學習點滴

2025年1月7日星期二

shioaji

申請key, (api & secret) from https://www.sinotrade.com.tw/newweb/SinoTrade_login/
install python 3.8 以上
pip install shioaji & pip install -U shioaji
hello world

edit .env

API_KEY=your_api_key
SECRET_KEY=your_secret_key

edit python

import shioaji as sj
import pandas as pd
import threading
import time
import schedule
from datetime import datetime
import os
from dotenv import load_dotenv

api = sj.Shioaji()
load_dotenv()

API_KEY = os.getenv("API_KEY")

SECRET_KEY = os.getenv("SECRET_KEY")

api.login(api_key=API_KEY, secret_key=SECRET_KEY)

api.logout()

# 创建空的 DataFrame 和缓存
columns = ['timestamp', 'open', 'avg_price', 'close', 'high', 'low', 'volume', 'total_volume', 'price_chg', 'pct_chg']
quote_df = pd.DataFrame(columns=columns)
quote_data = []

# 回调函数

def on_quote(exchange, quote):

global quote_data

new_row = {

'timestamp': pd.to_datetime(quote.datetime),

# 'open': float(quote.open), #開盤

'avg_price': float(quote.avg_price),

'close': float(quote.close),

'high': float(quote.high),

'low': float(quote.low),

# 'amount': float(quote.amount),

# 'total_amount': float(quote.total_amount),

'volume': quote.volume, #單量

'total_volume': quote.total_volume,

'price_chg': float(quote.price_chg), #價差

'pct_chg': float(quote.pct_chg) #百分比

}

quote_data.append(new_row) #加入data[]

# 定期将数据从缓存写入 DataFrame

if len(quote_data) >= 100: #超過100筆寫入data frame

update_dataframe()

def update_dataframe():

global quote_df, quote_data

if quote_data:

quote_df = pd.concat([quote_df, pd.DataFrame(quote_data)], ignore_index=True)

quote_data = [] # 清空缓存

print(quote_df.tail()) #印出來如果超過100筆

# 定时任务每分鐘

def print_quote():

global quote_df

if not quote_df.empty:

print("Latest quote:")

print(quote_df.tail()) # tail印多少?

else:

print("No quote data available yet.")

# 设置行情订阅 api = sj.Shioaji()

contract = api.Contracts.Stocks["2408"]

api.quote.subscribe(contract, quote_type=sj.constant.QuoteType.Quote, version=sj.constant.QuoteVersion.v1)

api.quote.set_on_quote_stk_v1_callback(on_quote) #callback

# 定时输出

schedule.every(1).minutes.do(print_quote)

# 主线程运行

try:

while True:

schedule.run_pending()

time.sleep(1)

except KeyboardInterrupt:

print("Stopping program...")

# AttributeError: 'SolaceAPI' object has no attribute 'unsubscribe_all'

api.quote.unsubscribe_all()

quote_df.to_csv('quote_data.csv', index=False)

print("Data saved to 'quote_data.csv'")

2024年12月27日星期五

弱掃調整

原始nginx設定

ssl_protocols TLSv1.3 TLSv1.2;

# ssl_protocols TLSv1.3;

# ssl_ciphers EECDH+AESGCM:EECDH+AES256;

ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256:!MD5:!SHA1:!SHA256:!SHA384";

測試工具

https://www.ssllabs.com/ssltest/

https://certlogik.com/decoder/

nmap --script ssl-enum-ciphers -p 443 xxx.tw

sslscan xxx.tw

openssl s_client -cipher ECDHE-RSA-AES256-SHA384 -connect url.xxx.tw:443

弱點名稱

弱點描述(英文)

弱點描述(中文)

修補建議(英文)

修補建議(中文)

參數資訊

Lodash Other Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Lodash 在4.17.21以前的版本在toNumber, trim, trimend函式具有正規表達阻斷式服務攻擊(ReDoS)的弱點

升級至4.17.21版

lodash v4.17.10-4.17.10lodash v4.17.10-4.17.10

Lodash Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Lodash於4.17.21版本以前在樣板函式中具有命令注入的弱點

升級至4.17.21版本

lodash v4.17.10-4.17.10

Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Lodash於4.17.20以前的版本具有原型鏈污染漏洞

升級至4.17.21版本

lodash v4.17.10-4.17.10

Lodash Allocation of Resources Without Limits or Throttling Vulnerability

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Lodash於4.17.11版本在處理過長的正規表達式時，恐導致阻斷式服務攻擊

因4.17.11版本仍有其他已知弱點，故建議升級至4.17.21版本

lodash v4.17.10-4.17.10

Lodash CVE-2018-16487 Vulnerability

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Lodash 4.17.11 具有原型鏈污染漏洞弱點

因4.17.11具有其他已知漏洞，故建議升級至4.17.21

lodash v4.17.10-4.17.10

TLS/SSL Weak Cipher Suites

The remote host supports TLS/SSL cipher suites with weak or insecure properties.

發現目標主機支援強度不足的加密演算法

Reconfigure the affected application to avoid use of weak cipher suites.

重新調整伺服器，避免使用強度不足的演算法，相關資訊可參考報告欄位的「參數資訊」

Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

Vulnerable JavaScript libraries

You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.

使用已知存在漏洞的Javascript函式庫。此版本Javascript函式庫可能存在一個或多個以上知已知漏洞，詳情可參考該函式庫網站。

Upgrade to the latest version.

更新至最新版函式庫。

Lodash 4.17.10

URL: https://domain.gsn.gov.tw/gsn/
Detection method: The library's name and version were determined based on its dynamic behavior.
CVE-ID: CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2018-16487, CVE-2019-1010266
Description: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. / Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. / Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. / Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. / A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. / lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
References:

https://nvd.nist.gov/vuln/detail/CVE-2021-23337
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-28500
https://nvd.nist.gov/vuln/detail/CVE-2019-10744
https://nvd.nist.gov/vuln/detail/CVE-2018-16487
https://nvd.nist.gov/vuln/detail/CVE-2019-1010266

SSL Certificate Is About To Expire

One of the TLS/SSL certificates used by your server is about to expire.

Once the certificate has expired, most web browsers will present end-users with a security warning, asking them to manually confirm the authenticity of your certificate chain. Software or automated systems may silently refuse to connect to the server.

This alert is not necessarily caused by the server (leaf) certificate, but may have been triggered by an intermediate certificate. Please refer to the certificate serial number in the alert details to identify the affected certificate.

網站使用的安全憑證即將過期(低於60天)。

Contact your Certificate Authority to renew the SSL certificate.

向憑證頒發機構續訂憑證。

The TLS/SSL certificate (serial: 029ae1a7b78ce1460ebb1cec62340f8c) will expire in less than 60 days. The certificate validity period is from Fri Oct 25 2024 21:27:11 GMT+0800 ( ) to Thu Jan 23 2025 21:27:10 GMT+0800 ( ) (49 days left)

TLS/SSL Weak Cipher Suites

The remote host supports TLS/SSL cipher suites with weak or insecure properties.

發現目標主機支援強度不足的加密演算法

Reconfigure the affected application to avoid use of weak cipher suites.

重新調整伺服器，避免使用強度不足的演算法，相關資訊可參考報告欄位的「參數資訊」

Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256

TLS/SSL Weak Cipher Suites

The remote host supports TLS/SSL cipher suites with weak or insecure properties.

發現目標主機支援強度不足的加密演算法

Reconfigure the affected application to avoid use of weak cipher suites.

重新調整伺服器，避免使用強度不足的演算法，相關資訊可參考報告欄位的「參數資訊」

Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA

jQuery UI Dialog Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( ''refresh'' )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

jQuery-UI 是官方的 jQuery 使用者介面函式庫。在 1.13.0 版之前，接受來自不受信任來源的 `.position()` 工具的 `of` 選項的值可能會執行不受信任的程式碼。該問題已在 jQuery UI 1.13.0 中修復。任何傳遞給 `of` 選項的字串值現在都會被視為 CSS 選擇器。解決方法是不接受來自不信任來源的 `of` 選項的值。

建議升級jquery-ui至1.13.2(含)以上的版本

jquery-ui-dialog v1.13.1-1.13.1

jQuery UI Tooltip Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability

jQuery-UI 是官方的 jQuery 使用者介面函式庫。在 1.13.0 版之前，接受來自不可信任來源的 Datepicker widget `altField` 選項的值可能會執行不可信任的程式碼。該問題已在 jQuery UI 1.13.0 中修復。現在，傳遞給 `altField` 選項的任何字串值都會被視為 CSS 選擇器。解決方法是不接受來自不信任來源的 `altField` 選項值。

建議升級jquery-ui至1.13.2(含)以上的版本

jquery-ui-tooltip v1.13.1-1.13.1

TLS/SSL Weak Cipher Suites

The remote host supports TLS/SSL cipher suites with weak or insecure properties.

發現目標主機支援強度不足的加密演算法

Reconfigure the affected application to avoid use of weak cipher suites.

重新調整伺服器，避免使用強度不足的演算法，相關資訊可參考報告欄位的「參數資訊」

Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

TLS/SSL Weak Cipher Suites

The remote host supports TLS/SSL cipher suites with weak or insecure properties.

發現目標主機支援強度不足的加密演算法

Reconfigure the affected application to avoid use of weak cipher suites.

重新調整伺服器，避免使用強度不足的演算法，相關資訊可參考報告欄位的「參數資訊」

Weak TLS/SSL Cipher Suites: (offered via TLS1.2 on port 443):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS/SSL Weak Cipher Suites

The remote host supports TLS/SSL cipher suites with weak or insecure properties.

發現目標主機支援強度不足的加密演算法

Reconfigure the affected application to avoid use of weak cipher suites.

重新調整伺服器，避免使用強度不足的演算法，相關資訊可參考報告欄位的「參數資訊」

2023年5月17日星期三

Fortify 代码扫描安装使用教程

回忆式~过去.

已于 2022-09-14 17:07:10 修改

19956

分类专栏：安全测试工具测试文章标签：安全测试工具

版权

安全测试

同时被 3 个专栏收录

6 篇文章5 订阅

订阅专栏

工具

13 篇文章0 订阅

订阅专栏

测试

14 篇文章5 订阅

订阅专栏

前言

Fortify 能够提供静态和动态应用程序安全测试技术，以及运行时应用程序监控和保护功能。为实现高效安全监测，Fortify具有源代码安全分析，可精准定位漏洞产生的路径，以及具有1分钟1万行的扫描速度。

Fortify SCA 支持丰富的开发环境、语言、平台和框架，可对开发与生产混合环境进行安全检查。 27 种编程语言超过 911,000 个组件级 API 可检测超过 961 个漏洞类别支持所有主流平台、构建环境和 IDE

对开发人员友好的语言覆盖范围 – 支持 ABAP/BSP、ActionScript、Apex、ASP.NET、C# (.NET)、C/C++、Classic ASP（含 VBScript）、COBOL、ColdFusion CFML、Go、HTML、Java（包括 Android）、JavaScript/AJAX、JSP、Kotlin、MXML(Flex)、Objective C/C++、PHP、PL/SQL、Python、Ruby、Swift、T-SQL、VB.NET、VBScript、Visual Basic 和 XML

支持的 IDE – Eclipse、IntelliJ Ultimate、IntelliJ Community Android Studio、IBM Rational Application Developer、IBM Rational Software Architect、Microsoft Visual Studio

支持的构建工具 – Ant、Jenkins、Maven、MSBuild、Xcodebuild

支持的缺陷管理平台 – Jira、ALM、Bugzilla

支持的代码管理工具 – Git、SVN、TFS

漏洞覆盖范围，包括 1000 多个 SAST 漏洞分类，以确保符合 OWASP Top 10、CWE/SANS Top 25、DISA STIG 和 PCI DSS 等标准。

正文

百度网盘资源，需要自取

链接: https://pan.baidu.com/s/1UsY2Jv7HpMPKLXzHW5YSKA密码: 3qt7

下载好安装包后，双击安装应用程序

点击Next进行下一步

接受协议，点击Next

选择安装位置或者默认位置，点击Next

勾选你要安装的插件，点击Next下一步

选择\fortify.license，点击下一步

选择更新服务器，这里可以不用填写

移除之前版本选择No

安装实例代码项目选择No

准备安装，点击Next即可进行安装

安装完成后需要把规则库下的文件解压或者复制到安装目录的Core\config下

应用程序搜索Scan Wizard，双击Audit Workbench启动

点击选择Advanced Scan，选要扫描的源代码

如果扫的是比较大的一些项目，代码文件比较大，可以选择拆开一个文件夹一个文件夹的去扫，这样也会快一点

点击Next

点击configure rulepacks选择要扫描的选项，根据自己的情况而定

选择配置内存大小，扫码过程中常见的情况是内存不足导致带不动，可以考虑换台配置高的或者增加虚拟内存大小

根据情况而选定

接下来点击scan即可进行扫描

扫描完成后，会弹出通知框，可以查看是否存在错误

点击OK，就可以查看报告了

可以点击选择结果查看问题，会自动定位到有问题的代码位置

也可以通过属性查看问题详情

点击Reports可将报告导出到本地，可选择导出的内容和样式

本文链接：https://blog.csdn.net/qq_41648820/article/details/116937035

————————————————

原文链接：https://blog.csdn.net/qq_41648820/article/details/116937035

訂閱：文章 (Atom)

2025年1月7日 星期二

shioaji

2024年12月27日 星期五

弱掃調整

2023年5月17日 星期三

Fortify 代码扫描安装使用教程

2025年1月7日星期二

2024年12月27日星期五

2023年5月17日星期三