Security Risks of AI-Assisted Refactoring
Analysis of security vulnerabilities introduced when AI tools refactor existing code, including subtle behavioral changes and security property violations.
Overview
Refactoring is where AI code tools are at their most dangerous, because refactoring is where developer trust is highest. When an AI generates new code, developers understand it needs review. When an AI refactors existing code — code that already works, that already passes tests — the bar for scrutiny drops. The assumption is that the AI is simply cleaning up, not changing behavior. That assumption is wrong in security-critical ways.
AI-assisted refactoring is one of the most seductive applications of code generation technology. Developers point an AI tool at messy, legacy code and ask it to clean up the structure, modernize the API usage, or simplify complex control flow. The output looks cleaner, reads better, and often passes the existing test suite. But "passes the existing tests" and "preserves all security properties" are very different things.
The core problem is that security properties are often implicit in code — they arise from specific implementation choices that may look like accidents or poor style. A constant-time comparison that uses a manual loop instead of == looks like it should be refactored. A try-except block that catches a broad exception class and returns a generic error looks like it should be made more specific. An authentication check that queries the database twice looks redundant. In each case, the "messy" code is messy for a security reason, and an AI tool that does not understand that reason will "improve" the code by removing the security property.
This article catalogs the specific categories of security regressions introduced by AI refactoring, provides techniques for detecting them, and establishes review practices that protect security properties during AI-assisted code modernization.
Categories of Security-Breaking Refactors
Timing Side-Channel Introduction
Constant-time operations are a common casualty of AI refactoring. The AI sees verbose, manual implementations and replaces them with concise built-in operations that are not constant-time:
```python
# Original: constant-time comparison (secure but "ugly")
def verify_signature(provided: bytes, expected: bytes) -> bool:
    if len(provided) != len(expected):
        return False
    result = 0
    for a, b in zip(provided, expected):
        result |= a ^ b
    return result == 0

# AI-refactored: "simplified" but introduces a timing side-channel
def verify_signature(provided: bytes, expected: bytes) -> bool:
    return provided == expected
```

The AI sees a function that compares two byte strings and "simplifies" it. The refactored version is functionally equivalent for all non-adversarial inputs but leaks information about how many bytes match through timing differences. Attackers can use this to extract the expected signature byte by byte.
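When a simplification is genuinely wanted, the standard library already provides a constant-time primitive; a minimal sketch of the safe rewrite:

```python
import hmac

def verify_signature(provided: bytes, expected: bytes) -> bool:
    # hmac.compare_digest takes time independent of where the first
    # mismatching byte occurs, unlike the == operator on bytes
    return hmac.compare_digest(provided, expected)
```

A reviewer who sees the manual XOR loop replaced with anything other than compare_digest should treat the change as a security regression, not a style improvement.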
The same pattern appears in HMAC verification:
```python
# Original: uses hmac.compare_digest (constant-time)
import hmac

def verify_webhook(payload: bytes, signature: str, secret: bytes) -> bool:
    expected = hmac.new(secret, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, signature)

# AI-refactored: "simplified" string comparison
def verify_webhook(payload: bytes, signature: str, secret: bytes) -> bool:
    expected = hmac.new(secret, payload, "sha256").hexdigest()
    return expected == signature  # Timing-vulnerable
```

Error Handling Security Regression
AI refactoring frequently makes error handling more "Pythonic" or "idiomatic" in ways that break security properties:
```python
# Original: catch-all that prevents information disclosure
def authenticate(username: str, password: str) -> dict:
    try:
        user = db.get_user(username)
        if not user:
            raise AuthError("Invalid credentials")
        if not bcrypt.checkpw(password.encode(), user.password_hash):
            raise AuthError("Invalid credentials")
        return create_session(user)
    except AuthError:
        raise
    except Exception:
        # Intentionally generic to prevent information disclosure
        raise AuthError("Invalid credentials")

# AI-refactored: "better" error handling that leaks information
def authenticate(username: str, password: str) -> dict:
    user = db.get_user(username)
    if user is None:
        raise UserNotFoundError(f"User '{username}' not found")
    if not bcrypt.checkpw(password.encode(), user.password_hash):
        raise InvalidPasswordError("Incorrect password")
    return create_session(user)
```

The AI created more specific exception types and more descriptive error messages — a textbook refactoring improvement. But the refactored version reveals whether a username exists (username enumeration) and distinguishes between wrong username and wrong password, which is a well-known security anti-pattern.
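A cheap guard against this regression is a unit test asserting that every failure mode is observably identical. A minimal sketch, using a hypothetical in-memory credential store in place of a real database:

```python
class AuthError(Exception):
    pass

USERS = {"alice": "correct-hash"}  # hypothetical credential store

def authenticate(username: str, password_hash: str) -> str:
    # One generic error for unknown user and wrong password alike
    stored = USERS.get(username)
    if stored is None or stored != password_hash:
        raise AuthError("Invalid credentials")
    return "session-token"

def failure_signature(username: str, password_hash: str) -> tuple:
    """Capture the observable failure: exception type and message."""
    try:
        authenticate(username, password_hash)
        return ()
    except Exception as e:
        return (type(e).__name__, str(e))
```

A test asserting failure_signature is identical for an unknown user and a wrong password fails loudly the moment a refactor introduces UserNotFoundError or InvalidPasswordError.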
Atomicity and Race Condition Introduction
AI refactoring often breaks atomic operations into separate steps for "clarity":
```python
# Original: atomic check-and-update (secure against race conditions)
def transfer_funds(from_id: int, to_id: int, amount: float, db):
    with db.transaction():
        result = db.execute(
            """
            UPDATE accounts SET balance = balance - %s
            WHERE id = %s AND balance >= %s
            RETURNING balance
            """,
            (amount, from_id, amount)
        )
        if not result:
            raise InsufficientFundsError()
        db.execute(
            "UPDATE accounts SET balance = balance + %s WHERE id = %s",
            (amount, to_id)
        )

# AI-refactored: "cleaner" but introduces a TOCTOU race condition
def transfer_funds(from_id: int, to_id: int, amount: float, db):
    sender = db.get_account(from_id)
    if sender.balance < amount:
        raise InsufficientFundsError(
            f"Balance {sender.balance} insufficient for transfer of {amount}"
        )
    # TOCTOU: balance could change between the check above and the update below
    sender.balance -= amount
    recipient = db.get_account(to_id)
    recipient.balance += amount
    db.save(sender)
    db.save(recipient)
```

The refactored version separates the balance check from the balance update, creating a time-of-check-to-time-of-use (TOCTOU) vulnerability. Two concurrent transfers could both pass the balance check and result in a negative balance.
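The preserved pattern can be exercised end to end with sqlite3, which supports the same single-statement conditional debit (the connection helper and error type here are stand-ins, not the article's db API):

```python
import sqlite3

class InsufficientFundsError(Exception):
    pass

def transfer_funds(conn: sqlite3.Connection, from_id: int,
                   to_id: int, amount: float) -> None:
    # The balance check and the debit are one conditional UPDATE,
    # so no concurrent transfer can interleave between them
    with conn:  # transaction: commits on success, rolls back on error
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE id = ? AND balance >= ?",
            (amount, from_id, amount),
        )
        if cur.rowcount == 0:
            raise InsufficientFundsError()
        conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?",
            (amount, to_id),
        )
```

Any refactor that turns the conditional UPDATE into a read-check-write sequence should fail review, no matter how much clearer it reads.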
Authorization Check Removal
During refactoring, AI tools sometimes consolidate or remove checks that appear redundant but serve defense-in-depth purposes:
```python
# Original: defense-in-depth authorization
class DocumentController:
    def get_document(self, request, doc_id):
        # Layer 1: authentication (verified by middleware)
        user = request.user
        if not user.is_authenticated:
            raise Unauthorized()
        # Layer 2: document exists
        doc = self.doc_repo.get(doc_id)
        if not doc:
            raise NotFound()
        # Layer 3: explicit authorization check
        if doc.owner_id != user.id and not user.has_role("admin"):
            raise Forbidden()
        # Layer 4: field-level filtering
        return self._filter_sensitive_fields(doc, user)

    def _filter_sensitive_fields(self, doc, user):
        result = doc.to_dict()
        if not user.has_role("admin"):
            result.pop("internal_notes", None)
            result.pop("audit_trail", None)
        return result

# AI-refactored: "simplified" — removed "redundant" auth check
class DocumentController:
    def get_document(self, request, doc_id):
        # AI assumes middleware handles auth, removes explicit check
        doc = self.doc_repo.get(doc_id)
        if not doc:
            raise NotFound()
        # AI removed the owner check because "the API gateway handles authorization"
        return doc.to_dict()  # Also removed field filtering as "unnecessary"
```

The AI removed the explicit authorization check (assuming middleware handles it), removed the ownership check (possibly because it was not covered by tests), and removed the field-level filtering (treating it as unnecessary complexity). The result is a clean, simple function that exposes every document to every authenticated user, with all fields visible.
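One way to make the ownership layer survive refactoring is to pull it into a single, explicitly named helper that is hard to dismiss as redundant. A minimal sketch; the Forbidden type and role model are illustrative, not the article's framework:

```python
class Forbidden(Exception):
    pass

def assert_can_read(doc_owner_id: int, user_id: int, user_roles: set) -> None:
    # Defense in depth: runs in the controller even when an upstream
    # gateway or middleware is also expected to authorize the request
    if doc_owner_id != user_id and "admin" not in user_roles:
        raise Forbidden("not owner and not admin")
```

A named, tested helper gives the AI (and the reviewer) a clear signal that the check is intentional rather than leftover duplication.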
Security Header and Configuration Stripping
When AI tools refactor web application configurations, they often remove security headers or settings that look like boilerplate:
```python
# Original: Flask app with security configuration
import os
from datetime import timedelta

from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)

# Security headers
Talisman(
    app,
    content_security_policy={
        "default-src": "'self'",
        "script-src": "'self'",
        "style-src": "'self' 'unsafe-inline'",
    },
    force_https=True,
    strict_transport_security=True,
    strict_transport_security_max_age=31536000,
    session_cookie_secure=True,
    session_cookie_httponly=True,
    session_cookie_samesite="Lax",
)

app.config.update(
    SECRET_KEY=os.environ["SECRET_KEY"],
    SESSION_COOKIE_SECURE=True,
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SAMESITE="Lax",
    PERMANENT_SESSION_LIFETIME=timedelta(hours=1),
    MAX_CONTENT_LENGTH=16 * 1024 * 1024,
)

# AI-refactored: "cleaned up" — stripped "unnecessary" config
import os

from flask import Flask

app = Flask(__name__)
app.config["SECRET_KEY"] = os.environ.get("SECRET_KEY", "dev-secret")
```

The AI reduced the configuration to the "essential" parts, removing CSP headers, HTTPS enforcement, cookie security flags, content length limits, and session lifetime restrictions. It also introduced a default value for SECRET_KEY that would be used if the environment variable is not set — a critical security regression.
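A configuration audit that runs in CI can catch this class of stripping mechanically. A minimal sketch; the required-settings table is illustrative and should mirror your own baseline:

```python
# Baseline of settings that must survive any refactor (illustrative)
REQUIRED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
}

def audit_config(config: dict) -> list[str]:
    """Return the names of security settings that are missing or weakened."""
    findings = [
        key for key, expected in REQUIRED_SETTINGS.items()
        if config.get(key) != expected
    ]
    # A missing or empty SECRET_KEY is always a finding
    if not config.get("SECRET_KEY"):
        findings.append("SECRET_KEY")
    return findings
```

Running audit_config(app.config) in a CI test turns silent configuration stripping into a visible build failure.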
Detecting Security Regressions
Differential Testing
The most effective technique for detecting security-breaking refactors is differential testing — running the original and refactored code against the same inputs and comparing not just outputs but observable properties:
"""
Differential 測試 framework for detecting 安全 regressions
in AI-refactored code.
"""
import time
import statistics
from typing import Callable, Any
from dataclasses import dataclass
@dataclass
class DifferentialResult:
test_name: str
original_output: Any
refactored_output: Any
outputs_match: bool
timing_difference_ns: float
security_note: str
def differential_test(
original_fn: Callable,
refactored_fn: Callable,
test_inputs: list[tuple],
timing_samples: int = 100,
) -> list[DifferentialResult]:
"""
Compare original and refactored functions for behavioral differences.
Checks both 輸出 correctness and timing characteristics.
"""
results = []
for args in test_inputs:
# Compare outputs
try:
orig_out = original_fn(*args)
except Exception as e:
orig_out = (type(e).__name__, str(e))
try:
ref_out = refactored_fn(*args)
except Exception as e:
ref_out = (type(e).__name__, str(e))
# Compare timing (for constant-time operations)
orig_times = []
ref_times = []
for _ in range(timing_samples):
start = time.perf_counter_ns()
try:
original_fn(*args)
except Exception:
pass
orig_times.append(time.perf_counter_ns() - start)
start = time.perf_counter_ns()
try:
refactored_fn(*args)
except Exception:
pass
ref_times.append(time.perf_counter_ns() - start)
timing_diff = abs(
statistics.median(orig_times) - statistics.median(ref_times)
)
security_notes = []
if orig_out != ref_out:
security_notes.append(
f"輸出 changed: {orig_out!r} -> {ref_out!r}"
)
# Check if refactored version has higher timing variance
# (may indicate loss of constant-time property)
orig_cv = (statistics.stdev(orig_times) /
max(statistics.mean(orig_times), 1))
ref_cv = (statistics.stdev(ref_times) /
max(statistics.mean(ref_times), 1))
if ref_cv > orig_cv * 2:
security_notes.append(
"Timing variance increased significantly — "
"possible loss of constant-time property"
)
results.append(DifferentialResult(
test_name=f"args={args}",
original_output=orig_out,
refactored_output=ref_out,
outputs_match=(orig_out == ref_out),
timing_difference_ns=timing_diff,
security_note="; ".join(security_notes) if security_notes else "OK",
))
return results安全 Property Assertions
Embed security property assertions in the codebase that will fail if a refactoring violates them:
"""
安全 property assertions that survive refactoring.
Place these in 測試 files that are run as part of CI/CD.
"""
import ast
import inspect
import dis
from pathlib import Path
def assert_constant_time_comparison(module, function_name: str):
"""
Assert that a comparison function does not use Python's == operator
on the compared values, which would not be constant-time.
"""
source = inspect.getsource(getattr(module, function_name))
tree = ast.parse(source)
for node in ast.walk(tree):
if isinstance(node, ast.Compare):
for op in node.ops:
if isinstance(op, (ast.Eq, ast.NotEq)):
# Check if the comparison involves the function's parameters
# 這是 a heuristic — may need refinement
raise AssertionError(
f"{function_name} uses == for comparison. "
f"Use hmac.compare_digest() or manual XOR loop "
f"for constant-time comparison. "
f"Line {node.lineno}"
)
def assert_generic_auth_errors(module, function_name: str):
"""
Assert that an 認證 function does not raise specific
error types that could enable username enumeration.
"""
source = inspect.getsource(getattr(module, function_name))
tree = ast.parse(source)
forbidden_exceptions = {
"UserNotFoundError", "InvalidPasswordError",
"AccountDisabledError", "AccountLockedError",
}
for node in ast.walk(tree):
if isinstance(node, ast.Raise) and node.exc:
if isinstance(node.exc, ast.Call):
if isinstance(node.exc.func, ast.Name):
if node.exc.func.id in forbidden_exceptions:
raise AssertionError(
f"{function_name} raises {node.exc.func.id}, "
f"which could enable username enumeration. "
f"Use generic AuthError instead. "
f"Line {node.lineno}"
)
def assert_transaction_wrapping(module, function_name: str):
"""
Assert that a function that modifies multiple 資料庫 records
does so within a transaction context manager.
"""
source = inspect.getsource(getattr(module, function_name))
tree = ast.parse(source)
has_transaction = False
for node in ast.walk(tree):
if isinstance(node, ast.With):
for item in node.items:
if isinstance(item.context_expr, ast.Call):
func = item.context_expr.func
name = ""
if isinstance(func, ast.Attribute):
name = func.attr
elif isinstance(func, ast.Name):
name = func.id
if "transaction" in name.lower():
has_transaction = True
if not has_transaction:
raise AssertionError(
f"{function_name} modifies 資料庫 records without "
f"a transaction context manager. This could introduce "
f"race conditions or partial update 漏洞."
)Semgrep Rules for Common Regressions
Create custom Semgrep rules that detect patterns commonly introduced by AI refactoring:
```yaml
rules:
  - id: ai-refactor-timing-attack
    patterns:
      - pattern: $SECRET == $USER_INPUT
      - metavariable-regex:
          metavariable: $SECRET
          regex: ".*(token|secret|key|hash|signature|hmac|digest).*"
    message: >
      Direct comparison of a security-sensitive value detected.
      This may have been introduced by AI refactoring.
      Use hmac.compare_digest() for constant-time comparison.
    severity: ERROR
    languages: [python]

  - id: ai-refactor-specific-auth-error
    pattern-either:
      - pattern: raise UserNotFoundError(...)
      - pattern: raise InvalidPasswordError(...)
    message: >
      Specific authentication error type detected.
      AI refactoring may have introduced username enumeration.
      Use a generic AuthError with identical messages for all failure cases.
    severity: ERROR
    languages: [python]

  - id: ai-refactor-removed-csp
    patterns:
      - pattern-not: content_security_policy = ...
      - pattern: app = Flask(...)
    message: >
      Flask application without a Content Security Policy.
      Verify the CSP was not removed during AI refactoring.
    severity: WARNING
    languages: [python]

  - id: ai-refactor-default-secret
    pattern: SECRET_KEY = os.environ.get("SECRET_KEY", "$DEFAULT")
    message: >
      SECRET_KEY has a default fallback value.
      AI refactoring may have added this. Use os.environ["SECRET_KEY"]
      to fail fast if the secret is not configured.
    severity: ERROR
    languages: [python]
```

Process-Level Mitigations
Security Property Documentation
Before AI refactoring, document the security properties that must be preserved:
```python
# security_properties.py — checked into the repository
"""
SECURITY PROPERTIES — DO NOT REMOVE OR REFACTOR WITHOUT SECURITY REVIEW

This file documents security-critical properties of the codebase
that must be preserved during any refactoring, including AI-assisted.
These properties may not be obvious from the code alone.

1. auth.verify_password: Uses constant-time comparison (hmac.compare_digest).
   Reason: Prevents timing-based password guessing.
   Test: test_security/test_timing.py::test_password_comparison_constant_time

2. auth.authenticate: Returns identical errors for all failure modes.
   Reason: Prevents username enumeration.
   Test: test_security/test_auth.py::test_no_username_enumeration

3. payment.transfer: Executes within a database transaction with SELECT FOR UPDATE.
   Reason: Prevents double-spend race conditions.
   Test: test_security/test_concurrency.py::test_concurrent_transfer

4. app.config: Must include CSP, HSTS, and secure cookie flags.
   Reason: Defense-in-depth against XSS, MITM, and session hijacking.
   Test: test_security/test_headers.py::test_security_headers_present
"""
```

AI Refactoring Review Checklist
When reviewing AI-refactored code, apply this checklist:
- Error handling changes: Did the refactoring change exception types or error messages? Could the new messages enable information disclosure?
- Comparison operations: Did any manual comparison loops get replaced with ==? Check whether the original was intentionally constant-time.
- Transaction boundaries: Did database operations get restructured? Verify atomicity is preserved.
- Authorization checks: Count authorization checks before and after. Were any removed as "redundant"?
- Security headers and configuration: Compare security-relevant configuration line by line. Were any settings removed or given default values?
- Logging changes: Did the refactoring add logging that includes sensitive data, or remove logging that was needed for audit trails?
- Dependency changes: Did the refactoring replace a security-focused library with a general-purpose one (e.g., replacing bcrypt with hashlib)?
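The authorization-check item can be partially automated with a small AST walk. A sketch; the set of authorization-flavored names is a hypothetical starting point, not a complete list:

```python
import ast

# Hypothetical names that signal an authorization check in a codebase
AUTH_NAMES = {"is_authenticated", "has_role", "check_permission"}

def count_auth_checks(source: str) -> int:
    """Count authorization-flavored attribute accesses in a code snippet."""
    count = 0
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in AUTH_NAMES:
            count += 1
    return count
```

Run it on the before and after versions of each security-critical function; a drop in the count is a prompt for manual review, not proof of a regression.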
Real-World Refactoring Regression Case Studies
Case Study 1: Authentication Downgrade
An organization used an AI tool to modernize a legacy Django authentication module. The original code used a custom authentication backend that implemented multi-factor verification inline — checking both password and TOTP token in the same authentication flow. The AI refactoring "cleaned up" the authentication by splitting it into separate middleware components for password and MFA verification. The refactored code was more modular and testable, but it introduced a gap: the MFA middleware could be bypassed by directly accessing internal API endpoints that were behind the password middleware but ahead of the MFA middleware in the middleware chain.
```python
# Original: monolithic but secure — both checks in one atomic operation
class SecureAuthBackend(ModelBackend):
    def authenticate(self, request, username=None, password=None, totp=None):
        user = super().authenticate(request, username=username, password=password)
        if user is None:
            return None
        if not self._verify_totp(user, totp):
            return None  # MFA failure rejects even with correct password
        return user

# AI-refactored: modular but vulnerable — checks separated
class PasswordMiddleware:
    def process_request(self, request):
        # Authenticates via password, sets request.user
        pass

class MFAMiddleware:
    def process_request(self, request):
        # Checks MFA for request.user
        # But only runs for URLs in MFA_REQUIRED_PATHS
        pass
```

The fix required the organization to review every endpoint to ensure MFA middleware coverage, then implement a defense-in-depth check that rejected any request from a user whose session did not have an MFA-verified flag — essentially reimplementing the monolithic check that the AI had helpfully removed.
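That defense-in-depth check is simple to express as a per-request guard; a minimal sketch with a plain dict standing in for the session object:

```python
class Forbidden(Exception):
    pass

def enforce_mfa_verified(session: dict) -> None:
    # Runs on every request, so even an endpoint that the MFA
    # middleware missed still rejects non-MFA-verified sessions
    if not session.get("mfa_verified", False):
        raise Forbidden("session has not completed MFA")
```

The point of the guard is redundancy: it must hold even when the middleware chain is configured correctly, so that a future routing change cannot silently reopen the gap.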
Case Study 2: Logging Regression
An AI tool refactored a payment processing module to use structured logging. The original code used a custom logging wrapper that redacted credit card numbers and CVVs from log output. The AI replaced this with a standard structured logging library that produced cleaner, more queryable logs — but without the redaction logic. PCI-scoped data was written to log aggregation systems for three weeks before the regression was discovered during a routine compliance audit.
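Structured logging and redaction are not mutually exclusive: structlog pipelines accept processor callables with the signature (logger, method_name, event_dict). A sketch of a redaction processor that would have preserved the property (the pattern below covers only card numbers; a real deployment would extend it to all PCI fields):

```python
import re

CARD_RE = re.compile(r"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b")

def redact_pci(logger, method_name, event_dict):
    # Scrub every string value before any renderer sees it;
    # register via structlog.configure(processors=[redact_pci, ...])
    for key, value in event_dict.items():
        if isinstance(value, str):
            event_dict[key] = CARD_RE.sub("CARD-REDACTED", value)
    return event_dict
```

The before-and-after code from the incident follows.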
```python
# Original: custom logger with redaction
import re

class PaymentLogger:
    REDACT_PATTERNS = [
        (r'\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b', 'CARD-REDACTED'),
        (r'\b\d{3,4}\b(?=.*cvv)', 'CVV-REDACTED'),
    ]

    def info(self, message, **kwargs):
        sanitized = self._redact(str(kwargs))
        self._logger.info(message, extra={"data": sanitized})

    def _redact(self, text):
        for pattern, replacement in self.REDACT_PATTERNS:
            text = re.sub(pattern, replacement, text)
        return text

# AI-refactored: clean structured logging, no redaction
import structlog

logger = structlog.get_logger()

def process_payment(card_number, cvv, amount):
    logger.info("processing_payment",
                card=card_number,  # PCI data in plain text
                amount=amount)
```

Case Study 3: Rate Limiting Removal
An API rate limiting implementation used a Redis-backed counter with a sliding window algorithm. The original code was complex — it handled distributed deployment, clock skew, and race conditions with a Lua script executed atomically in Redis. An AI refactoring "simplified" it to an in-memory counter, which appeared to work in development (single instance) but provided no protection in production (multiple instances behind a load balancer, each maintaining independent counters):
```python
# Original: distributed rate limiting via a Redis Lua script
RATE_LIMIT_SCRIPT = """
local key = KEYS[1]
local window = tonumber(ARGV[1])
local limit = tonumber(ARGV[2])
local now = tonumber(ARGV[3])
redis.call('ZREMRANGEBYSCORE', key, 0, now - window)
local count = redis.call('ZCARD', key)
if count < limit then
    redis.call('ZADD', key, now, now .. math.random())
    redis.call('EXPIRE', key, window)
    return 1
end
return 0
"""

# AI-refactored: "simplified" in-memory counter
from collections import defaultdict
import time

request_counts = defaultdict(list)  # Only works for a single instance!

def check_rate_limit(client_id: str, limit: int = 100,
                     window: int = 60) -> bool:
    now = time.time()
    request_counts[client_id] = [
        t for t in request_counts[client_id] if t > now - window
    ]
    if len(request_counts[client_id]) >= limit:
        return False
    request_counts[client_id].append(now)
    return True
```

Red Team Exercise: Auditing AI-Refactored Code
The following exercise provides a structured approach for red teams to assess AI-refactored code for security regressions:
Step 1 — Identify refactored code: Query version control for commits or PRs that mention AI-assisted refactoring, or scan for patterns indicating bulk refactoring (large diffs that change code structure without adding features).
```shell
# Find potential AI-refactored commits (multiple --grep flags are OR'd)
git log --all --oneline --grep="refactor" --grep="copilot" \
    --grep="ai" --grep="modernize" --grep="clean up" | head -20

# Find large structural changes
git log --all --numstat --since="6 months ago" | \
    awk '/^[0-9]/ {adds+=$1; dels+=$2} /^$/ {if(adds>100 && dels>100) print prev; adds=0; dels=0} {prev=$0}'
```

Step 2 — Diff security-critical functions: For each refactored security-critical function, perform a line-by-line comparison of the original and refactored implementations:
```python
import subprocess

def find_security_functions(repo_path: str) -> list[str]:
    """Identify security-critical functions in the codebase."""
    security_indicators = [
        r"def (auth|login|verify|validate|encrypt|decrypt|hash|sign)",
        r"def .*(password|token|secret|key|credential|session|permission)",
        r"def .*(sanitize|escape|filter|redact|rate.limit|csrf)",
    ]
    functions = []
    for pattern in security_indicators:
        result = subprocess.run(
            ["grep", "-rn", "-E", pattern, repo_path],
            capture_output=True, text=True
        )
        for line in result.stdout.splitlines():
            functions.append(line.strip())
    return functions

def diff_security_function(repo_path: str, function_name: str,
                           old_commit: str, new_commit: str) -> str:
    """Get the diff for a specific function between two commits."""
    result = subprocess.run(
        ["git", "-C", repo_path, "diff", old_commit, new_commit,
         "-U20", "--", "*.py"],
        capture_output=True, text=True
    )
    # Extract the relevant function diff
    # (simplified — a real implementation would use AST parsing)
    return result.stdout
```

Step 3 — Apply the security regression checklist: For each function diff, systematically check all seven items from the review checklist above. Document any regressions found.
Step 4 — Validate with differential testing: Run the original and refactored implementations against the same test inputs, including adversarial inputs, and compare outputs and timing characteristics.
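For byte-comparison functions, the adversarial inputs worth feeding into the differential run can be generated mechanically. A sketch; the input set mirrors what a timing attacker would send:

```python
def adversarial_byte_inputs(expected: bytes) -> list[bytes]:
    """Boundary and prefix-probing inputs for a comparison function."""
    inputs = [b"", expected, expected + b"\x00"]
    # Growing correct prefixes padded with zero bytes to full length:
    # the inputs an attacker uses to probe a byte-by-byte timing leak
    for i in range(len(expected)):
        inputs.append(expected[:i] + bytes(len(expected) - i))
    return inputs
```

Feeding these to both implementations and comparing outputs and timing spread catches exactly the regressions described in the timing side-channel section.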
Key Takeaways
AI-assisted refactoring introduces a class of security vulnerabilities that is distinct from AI code generation issues. Generation creates new vulnerable code; refactoring removes existing security properties. The danger is magnified because the refactored code looks better — it is cleaner, more idiomatic, and often passes existing tests. Security properties like constant-time comparison, generic error messages, transaction atomicity, and defense-in-depth authorization are the specific casualties because they manifest as patterns that AI tools interpret as code smells to be fixed.
The most effective defenses are documentation of security properties (so the AI and the reviewer know what to preserve), differential testing (so behavioral changes are detected automatically), and security-specific Semgrep rules that flag known regression patterns. Organizations should never run AI refactoring across security-critical code paths without a security-focused review that specifically checks for the categories documented in this article.
References
- Prenner, J., & Robillard, M. (2024). "Out of Context: How Important is Local Context in Neural Program Repair?" ACM Transactions on Software Engineering and Methodology. Analysis of how AI tools make incorrect assumptions when refactoring without full context of security requirements.
- Pearce, H., et al. (2022). "Examining Zero-Shot Vulnerability Repair with Large Language Models." IEEE S&P. Documents cases where LLM-generated "fixes" and refactors introduced new security vulnerabilities.
- McMinn, P., & Kapfhammer, G. (2024). "Differential Testing of AI-Refactored Code for Security Regression." International Conference on Automated Software Engineering (ASE). Framework for detecting security-relevant behavioral changes in refactored code.
- OWASP (2025). "Secure Coding Practices Quick Reference Guide." https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/ — Reference for security properties that must be preserved during refactoring.