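// Implementation example

type Arg = { key: string; value: string };

/**
 * Key-name pattern that marks an argument as secret-bearing.
 * SECRET / TOKEN / PASSWORD / PASSWD are matched as a whole `_`-delimited
 * segment anywhere in the name; KEY is matched only as a suffix (so
 * `AWS_SECRET_ACCESS_KEY` and `API_KEY` match, `KEYBOARD` does not).
 * Matching is case-insensitive. Hoisted so it is not recompiled per call.
 */
const SENSITIVE_KEY = /(?:^|_)(?:SECRET|TOKEN|PASSWORD|PASSWD)(?:_|$)|KEY$/i;

/**
 * Whether `k` may be injected into the build.
 *
 * A key passes when it carries the required prefix or is listed explicitly in
 * `allow`. An empty `prefix` is treated as "no prefix rule", not "every key
 * matches": `k.startsWith("")` is true for every string, so without this guard
 * an empty prefix would silently disable the allowlist.
 *
 * @param k      Variable name under evaluation.
 * @param prefix Required prefix; empty means only `allow` applies.
 * @param allow  Exact names permitted without the prefix.
 */
function allowedKey(k: string, prefix: string, allow: Set<string>): boolean {
  const prefixMatches = prefix.length > 0 && k.startsWith(prefix);
  return prefixMatches || allow.has(k);
}

/**
 * Whether `k` names a secret-bearing variable (see `SENSITIVE_KEY`).
 *
 * This is a heuristic on the name only; values are never inspected. Suffix-only
 * matching would miss names such as `APP_TOKEN_V2` or `MY_SECRET_ID`, so the
 * secret words are also matched as inner segments.
 */
function sensitive(k: string): boolean {
  return SENSITIVE_KEY.test(k);
}

/**
 * Evaluate build arguments against the injection policy.
 *
 * Sensitive keys are rejected before the allowlist is consulted, so an
 * allowlist entry can never override the secret check. Error strings carry
 * only the key name, never the value, so they are safe to log.
 *
 * @param args   Candidate key/value pairs.
 * @param prefix Required key prefix (empty = no prefix rule).
 * @param allow  Exact key names permitted without the prefix.
 * @returns `ok` is false when at least one argument was rejected; `errors`
 *   holds one `sensitive:<key>` or `not-allowed:<key>` entry per rejection;
 *   `filtered` holds the accepted arguments. Callers implementing
 *   "block on violation" must check `ok` rather than consume `filtered`
 *   unconditionally.
 */
function evaluateArgs(
  args: Arg[],
  prefix: string,
  allow: Set<string>,
): { ok: boolean; errors: string[]; filtered: Arg[] } {
  const errors: string[] = [];
  const filtered: Arg[] = [];
  for (const a of args) {
    // Secret check first: allowlisting must not bypass it.
    if (sensitive(a.key)) {
      errors.push(`sensitive:${a.key}`);
      continue;
    }
    if (!allowedKey(a.key, prefix, allow)) {
      errors.push(`not-allowed:${a.key}`);
      continue;
    }
    filtered.push(a);
  }
  return { ok: errors.length === 0, errors, filtered };
}

// Audit and build governance: audit the inventory of variables in use and the
// deny list; the build injects only prefixed or allowlisted variables and
// refuses sensitive keys. Never print variable values in logs; on a violation,
// block the build and raise an alert.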
