核心要点静态规则:检测 `eval`、`child_process`、可疑 Base64 与网络外连。动态沙箱:限制文件系统、网络与进程能力,记录异常行为。阈值策略:风险评分达到阈值阻断;警告级进入人工复核。实现示例type File = { path: string; content: string }
function staticScore(f: File): number {
let s = 0
if (/eval\(/i.test(f.content)) s += 3
if (/child_process/i.test(f.content)) s += 4
if (/require\(['"]child_process['"]\)/i.test(f.content)) s += 4
if (/[A-Za-z0-9+/=]{200,}/.test(f.content)) s += 2
if (/https?:\/\//i.test(f.content)) s += 1
return s
}
function totalScore(files: File[]): number {
return files.reduce((acc, f) => acc + staticScore(f), 0)
}
function decide(score: number, thresholds: { block: number; warn: number }): 'block' | 'warn' | 'pass' {
if (score >= thresholds.block) return 'block'
if (score >= thresholds.warn) return 'warn'
return 'pass'
}
审计与CI门禁构建前对 tarball 执行检测;达到阻断阈值直接失败并输出证据。警告级进入沙箱复核;审计记录包含文件路径与命中特征。
发表评论 取消回复