数据脱敏Hook：敏感数据自动脱敏

// 数据脱敏Hook的基本架构 class DataMaskingHook { constructor(options = {}) { this.rules = options.rules || []; this.auditLog = []; this.whitelist = options.whitelist || []; this.enabled = options.enabled !== false; } // 在用户提示提交前执行脱敏 async beforeUserPromptSubmit(context) { if (!this.enabled) return context; const originalContent = context.prompt; const maskedContent = await this.applyMasking(originalContent); // 记录审计日志 this.auditLog.push({ timestamp: new Date().toISOString(), originalLength: originalContent.length, maskedCount: this.getMaskedCount(originalContent, maskedContent) }); return { ...context, prompt: maskedContent }; } // 在AI响应返回后恢复脱敏数据（可选） async afterAssistantMessage(context) { // 如果配置了恢复策略，将占位符恢复为可读描述 return context; } }

// PII检测和脱敏规则实现 const piiRules = [ { name: '手机号', pattern: /(1[3-9]\d)\d{4}(\d{4})/g, replacement: '$1****$2', description: '保留前3位和后4位，中间隐藏' }, { name: '身份证号', pattern: /(\d{6})\d{8}(\d{4})/g, replacement: '$1********$2', description: '保留前6位和后4位，中间隐藏' }, { name: '邮箱', pattern: /(\w{2})\w+@(\w+\.\w+)/g, replacement: '$1***@$2', description: '保留邮箱前2位和域名' }, { name: '银行卡号', pattern: /(\d{4})\d{8,12}(\d{4})/g, replacement: '$1********$2', description: '保留前4位和后4位' }, { name: '姓名', pattern: /(?:姓名[：:]\s*)([一-龥]{2,4})/g, replacement: (match, name) => { if (name.length === 2) return '姓名：' + name[0] + '某'; return '姓名：' + name[0] + '某' + name[name.length - 1]; }, description: '保留姓氏，名字用"某"代替' } ];

// 凭证信息脱敏规则 const credentialRules = [ { name: 'API Key', // 匹配常见的API Key格式 pattern: /(sk-[a-zA-Z0-9]{20,})|(api[_-]?key[=:]\s*['"]?[a-zA-Z0-9]{16,})/gi, replacement: '[API_KEY]', description: '将API Key替换为占位符' }, { name: 'Bearer Token', pattern: /Bearer\s+[A-Za-z0-9\-._~+/]{20,}/g, replacement: 'Bearer [TOKEN]', description: '将Bearer Token替换' }, { name: '数据库连接串', pattern: /(postgresql|mysql|mongodb):\/\/[^:]+:[^@]+@/g, replacement: '$1://[USER]:[PASSWORD]@', description: '脱敏数据库连接串中的密码' }, { name: '密码字段', pattern: /(password|passwd|pwd)[=:]\s*['"]?[^'"&\s]{4,}['"]?/gi, replacement: '$1=[PASSWORD]', description: '将密码替换为占位符' }, { name: '私钥', pattern: /-----BEGIN (RSA |EC )?PRIVATE KEY-----[^>]+-----END/g, replacement: '[PRIVATE_KEY]', description: '检测并替换私钥内容' } ];

// 支持自定义凭证模式扩展 class CredentialMaskingHook { constructor() { this.customPatterns = new Map(); } // 注册自定义凭证模式 registerPattern(name, pattern, replacement) { this.customPatterns.set(name, { pattern: new RegExp(pattern, 'gi'), replacement: replacement || `[${name.toUpperCase()}]` }); } // 批量注册自定义模式 registerPatterns(patterns) { for (const [name, config] of Object.entries(patterns)) { this.registerPattern(name, config.pattern, config.replacement); } } maskCredentials(text) { let masked = text; for (const [, rule] of this.customPatterns) { masked = masked.replace(rule.pattern, rule.replacement); } return masked; } } // 使用示例 const hook = new CredentialMaskingHook(); hook.registerPattern('aws_key', 'AKIA[0-9A-Z]{16}', '[AWS_ACCESS_KEY]'); hook.registerPattern('github_token', 'ghp_[a-zA-Z0-9]{36}', '[GITHUB_TOKEN]');

// IP地址和网络信息脱敏规则 const networkRules = [ { name: '内网IPv4地址', // 匹配常见内网IP段：10.x.x.x, 172.16-31.x.x, 192.168.x.x pattern: /\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/g, replacement: '[INTERNAL_IP]', description: '将内网IP替换为占位符' }, { name: '内网IPv4（192.168段）', pattern: /\b(192\.168\.\d{1,3}\.\d{1,3})\b/g, replacement: '[LOCAL_IP]', description: '192.168段IP脱敏' }, { name: '外网IPv4地址（可选）', pattern: /\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/g, replacement: '[PUBLIC_IP]', description: '外网IP可选脱敏' }, { name: 'IPv6地址', pattern: /([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}/g, replacement: '[IPV6_ADDRESS]', description: 'IPv6地址脱敏' }, { name: '域名中的敏感信息', pattern: /(https?:\/\/)?([a-z0-9-]+)\.internal\.([a-z]+)/g, replacement: '$1[SUB_DOMAIN].internal.$3', description: '脱敏内网域名中的子域名' } ];

// masking-config.json - 脱敏规则配置文件 { "version": "2.0", "enabled": true, "sensitivityLevels": { "high": ["身份证号", "银行卡号", "密码", "私钥"], "medium": ["手机号", "邮箱", "API Key", "Token"], "low": ["IP地址", "姓名", "域名"] }, "rules": { "PII": { "enabled": true, "level": "high", "patterns": [ { "name": "手机号", "pattern": "...", "replacement": "..." }, { "name": "身份证号", "pattern": "...", "replacement": "..." }, { "name": "邮箱", "pattern": "...", "replacement": "..." } ] }, "credentials": { "enabled": true, "level": "high", "patterns": [ { "name": "API Key", "pattern": "...", "replacement": "[API_KEY]" }, { "name": "密码", "pattern": "...", "replacement": "[PASSWORD]" } ] }, "network": { "enabled": true, "level": "low", "patterns": [ { "name": "内网IP", "pattern": "...", "replacement": "[INTERNAL_IP]" } ] } }, "whitelist": { "enabled": true, "patterns": [ "127.0.0.1", "localhost", "8.8.8.8", "1.1.1.1" ], "domains": [ "example.com", "test.com" ] }, "audit": { "enabled": true, "logLevel": "info", "retentionDays": 90 } }

// 敏感级别策略管理 class SensitivityManager { constructor(config) { this.levels = config.sensitivityLevels || {}; this.currentLevel = 'medium'; // 默认级别 } setLevel(level) { if (this.levels[level]) { this.currentLevel = level; } } shouldMask(ruleName) { const currentRules = this.levels[this.currentLevel] || []; return currentRules.includes(ruleName); } // 根据场景自动调整级别 adjustForContext(context) { if (context.includes('生产环境') || context.includes('production')) { this.setLevel('high'); } else if (context.includes('测试') || context.includes('test')) { this.setLevel('low'); } } } // 不同场景的策略示例 const strategies = { development: { level: 'low', audit: false }, staging: { level: 'medium', audit: true }, production: { level: 'high', audit: true, retentionDays: 90 }, compliance: { level: 'high', audit: true, alertOnMatch: true } };

// 白名单管理 class WhitelistManager { constructor(whitelistConfig) { this.whitelistPatterns = whitelistConfig.patterns || []; this.whitelistDomains = whitelistConfig.domains || []; } isWhitelisted(text) { // 检查是否匹配白名单 for (const pattern of this.whitelistPatterns) { if (text.includes(pattern)) return true; } for (const domain of this.whitelistDomains) { if (text.includes('@' + domain) || text.includes('.' + domain)) { return true; } } return false; } addToWhitelist(pattern) { this.whitelistPatterns.push(pattern); } removeFromWhitelist(pattern) { this.whitelistPatterns = this.whitelistPatterns.filter(p => p !== pattern); } }

// 脱敏测试和验证工具 class MaskingTestTool { constructor(maskingHook) { this.hook = maskingHook; this.testResults = []; } // 运行脱敏测试用例 runTests(testCases) { for (const testCase of testCases) { const result = this.hook.applyMasking(testCase.input); const passed = result.masked === testCase.expected; this.testResults.push({ name: testCase.name, input: testCase.input, expected: testCase.expected, actual: result.masked, passed, maskedCount: result.count }); } return this.generateReport(); } // 生成测试报告 generateReport() { const total = this.testResults.length; const passed = this.testResults.filter(r => r.passed).length; return { total, passed, failed: total - passed, passRate: ((passed / total) * 100).toFixed(1) + '%', details: this.testResults }; } // 交互式测试 async interactiveTest() { console.log('=== 数据脱敏Hook交互式测试工具 ==='); console.log('输入文本即可查看脱敏结果，输入"exit"退出'); // 测试用例库 const testCases = [ { name: '包含手机号和邮箱', input: '请联系我：手机13812345678，邮箱zhangsan@example.com', expected: '请联系我：手机138****5678，邮箱zh***@example.com' }, { name: '包含API Key', input: '请使用API Key: sk-abcdefghijklmnopqrstuvwxyz', expected: '请使用API Key: [API_KEY]' }, { name: '包含内网IP和端口', input: '数据库地址：192.168.1.100:3306', expected: '数据库地址：[LOCAL_IP]:3306' } ]; return this.runTests(testCases); } }

// 完整集成示例 const maskingHook = new DataMaskingHook({ rules: [...piiRules, ...credentialRules, ...networkRules], whitelist: mockWhitelistConfig, enabled: true }); // 测试输入 const userInput = `用户信息： 姓名：李四 手机：13912345678 邮箱：lisi@company.com 身份证：110101199003071234 服务器配置： 数据库 mysql://admin:pass123@192.168.1.100:3306/prod_db API Key: sk-abcdefghijklmnopqrstuvwxyz 内网地址：10.0.0.5:8080`; const result = maskingHook.applyMasking(userInput); console.log('脱敏后：'); console.log(result.masked); console.log(`共脱敏 ${result.count} 处敏感信息`);

// 预期脱敏输出： 用户信息： 姓名：李某 手机：139****5678 邮箱：li***@company.com 身份证：110101********1234 服务器配置： 数据库 mysql://[USER]:[PASSWORD]@[INTERNAL_IP]:3306/[DB_NAME] API Key: [API_KEY] 内网地址：[INTERNAL_IP]:[PORT]