核心要点

钩子白名单与禁用列表：默认禁止 `preinstall`/`postinstall`，仅允许受控的 `prepare`。检测危险特征：网络下载、代码注入、进程执行与敏感环境访问。审计输出命中的规则与证据，并支持例外审批与到期时间。

实现示例

type Scripts = { [k: string]: string }
/** Lifecycle hooks that may be present; validateScripts does not content-scan these. */
const allowHooks = new Set<string>().add('prepare')
/** Lifecycle hooks rejected outright unless an unexpired exception covers them. */
const denyHooks = new Set<string>().add('preinstall').add('postinstall')
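/** A detection rule: the dangerous feature it evidences and the pattern that matches it. */
type SuspiciousRule = { readonly feature: string; readonly rx: RegExp }

/**
 * Dangerous-feature patterns applied to each script body. Hoisted to module
 * scope so the regexes are compiled once rather than on every call; none uses
 * the `g` flag, so `test` keeps no lastIndex state between calls.
 * Patterns are deliberately broad: a hit is reported for review, not proof of malice.
 */
const SUSPICIOUS_RULES: ReadonlyArray<SuspiciousRule> = [
  // network download — options may sit between the tool and the URL (`curl -fsSL https://…`)
  { feature: 'network-download', rx: /(curl|wget)\s[^|;&]*https?:\/\//i },
  { feature: 'network-download', rx: /(powershell|pwsh)\s[^|;&]*\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b/i },
  // code injection — inline evaluation of a string as code
  { feature: 'code-injection', rx: /node\s+(-e|-p|-pe|--eval|--print)\b/i },
  { feature: 'code-injection', rx: /eval\s*\(/i },
  // the Function constructor is capitalised; matched case-sensitively so a plain `function(` is not a hit
  { feature: 'code-injection', rx: /\bFunction\s*\(/ },
  // process execution — `child_process` already covers `require('child_process')`
  { feature: 'process-exec', rx: /child_process/i },
  // anything piped straight into a shell interpreter
  { feature: 'process-exec', rx: /\|\s*(sh|bash|zsh|pwsh|powershell)\b/i },
  // sensitive environment access — dot access to an upper-case name, or any bracket access
  { feature: 'env-access', rx: /process\.env\.[A-Z_]+/ },
  { feature: 'env-access', rx: /process\.env\s*\[/ },
]

/**
 * Returns the dangerous features evidenced in `cmd`, de-duplicated, in rule order.
 * An empty array means no rule matched. Intended for audit output that names the hit.
 *
 * @param cmd a single npm script body as found in package.json
 */
function suspiciousRules(cmd: string): string[] {
  const hits = SUSPICIOUS_RULES.filter(rule => rule.rx.test(cmd)).map(rule => rule.feature)
  return [...new Set(hits)]
}

/**
 * True when `cmd` contains at least one dangerous feature: network download,
 * code injection, process execution or sensitive environment access.
 *
 * @param cmd a single npm script body as found in package.json
 * @returns whether any rule in SUSPICIOUS_RULES matches
 */
function suspicious(cmd: string): boolean {
  // `some` stops at the first hit; evidence is available via suspiciousRules
  return SUSPICIOUS_RULES.some(rule => rule.rx.test(cmd))
}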
/**
 * Checks a package's `scripts` map against the hook deny list and the
 * dangerous-feature scan.
 *
 * @param scripts    package.json `scripts` (hook name → shell command)
 * @param exceptions approved exceptions keyed `hook:<name>`, value = expiry in the
 *                   same unit as `now`; an exception still in force suppresses both checks
 * @param now        current timestamp used to expire exceptions
 * @returns `ok` when nothing was recorded; `errors` holds `denied:<hook>` and
 *          `suspicious:<hook>` entries in script order
 */
function validateScripts(scripts: Scripts, exceptions: Map<string, number>, now: number): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  // `|| 0` (not `??`) also maps a NaN expiry to 0, so it reads as expired rather than permanent
  const expired = (hook: string): boolean => (exceptions.get(`hook:${hook}`) || 0) < now
  for (const [hook, body] of Object.entries(scripts)) {
    if (!expired(hook)) continue
    if (denyHooks.has(hook)) {
      errors.push(`denied:${hook}`)
    } else if (!allowHooks.has(hook) && suspicious(body)) {
      // NOTE(review): allow-listed hooks (e.g. `prepare`) skip the content scan entirely — confirm that is intended
      errors.push(`suspicious:${hook}`)
    }
  }
  return { ok: errors.length === 0, errors }
}
审计与 CI 门禁

构建前解析 `scripts` 字段；命中禁用或可疑规则即阻断构建并输出详情。对确有必要的钩子启用例外审批并设置到期时间；产线默认拒绝未经审批的项。
