ip):
	risk_score += 20
	issues.append("High-risk geographical location")

	# Proxy/VPN detection (simulated)
	if self._is_proxy_or_vpn(ip):
	risk_score += 15
	issues.append("Proxy/VPN usage detected")

	return {"risk_score": risk_score, "issues": issues}

	async def analyze_request_patterns(self, request_data: dict[str, Any]) -> dict[str, Any]:
	"""Advanced request pattern analysis"""
	risk_score = 0
	issues = []

	endpoint = request_data.get("endpoint", "")
	method = request_data.get("method", "")
	headers = request_data.get("headers", {})

	# Check for attack patterns in endpoint
	if self._contains_attack_patterns(endpoint):
	risk_score += 40
	issues.append("Attack pattern detected in endpoint")

	# Check for suspicious headers
	suspicious_headers = self._detect_suspicious_headers(headers)
	if suspicious_headers:
	risk_score += 20 * len(suspicious_headers)
	issues.extend([f"Suspicious header: {h}" for h in suspicious_headers])

	# Rate limiting analysis
	ip = request_data.get("client_ip", "")
	if self._is_rate_limited(ip):
	risk_score += 30
	issues.append("Rate limit exceeded")

	# Check for unusual request methods
	if method not in ["GET", "POST", "PUT", "DELETE", "PATCH"]:
	risk_score += 25
	issues.append("Unusual HTTP method")

	return {"risk_score": risk_score, "issues": issues}

	async def analyze_payload_security(self, request_data: dict[str, Any]) -> dict[str, Any]:
	"""Advanced payload security analysis"""
	risk_score = 0
	issues = []

	payload = request_data.get("body", "")
	query_params = request_data.get("query_params", {})

	# SQL injection detection (advanced)
	sql_injection_risks = self._detect_advanced_sql_injection(payload, query_params)
	if sql_injection_risks:
	risk_score += 60
	issues.extend(sql_injection_risks)

	# XSS detection (advanced)
	xss_risks = self._detect_advanced_xss(payload)
	if xss_risks:
	risk_score += 50
	issues.extend(xss_risks)

	# Command injection detection
	command_injection_risks = self._detect_command_injection(payload)
	if command_injection_risks:
	risk_score += 70
	issues.extend(command_injection_risks)

	# File upload security
	if request_data.get("files"):
	upload_risks = await self._analyze_file_uploads(request_data["files"])
	risk_score += upload_risks["risk_score"]
	issues.extend(upload_risks["issues"])

	return {"risk_score": risk_score, "issues": issues}

	async def analyze_user_behavior(self, request_data: dict[str, Any]) -> dict[str, Any]:
	"""AI-powered user behavior analysis"""
	risk_score = 0
	issues = []

	user_id = request_data.get("user_id")
	if not user_id:
	return {"risk_score": 0, "issues": []}

	# Anomalous behavior detection
	behavior_score = await self.anomaly_detector.detect_anomaly(user_id, request_data)
	risk_score += behavior_score

	if behavior_score > 30:
	issues.append("Anomalous user behavior detected")

	# Session security analysis
	session_risks = await self._analyze_session_security(user_id, request_data)
	risk_score += session_risks["risk_score"]
	issues.extend(session_risks["issues"])

	return {"risk_score": risk_score, "issues": issues}

	def _is_suspicious_ip(self, ip: str) -> bool:
	"""Check for suspicious IP patterns"""
	# Common bot/scanner patterns
	suspicious_patterns = [
	r"^10\.", # Private ranges (shouldn't be external)
	r"^192\.168\.", # Private ranges
	r"^172\.1[6-9]\.", # Private ranges
	r"^172\.2[0-9]\.", # Private ranges
	r"^172\.3[0-1]\.", # Private ranges
	]

	for pattern in suspicious_patterns:
	if re.match(pattern, ip):
	return True

	return False

	def _is_high_risk_country(self, ip: str) -> bool:
	"""Simulated high-risk country detection"""
	# In production, use real geolocation database
	# high_risk_countries = ["CN", "RU", "KP", "IR"]
	# Simulated check
	return False

	def _is_proxy_or_vpn(self, ip: str) -> bool:
	"""Simulated proxy/VPN detection"""
	# In production, use real proxy detection services
	return False

	def _contains_attack_patterns(self, endpoint: str) -> bool:
	"""Check endpoint for attack patterns"""
	attack_patterns = [
	"\.\./", # Directory traversal
	"<script", # XSS attempt
	"union.*select", # SQL injection
	"cmd=", # Command injection
	"../", # Path traversal
	"admin", # Admin access attempt
	"wp-admin", # WordPress admin
	"phpmyadmin", # Database admin
	]

	for pattern in attack_patterns:
	if re.search(pattern, endpoint, re.IGNORECASE):
	return True

	return False

	def _detect_suspicious_headers(self, headers: dict[str, str]) -> list[str]:
	"""Detect suspicious HTTP headers"""
	suspicious_headers = []

	# Known malicious headers
	malicious_headers = [
	"X-Forwarded-For: 127.0.0.1",
	"X-Real-IP: 127.0.0.1",
	"X-Originating-IP",
	"X-Cluster-Client-IP",
	]

	for header, value in headers.items():
	header_line = f"{header}: {value}"
	for malicious in malicious_headers:
	if malicious.lower() in header_line.lower():
	suspicious_headers.append(header)

	return suspicious_headers

	def _is_rate_limited(self, ip: str) -> bool:
	"""Advanced rate limiting check"""
	current_time = time.time()
	window_size = 300 # 5 minutes
	max_requests = 100

	if ip not in self.rate_limit_store:
	self.rate_limit_store[ip] = []

	# Remove old requests
	self.rate_limit_store[ip] = [
	req_time for req_time in self.rate_limit_store[ip] if current_time - req_time < window_size
	]

	# Add current request
	self.rate_limit_store[ip].append(current_time)

	return len(self.rate_limit_store[ip]) > max_requests

	def _detect_advanced_sql_injection(self, payload: str, query_params: dict[str, Any]) -> list[str]:
	"""Advanced SQL injection detection"""
	risks = []

	# Advanced SQL injection patterns
	advanced_patterns = [
	r"(\%27\|\')(\s\|%20)(or\|and)(\s\|%20).\=.\s--", # Classic SQLi
	r"union(\s\|%20)(all\|%20)*(select\|%20)", # Union-based
	r"select(\s\|%20).from(\s\|%20).information_schema", # Information schema
	r"(\%27\|\').or(\s\|%20).\=.\s(or\|%20).\=", # Boolean-based
	r"waitfor(\s*\|%20)delay", # Time-based
	r"sleep$\d+$", # Time-based MySQL
	r"benchmark\(", # Time-based MySQL
	r"pg_sleep\(", # Time-based PostgreSQL
	]

	test_data = payload + str(query_params)

	for pattern in advanced_patterns:
	if re.search(pattern, test_data, re.IGNORECASE):
	risks.append(f"Advanced SQL injection pattern: {pattern}")

	return risks

	def _detect_advanced_xss(self, payload: str) -> list[str]:
	"""Advanced XSS detection"""
	risks = []

	# Advanced XSS patterns
	advanced_patterns = [
	r"<script[^>]>.?</script>", # Script tags
	r"javascript:", # JavaScript protocol
	r"on\w+\s*=", # Event handlers
	r"<iframe[^>]*src", # Iframe injection
	r"<object[^>]*data", # Object injection
	r"<embed[^>]*src", # Embed injection
	r"<link[^>]*href", # Link injection
	r"<meta[^>]*http-equiv", # Meta injection
	r"expression\(", # CSS expression
	r"@import", # CSS import
	r"<svg[^>]*<script", # SVG injection
	r"data:text/html", # Data URI
	]

	for pattern in advanced_patterns:
	if re.search(pattern, payload, re.IGNORECASE):
	risks.append(f"Advanced XSS pattern: {pattern}")

	return risks

	def _detect_command_injection(self, payload: str) -> list[str]:
	"""Advanced command injection detection"""
	risks = []

	# Command injection patterns
	command_patterns = [
	r";\s*(rm\|del\|format\|fdisk)", # Destructive commands
	r"(\\|\\|\|&)\s*(rm\|del\|format\|fdisk)", # Piped destructive commands
	r"\$\(", # Command substitution
	r"`[^`]*`", # Backticks
	r"curl(\s\|%20).\\|\s*sh", # Download and execute
	r"wget(\s\|%20).\\|\s*sh", # Download and execute
	r"eval\s*\(", # PHP eval
	r"system\s*\(", # PHP system
	r"exec\s*\(", # PHP exec
	r"shell_exec\s*\(", # PHP shell_exec
	]

	for pattern in command_patterns:
	if re.search(pattern, payload, re.IGNORECASE):
	risks.append(f"Command injection pattern: {pattern}")

	return risks

	async def _analyze_file_uploads(self, files: list[dict[str, Any]]) -> dict[str, Any]:
	"""Advanced file upload security analysis"""
	risk_score = 0
	issues = []

	dangerous_extensions = [
	".php",
	".phtml",
	".php3",
	".php4",
	".php5",
	".asp",
	".aspx",
	".jsp",
	".exe",
	".bat",
	".cmd",
	".sh",
	".ps1",
	".vbs",
	".jar",
	]

	for file_info in files:
	filename = file_info.get("filename", "")
	file_size = file_info.get("size", 0)

	# Check file extension
	file_ext = "." + filename.split(".")[-1].lower() if "." in filename else ""
	if file_ext in dangerous_extensions:
	risk_score += 40
	issues.append(f"Dangerous file extension: {file_ext}")

	# Check file size
	if file_size > 50 * 1024 * 1024: # 50MB limit
	risk_score += 20
	issues.append(f"Large file upload: {file_size} bytes")

	# Check filename for suspicious patterns
	if any(pattern in filename.lower() for pattern in ["webshell", "backdoor", "shell", "cmd"]):
	risk_score += 60
	issues.append(f"Suspicious filename: {filename}")

	return {"risk_score": risk_score, "issues": issues}

	async def _analyze_session_security(self, user_id: str, request_data: dict[str, Any]) -> dict[str, Any]:
	"""Advanced session security analysis"""
	risk_score = 0
	issues = []

	# Check for session hijacking indicators
	_ip = request_data.get("client_ip", "")
	user_agent = request_data.get("user_agent", "")

	# In production, check against stored session data
	# For now, simulate session checks

	# Multiple concurrent sessions
	session_count = await self._get_user_session_count(user_id)
	if session_count > 5:
	risk_score += 25
	issues.append(f"Multiple concurrent sessions: {session_count}")

	# Suspicious user agent changes
	if await self._has_user_agent_changed(user_id, user_agent):
	risk_score += 30
	issues.append("User agent changed during session")

	return {"risk_score": risk_score, "issues": issues}

	async def _get_user_session_count(self, user_id: str) -> int:
	"""Get current session count for user"""
	# Simulated - in production, check session store
	return 1

	async def _has_user_agent_changed(self, user_id: str, user_agent: str) -> bool:
	"""Check if user agent changed during session"""
	# Simulated - in production, check against session store
	return False

	def _calculate_severity(self, risk_score: int) -> str:
	"""Calculate security event severity"""
	if risk_score >= 80:
	return "CRITICAL"
	elif risk_score >= 60:
	return "HIGH"
	elif risk_score >= 40:
	return "MEDIUM"
	elif risk_score >= 20:
	return "LOW"
	else:
	return "INFO"

	async def log_security_event(self, event: SecurityEvent):
	"""Log security event and update monitoring"""
	self.security_events.append(event)

	# Update monitoring collector
	self.monitoring_collector.record_security_event(
	event.event_type,
	{
	"severity": event.severity,
	"source_ip": event.source_ip,
	"risk_score": event.risk_score,
	"details": event.details,
	},
	)

	# Log to file
	self.logger.warning(f"Security Event: {event.event_type} - {event.severity} - Score: {event.risk_score}")

	async def auto_block_ip(self, ip: str, reason: str):
	"""Automatically block suspicious IP"""
	self.blocked_ips.add(ip)

	# Log block event
	await self.monitoring_collector.record_security_event(
	"IP_BLOCKED",
	{"ip_address": ip, "reason": reason, "timestamp": datetime.utcnow().isoformat(), "auto_blocked": True},
	)

	self.logger.warning(f"IP auto-blocked: {ip} - Reason: {reason}")

	async def load_security_policies(self):
	"""Load security policies and rules"""
	# Load from configuration or database
	self.suspicious_patterns = [
	r"select.from.information_schema",
	r"union.select.from",
	r"<script.>.</script>",
	r"javascript:",
	r"eval\s*\(",
	r"system\s*\(",
	]

	async def setup_threat_intelligence(self):
	"""Setup threat intelligence feeds"""
	# Connect to threat intelligence APIs
	# Load known malicious IPs, domains, patterns
	pass

	async def configure_advanced_rules(self):
	"""Configure advanced security rules"""
	# Setup custom security rules
	# Configure alert thresholds
	pass


	class AnomalyDetector:
	"""AI-powered anomaly detection for user behavior"""

	def __init__(self):
	self.user_profiles = {}
	self.behavior_patterns = {}

	async def detect_anomaly(self, user_id: str, request_data: dict[str, Any]) -> int:
	"""Detect behavioral anomalies"""
	anomaly_score = 0

	# Build user profile if not exists
	if user_id not in self.user_profiles:
	self.user_profiles[user_id] = await self._create_user_profile(user_id)

	# Analyze request patterns
	pattern_anomaly = await self._analyze_request_patterns(user_id, request_data)
	anomaly_score += pattern_anomaly

	# Analyze time patterns
	time_anomaly = await self._analyze_time_patterns(user_id, request_data)
	anomaly_score += time_anomaly

	# Analyze location patterns
	location_anomaly = await self._analyze_location_patterns(user_id, request_data)
	anomaly_score += location_anomaly

	return min(anomaly_score, 100) # Cap at 100

	async def _create_user_profile(self, user_id: str) -> dict[str, Any]:
	"""Create user behavior profile"""
	return {"request_patterns": {}, "time_patterns": [], "location_patterns": [], "created_at": datetime.utcnow()}

	async def _analyze_request_patterns(self, user_id: str, request_data: dict[str, Any]) -> int:
	"""Analyze request pattern anomalies"""
	# Simulated pattern analysis
	return 15

	async def _analyze_time_patterns(self, user_id: str, request_data: dict[str, Any]) -> int:
	"""Analyze time-based anomalies"""
	# Simulated time pattern analysis
	return 10

	async def _analyze_location_patterns(self, user_id: str, request_data: dict[str, Any]) -> int:
	"""Analyze location-based anomalies"""
	# Simulated location analysis
	return 5


	# Global security manager instance
	advanced_security_manager = AdvancedSecurityManager()


	async def get_advanced_security_manager() -> AdvancedSecurityManager:
	"""Get advanced security manager instance"""
	if not hasattr(advanced_security_manager, "initialized"):
	await advanced_security_manager.initialize()
	advanced_security_manager.initialized = True

	return advanced_security_manager


	# Security middleware for FastAPI
	class AdvancedSecurityMiddleware:
	"""Advanced security middleware for request filtering"""

	def __init__(self, app):
	self.app = app

	async def __call__(self, scope, receive, send):
	if scope["type"] == "http":
	# Extract request data
	request_data = await self._extract_request_data(scope, receive)

	# Get security manager
	security_manager = await get_advanced_security_manager()

	# Analyze request security
	security_event = await security_manager.analyze_request_security(request_data)

	# Block if high risk
	if security_event.risk_score > 80:
	await self._send_blocked_response(send)
	return

	await self.app(scope, receive, send)

	async def _extract_request_data(self, scope, receive) -> dict[str, Any]:
	"""Extract request data for security analysis"""
	# Simplified request data extraction
	return {
	"client_ip": scope.get("client", ("", 0))[0],
	"method": scope["method"],
	"endpoint": scope["path"],
	"headers": dict(scope.get("headers", [])),
	"query_params": {}, # Extract from query string
	"body": "", # Extract from receive
	}

	async def _send_blocked_response(self, send):
	"""Send blocked response to suspicious requests"""
	response = {
	"type": "http.response.start",
	"status": 403,
	"headers": [[b"content-type", b"application/json"]],
	}
	await send(response)

	body = json.dumps(
	{
	"error": "Access Denied",
	"message": "Security violation detected",
	"timestamp": datetime.utcnow().isoformat(),
	}
	).encode()

	await send(
	{
	"type": "http.response.body",
	"body": body,
	}
	)