实现示例type Env = Record<string, string> function allowedKey(k: string, prefix: string, allow: Set<string>): boolean { return k.startsWith(prefix) || allow.has(k) } function sensitive(k: string): boolean { return /(SECRET|TOKEN|PASSWORD|KEY)$/i.test(k) } function evaluateEnv(env: Env, prefix: string, allow: Set<string>): { ok: boolean; errors: string[]; filtered: Env } { const errors: string[] = [] const filtered: Env = {} for (const [k, v] of Object.entries(env)) { if (sensitive(k)) { errors.push(`sensitive:${k}`); continue } if (!allowedKey(k, prefix, allow)) { errors.push(`not-allowed:${k}`); continue } filtered[k] = v } return { ok: errors.length === 0, errors, filtered } } 审计与运行治理审计变量使用清单与拒绝项;构建仅注入 `APP_` 前缀或白名单变量。禁止在日志中输出变量值;敏感键命中即阻断并告警。
投稿
微信公众账号
微信扫一扫加关注
评论 返回
顶部
发表评论 取消回复