@dangao/bun-server 2.0.2 → 2.0.8

package/src/events/event-module.ts

@@ -217,7 +217,7 @@ export class EventModule {
     if (eventModuleRef) {
       try {
         eventEmitter = eventModuleRef.container.resolve<EventEmitter>(EVENT_EMITTER_TOKEN);
-      } catch {
+      } catch (_error) {
         // 忽略错误
       }
     }
@@ -264,7 +264,7 @@ export class EventModule {
     if (moduleRef) {
       try {
         return moduleRef.container.resolve<EventEmitter>(EVENT_EMITTER_TOKEN);
-      } catch {
+      } catch (_error) {
         // 忽略错误，尝试从传入的容器获取
       }
     }
@@ -273,7 +273,7 @@ export class EventModule {
     if (container) {
       try {
         return container.resolve<EventEmitter>(EVENT_EMITTER_TOKEN);
-      } catch {
+      } catch (_error) {
         // 忽略错误
       }
     }
@@ -307,7 +307,7 @@ export class EventModule {
     let eventEmitter: EventEmitter | undefined;
     try {
       eventEmitter = eventModuleRef.container.resolve<EventEmitter>(EVENT_EMITTER_TOKEN);
-    } catch {
+    } catch (_error) {
       return false;
     }
 

package/src/files/static-middleware.ts

@@ -41,11 +41,11 @@ export function createStaticFileMiddleware(options: StaticFileOptions): Middlewa
           'Content-Type': file.type || 'application/octet-stream',
         },
       });
-    } catch {
+    } catch (_error) {
       if (fallthrough) {
         return await next();
       }
-      return context.createResponse({ error: 'File Not Found' }, { status: 404 });
+      return context.createErrorResponse({ error: 'File Not Found' }, { status: 404 });
     }
   };
 }

package/src/files/storage.ts

@@ -18,7 +18,7 @@ async function fileExists(path: string): Promise<boolean> {
   try {
     await access(path, constants.F_OK);
     return true;
-  } catch {
+  } catch (_error) {
     return false;
   }
 }

package/src/interceptor/builtin/log-interceptor.ts

@@ -101,7 +101,7 @@ export class LogInterceptor extends BaseInterceptor {
     let logger: Logger | undefined;
     try {
       logger = container.resolve<Logger>(LOGGER_TOKEN);
-    } catch {
+    } catch (_error) {
       // Logger not available, use console
     }
 

package/src/mcp/server.ts

@@ -69,7 +69,7 @@ export class McpServer {
         const pingInterval = setInterval(() => {
           try {
             controller.enqueue(encoder.encode(': ping\n\n'));
-          } catch {
+          } catch (_error) {
             clearInterval(pingInterval);
           }
         }, 15000);

package/src/middleware/builtin/error-handler.ts

@@ -63,7 +63,7 @@ export function createErrorHandlingMiddleware(
       }
 
       if (error instanceof ValidationError) {
-        return context.createResponse(
+        return context.createErrorResponse(
           {
             error: error.message,
             issues: error.issues,
@@ -84,7 +84,7 @@ export function createErrorHandlingMiddleware(
       }
 
       if (error instanceof Error) {
-        return context.createResponse(
+        return context.createErrorResponse(
           {
             error: error.message,
           },

package/src/middleware/builtin/file-upload.ts

@@ -25,7 +25,7 @@ export function createFileUploadMiddleware(options: FileUploadOptions = {}): Mid
       for (const file of fileList) {
         if (file.size > maxSize) {
           context.setStatus(413);
-          return context.createResponse({ error: `File ${file.name} exceeds max size` });
+          return context.createErrorResponse({ error: `File ${file.name} exceeds max size` });
         }
       }
     }

package/src/middleware/builtin/rate-limit.ts

@@ -193,7 +193,7 @@ export function createRateLimitMiddleware(options: RateLimitOptions): Middleware
     // 检查是否超过限制
     if (currentCount > max) {
       context.setStatus(statusCode);
-      return context.createResponse({
+      return context.createErrorResponse({
         error: message,
         retryAfter: Math.ceil(windowMs / 1000),
       });

package/src/middleware/builtin/static-file.ts

@@ -52,7 +52,7 @@ export function createStaticFileMiddleware(options: StaticFileOptions): Middlewa
     const segments = cleanPath.split('/').filter((segment) => segment.length > 0);
     if (segments.some((segment) => segment === '..')) {
       context.setStatus(403);
-      return context.createResponse({ error: 'Forbidden' });
+      return context.createErrorResponse({ error: 'Forbidden' });
     }
 
     let targetPath = resolve(root, cleanPath);
@@ -62,7 +62,7 @@ export function createStaticFileMiddleware(options: StaticFileOptions): Middlewa
 
     if (!isSubPath(root, targetPath)) {
       context.setStatus(403);
-      return context.createResponse({ error: 'Forbidden' });
+      return context.createErrorResponse({ error: 'Forbidden' });
     }
 
     const file = Bun.file(targetPath);

package/src/prompt/stores/file-store.ts

@@ -74,7 +74,7 @@ export class FilePromptStore implements PromptStore {
       try {
         const path = `${this.promptsDir}/${id}.json`;
         await Bun.file(path).exists() && Bun.write(path, ''); // Soft delete (empty file)
-      } catch {
+      } catch (_error) {
         // ignore
       }
     }
@@ -105,11 +105,11 @@ export class FilePromptStore implements PromptStore {
           await this.memory.create({ id, ...data }).catch(() => {
             // Template already exists — skip
           });
-        } catch {
+        } catch (_error) {
           // Skip malformed files
         }
       }
-    } catch {
+    } catch (_error) {
       // Directory doesn't exist — start empty
     }
   }
@@ -128,7 +128,7 @@ export class FilePromptStore implements PromptStore {
         2,
       );
       await Bun.write(`${this.promptsDir}/${template.id}.json`, content);
-    } catch {
+    } catch (_error) {
       // Ignore write errors (e.g., read-only filesystem)
     }
   }

package/src/queue/queue-module.ts

@@ -37,11 +37,14 @@ export class QueueModule {
         provide: QUEUE_SERVICE_TOKEN,
         useValue: service,
       },
+      {
+        provide: QueueService,
+        useValue: service,
+      },
       {
         provide: QUEUE_OPTIONS_TOKEN,
         useValue: options,
       },
-      QueueService,
     );
 
     // 动态更新模块元数据

package/src/request/body-parser.ts

@@ -57,10 +57,10 @@ export class BodyParser {
           // 尝试解析为 JSON
           try {
             return JSON.parse(text);
-          } catch {
+          } catch (_error) {
             return text;
           }
-        } catch {
+        } catch (_error) {
           return undefined;
         }
       }
@@ -72,7 +72,7 @@ export class BodyParser {
       }
       try {
         return JSON.parse(fallbackText);
-      } catch {
+      } catch (_error) {
         return fallbackText;
       }
     } catch (error) {

package/src/security/filter.ts

@@ -71,7 +71,7 @@ export function createSecurityFilter(config: SecurityFilterConfig): Middleware {
       const { ControllerRegistry } = require('../controller/controller');
       cachedContainer = ControllerRegistry.getInstance().getContainer();
       return cachedContainer;
-    } catch {
+    } catch (_error) {
       return null;
     }
   };

package/src/security/guards/guard-registry.ts

@@ -73,7 +73,7 @@ export class GuardRegistry {
         this.guardInstances.set(guard as Constructor<CanActivate>, instance);
         return instance;
       }
-    } catch {
+    } catch (_error) {
       // 如果容器解析失败，继续尝试手动实例化
     }
 

package/src/session/middleware.ts

@@ -17,7 +17,7 @@ export function createSessionMiddleware(
       sessionService = container.resolve<SessionService>(
         SESSION_SERVICE_TOKEN,
       );
-    } catch {
+    } catch (_error) {
       // 如果 SessionService 未注册，跳过 Session 处理
       return await next();
     }

package/src/session/types.ts

@@ -231,7 +231,7 @@ export class RedisSessionStore implements SessionStore {
         return undefined;
       }
       return JSON.parse(value) as Session;
-    } catch {
+    } catch (_error) {
       return undefined;
     }
   }
@@ -243,7 +243,7 @@ export class RedisSessionStore implements SessionStore {
         PX: maxAge,
       });
       return true;
-    } catch {
+    } catch (_error) {
       return false;
     }
   }
@@ -252,7 +252,7 @@ export class RedisSessionStore implements SessionStore {
     try {
       await this.client.del(this.getKey(sessionId));
       return true;
-    } catch {
+    } catch (_error) {
       return false;
     }
   }
@@ -261,7 +261,7 @@ export class RedisSessionStore implements SessionStore {
     try {
       const result = await this.client.exists(this.getKey(sessionId));
       return result === 1;
-    } catch {
+    } catch (_error) {
       return false;
     }
   }
@@ -282,7 +282,7 @@ export class RedisSessionStore implements SessionStore {
       }
 
       return false;
-    } catch {
+    } catch (_error) {
       return false;
     }
   }

package/src/testing/test-client.ts

@@ -97,7 +97,7 @@ export class TestHttpClient {
     let body: unknown;
     try {
       body = JSON.parse(text);
-    } catch {
+    } catch (_error) {
       body = text;
     }
 

package/src/validation/decorators.ts

@@ -58,11 +58,79 @@ export function IsNumber(options: RuleOption = {}): ValidationRuleDefinition {
 }
 
 export function IsEmail(options: RuleOption = {}): ValidationRuleDefinition {
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
   return {
     name: 'isEmail',
     message: options.message ?? '必须是合法的邮箱地址',
-    validate: (value) => typeof value === 'string' && emailRegex.test(value),
+    validate: (value) => {
+      if (typeof value !== 'string') {
+        return false;
+      }
+
+      const email = value.trim();
+      if (!email || email.length > 254) {
+        return false;
+      }
+      if (email.includes(' ')) {
+        return false;
+      }
+
+      const atIndex = email.indexOf('@');
+      if (atIndex <= 0 || atIndex !== email.lastIndexOf('@')) {
+        return false;
+      }
+
+      const local = email.slice(0, atIndex);
+      const domain = email.slice(atIndex + 1);
+      if (!local || !domain || local.length > 64) {
+        return false;
+      }
+      if (local.startsWith('.') || local.endsWith('.') || local.includes('..')) {
+        return false;
+      }
+      if (domain.startsWith('.') || domain.endsWith('.') || domain.includes('..')) {
+        return false;
+      }
+      if (!domain.includes('.')) {
+        return false;
+      }
+
+      for (const ch of local) {
+        const code = ch.charCodeAt(0);
+        const isAlphaNum =
+          (code >= 48 && code <= 57) ||
+          (code >= 65 && code <= 90) ||
+          (code >= 97 && code <= 122);
+        const isAllowedSymbol = "!#$%&'*+/=?^_`{|}~.-".includes(ch);
+        if (!isAlphaNum && !isAllowedSymbol) {
+          return false;
+        }
+      }
+
+      const labels = domain.split('.');
+      if (labels.length < 2) {
+        return false;
+      }
+      for (const label of labels) {
+        if (!label || label.length > 63) {
+          return false;
+        }
+        if (label.startsWith('-') || label.endsWith('-')) {
+          return false;
+        }
+        for (const ch of label) {
+          const code = ch.charCodeAt(0);
+          const isAlphaNum =
+            (code >= 48 && code <= 57) ||
+            (code >= 65 && code <= 90) ||
+            (code >= 97 && code <= 122);
+          if (!isAlphaNum && ch !== '-') {
+            return false;
+          }
+        }
+      }
+
+      return labels[labels.length - 1]!.length >= 2;
+    },
   };
 }
 

package/src/validation/rules/common.ts

@@ -191,7 +191,7 @@ export function IsUrl(options: RuleOptions = {}): ValidationRuleDefinition {
       try {
         new URL(value);
         return true;
-      } catch {
+      } catch (_error) {
         return false;
       }
     },
@@ -212,7 +212,7 @@ export function IsJSON(options: RuleOptions = {}): ValidationRuleDefinition {
       try {
         JSON.parse(value);
         return true;
-      } catch {
+      } catch (_error) {
         return false;
       }
     },

package/tests/config/config-module-extended.test.ts

@@ -161,4 +161,28 @@ describe('ConfigModule.setValueByPath', () => {
     setValueByPath(obj, 'a.b', 'value');
     expect((obj.a as any).b).toBe('value');
   });
+
+  test('should reject dangerous prototype pollution paths', () => {
+    const obj: Record<string, unknown> = {};
+    expect(() => setValueByPath(obj, '__proto__.polluted', 'yes')).toThrow();
+    expect(() => setValueByPath(obj, 'constructor.prototype.evil', 'yes')).toThrow();
+    expect(() => setValueByPath(obj, 'safe.__proto__.value', 'yes')).toThrow();
+    expect(() => setValueByPath(obj, 'safe. __proto__ .value', 'yes')).toThrow();
+    expect(({} as any).polluted).toBeUndefined();
+    expect(({} as any).evil).toBeUndefined();
+  });
+
+  test('should reject empty path segments', () => {
+    const obj: Record<string, unknown> = {};
+    expect(() => setValueByPath(obj, 'a..b', 'value')).toThrow();
+    expect(() => setValueByPath(obj, '.a', 'value')).toThrow();
+    expect(() => setValueByPath(obj, 'a.', 'value')).toThrow();
+    expect(() => setValueByPath(obj, 'a.   .b', 'value')).toThrow();
+  });
+
+  test('should normalize whitespace around path segments', () => {
+    const obj: Record<string, unknown> = {};
+    setValueByPath(obj, ' a . b . c ', 'value');
+    expect((obj as any).a.b.c).toBe('value');
+  });
 });

package/tests/core/context.test.ts

@@ -82,5 +82,57 @@ describe('Context', () => {
     const response = context.createResponse({ error: 'Not Found' });
     expect(response.status).toBe(404);
   });
+
+  test('createResponse should keep business fields unchanged', async () => {
+    const request = new Request('http://localhost:3000/api/users');
+    const context = new Context(request);
+
+    const response = context.createResponse({
+      stack: 'business-stack-value',
+      data: { trace: 'business-trace-value' },
+    });
+    const body = (await response.json()) as {
+      stack: string;
+      data: { trace: string };
+    };
+
+    expect(body.stack).toBe('business-stack-value');
+    expect(body.data.trace).toBe('business-trace-value');
+  });
+
+  test('createErrorResponse should redact sensitive fields', async () => {
+    const request = new Request('http://localhost:3000/api/users');
+    const context = new Context(request);
+    context.setStatus(400);
+
+    const response = context.createErrorResponse({
+      error: 'bad request',
+      stack: 'hidden',
+      details: {
+        trace: 'hidden-trace',
+        cause: 'hidden-cause',
+      },
+      items: [
+        {
+          trace: 'hidden-array-trace',
+          safe: 'value',
+        },
+      ],
+    });
+    const body = (await response.json()) as {
+      error: string;
+      stack?: string;
+      details: { trace?: string; cause?: string };
+      items: Array<{ trace?: string; safe: string }>;
+    };
+
+    expect(response.status).toBe(400);
+    expect(body.error).toBe('bad request');
+    expect(body.stack).toBeUndefined();
+    expect(body.details.trace).toBeUndefined();
+    expect(body.details.cause).toBeUndefined();
+    expect(body.items[0]?.trace).toBeUndefined();
+    expect(body.items[0]?.safe).toBe('value');
+  });
 });
 

package/tests/database/database-module.test.ts

@@ -214,6 +214,93 @@ describe('DatabaseService', () => {
   });
 });
 
+describe('DatabaseService Bun.SQL parameter binding', () => {
+  test('should pass parameters as Bun.SQL template values', async () => {
+    const service = new DatabaseService({
+      database: {
+        type: 'postgres',
+        config: {
+          host: 'localhost',
+          port: 5432,
+          database: 'test',
+          user: 'test',
+          password: 'test',
+        },
+      },
+    });
+
+    let capturedTemplate: TemplateStringsArray | null = null;
+    let capturedValues: unknown[] = [];
+    const mockConnection = async (
+      template: TemplateStringsArray,
+      ...values: unknown[]
+    ): Promise<Array<Record<string, unknown>>> => {
+      capturedTemplate = template;
+      capturedValues = values;
+      return [{ ok: true }];
+    };
+
+    (service as unknown as { getConnection: () => unknown }).getConnection = () =>
+      mockConnection;
+    (
+      service as unknown as {
+        getDatabaseType: () => 'sqlite' | 'postgres' | 'mysql';
+      }
+    ).getDatabaseType = () => 'postgres';
+
+    const result = (await service.query<{ ok: boolean }>(
+      'SELECT * FROM users WHERE id = ? AND name = ?',
+      [1, "O'Reilly"],
+    )) as Array<{ ok: boolean }>;
+
+    expect(Array.isArray(result)).toBe(true);
+    expect(result[0]?.ok).toBe(true);
+    expect(capturedValues).toEqual([1, "O'Reilly"]);
+    expect(capturedTemplate).toBeDefined();
+    expect(capturedTemplate?.length).toBe(3);
+    expect(capturedTemplate?.[0]).toBe('SELECT * FROM users WHERE id = ');
+    expect(capturedTemplate?.[1]).toBe(' AND name = ');
+    expect(capturedTemplate?.[2]).toBe('');
+  });
+
+  test('should throw when placeholders do not match params count', async () => {
+    const service = new DatabaseService({
+      database: {
+        type: 'mysql',
+        config: {
+          host: 'localhost',
+          port: 3306,
+          database: 'test',
+          user: 'test',
+          password: 'test',
+        },
+      },
+    });
+
+    const mockConnection = async (): Promise<Array<Record<string, unknown>>> => [];
+    (service as unknown as { getConnection: () => unknown }).getConnection = () =>
+      mockConnection;
+    (
+      service as unknown as {
+        getDatabaseType: () => 'sqlite' | 'postgres' | 'mysql';
+      }
+    ).getDatabaseType = () => 'mysql';
+
+    await expect(
+      service.query('SELECT * FROM users WHERE id = ?', [1, 2]) as Promise<
+        unknown[]
+      >,
+    ).rejects.toThrow(
+      'Bun.SQL parameterized queries are not fully supported. Consider using template string queries.',
+    );
+    await expect(
+      service.query('SELECT * FROM users WHERE id = ?', [1, 2]) as Promise<
+        unknown[]
+      >,
+    ).rejects.toThrow('Original error: SQL placeholders count does not match parameters count');
+  });
+});
+
 describe('ConnectionPool', () => {
   test('should create connection pool', () => {
     const { ConnectionPool } = require('../../src/database/connection-pool');

package/tests/error/error-handler.test.ts

@@ -140,6 +140,30 @@ describe('handleError', () => {
       expect(body.error).toBe('Internal Server Error');
     });
 
+    test('should not expose stack field in error response body', async () => {
+      const previousNodeEnv = process.env.NODE_ENV;
+      process.env.NODE_ENV = 'development';
+      const context = createContext();
+      const error = new Error('Stack should be hidden from response body');
+      error.stack = 'sensitive stack trace';
+
+      try {
+        const response = await handleError(error, context);
+        const body = await response.json() as {
+          error: string;
+          details?: string;
+          stack?: string;
+        };
+
+        expect(response.status).toBe(500);
+        expect(body.error).toBe('Internal Server Error');
+        expect(body.details).toBe('Stack should be hidden from response body');
+        expect(body.stack).toBeUndefined();
+      } finally {
+        process.env.NODE_ENV = previousNodeEnv;
+      }
+    });
+
     test('should handle string error', async () => {
       const context = createContext();
       const error = 'String error message';

package/tests/queue/queue-module.test.ts

@@ -37,6 +37,33 @@ describe('QueueModule', () => {
     expect(queueProvider.useValue).toBeInstanceOf(QueueService);
   });
 
+  test('should reuse same QueueService instance for class and token providers', () => {
+    QueueModule.forRoot({
+      enableWorker: true,
+      concurrency: 1,
+    });
+
+    const metadata = Reflect.getMetadata(MODULE_METADATA_KEY, QueueModule);
+    expect(metadata).toBeDefined();
+    expect(metadata.providers).toBeDefined();
+
+    const tokenProvider = metadata.providers.find(
+      (provider: any) => provider.provide === QUEUE_SERVICE_TOKEN,
+    );
+    const classProvider = metadata.providers.find(
+      (provider: any) => provider.provide === QueueService,
+    );
+
+    expect(tokenProvider).toBeDefined();
+    expect(classProvider).toBeDefined();
+    expect(tokenProvider.useValue).toBeInstanceOf(QueueService);
+    expect(classProvider.useValue).toBe(tokenProvider.useValue);
+
+    // Regression guard: worker path needs an initialized store.
+    const queueService = tokenProvider.useValue as QueueService & { store?: unknown };
+    expect(queueService.store).toBeDefined();
+  });
+
   test('should use custom store when provided', () => {
     const customStore = new MemoryQueueStore();
     QueueModule.forRoot({

package/tests/validation/validation.test.ts

@@ -37,6 +37,24 @@ describe('Validation Decorators', () => {
     const metadata = [{ index: 0, rules: [IsOptional(), IsString()] }];
     expect(() => validateParameters([undefined], metadata)).not.toThrow();
   });
+
+  test('IsEmail should accept common valid emails', () => {
+    const metadata = [{ index: 0, rules: [IsEmail()] }];
+    expect(() => validateParameters(['test@example.com'], metadata)).not.toThrow();
+    expect(() => validateParameters(['user.name+tag@sub.example.co'], metadata)).not.toThrow();
+  });
+
+  test('IsEmail should reject invalid or risky inputs', () => {
+    const metadata = [{ index: 0, rules: [IsEmail()] }];
+    const tooLongLocal = `${'a'.repeat(65)}@example.com`;
+    const tooLongEmail = `${'a'.repeat(245)}@ex.com`;
+
+    expect(() => validateParameters(['not-email'], metadata)).toThrow(ValidationError);
+    expect(() => validateParameters(['a..b@example.com'], metadata)).toThrow(ValidationError);
+    expect(() => validateParameters(['a@-example.com'], metadata)).toThrow(ValidationError);
+    expect(() => validateParameters([tooLongLocal], metadata)).toThrow(ValidationError);
+    expect(() => validateParameters([tooLongEmail], metadata)).toThrow(ValidationError);
+  });
 });