awoooi

wooo/awoooi

Fork 0

Commit Graph

Author	SHA1	Message	Date
OG T	cc42aa0bdb	feat(adr-076): Task 2.2 + 2.3 — 規則擴充 + kubectl 注入防護 Some checks failed CD Pipeline / build-and-deploy (push) Has been cancelled Details Task 2.2: alert_rules.yaml 新增 3 類規則 (priority 125-127) - gitea_down: Gitea CI/CD 下線 → NO_ACTION (priority 125, critical) - ssl_cert_expiring: SSL 憑證到期 → NO_ACTION (priority 126, medium) - external_site_down: MoWoooWork/Dev/Blackbox probe → NO_ACTION (priority 127, medium) 規則總數: 21 → 24 Task 2.3: alert_rule_engine.py kubectl 注入防護 - _RULE_ENGINE_DESTRUCTIVE_RE: 阻擋 delete pvc/namespace/statefulset/deployment, drain/cordon, --replicas=0, rm -rf, DROP TABLE, $() 反引號 - validate_kubectl_command(): 公開 API，SSH 指令/空字串直接通過 - match_rule() 整合: 變數替換後驗證，阻擋時清空 + log warning - test_alert_rule_engine_validation.py: 34 tests (100% 通過) 測試: 776 passed, 26 skipped, 0 failed Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-14 15:10:10 +08:00

Author

SHA1

Message

Date

OG T

cc42aa0bdb

feat(adr-076): Task 2.2 + 2.3 — 規則擴充 + kubectl 注入防護

CD Pipeline / build-and-deploy (push) Has been cancelled

Details

Task 2.2: alert_rules.yaml 新增 3 類規則 (priority 125-127)
  - gitea_down: Gitea CI/CD 下線 → NO_ACTION (priority 125, critical)
  - ssl_cert_expiring: SSL 憑證到期 → NO_ACTION (priority 126, medium)
  - external_site_down: MoWoooWork/Dev/Blackbox probe → NO_ACTION (priority 127, medium)
  規則總數: 21 → 24

Task 2.3: alert_rule_engine.py kubectl 注入防護
  - _RULE_ENGINE_DESTRUCTIVE_RE: 阻擋 delete pvc/namespace/statefulset/deployment,
    drain/cordon, --replicas=0, rm -rf, DROP TABLE, $() 反引號
  - validate_kubectl_command(): 公開 API，SSH 指令/空字串直接通過
  - match_rule() 整合: 變數替換後驗證，阻擋時清空 + log warning
  - test_alert_rule_engine_validation.py: 34 tests (100% 通過)

測試: 776 passed, 26 skipped, 0 failed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-14 15:10:10 +08:00

1 Commits