@nest-omni/core 4.1.3-3 → 4.1.3-31

package/http-client/utils/security-validator.util.d.ts

@@ -0,0 +1,118 @@
+/**
+ * SSRF防护配置
+ */
+export interface SSRFProtectionConfig {
+    /** 是否启用SSRF防护 */
+    enabled: boolean;
+    /** 允许的URL协议 */
+    allowedProtocols: string[];
+    /** 禁止访问的IP段（私有网络、本地回环等） */
+    blockedIPRanges: string[];
+    /** 允许的主机名白名单 */
+    allowedHostnames?: string[];
+    /** 禁止的主机名黑名单 */
+    blockedHostnames?: string[];
+}
+/**
+ * URL验证配置
+ */
+export interface URLValidationConfig {
+    /** 最大URL长度 */
+    maxURLLength: number;
+    /** 是否允许本地回环地址 */
+    allowLoopback: boolean;
+    /** 是否允许私有网络地址 */
+    allowPrivateNetwork: boolean;
+    /** 是否允许Link-local地址 */
+    allowLinkLocal: boolean;
+}
+/**
+ * 安全验证工具类
+ * 提供URL验证、SSRF防护等功能
+ */
+export declare class SecurityValidator {
+    private static readonly logger;
+    /**
+     * 默认SSRF防护配置
+     */
+    private static readonly defaultSSRFConfig;
+    /**
+     * 默认URL验证配置
+     */
+    private static readonly defaultURLConfig;
+    /**
+     * 验证URL安全性
+     * @param url 要验证的URL字符串
+     * @param urlConfig URL验证配置
+     * @returns 验证结果和错误信息
+     */
+    static validateURL(url: string, urlConfig?: Partial<URLValidationConfig>): {
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * SSRF防护检查
+     * @param url 要检查的URL
+     * @param ssrfConfig SSRF防护配置
+     * @returns 检查结果和错误信息
+     */
+    static checkSSRF(url: string, ssrfConfig?: Partial<SSRFProtectionConfig>): {
+        safe: boolean;
+        error?: string;
+    };
+    /**
+     * 清理和验证URL
+     * 综合验证和SSRF防护
+     * @param url 要清理的URL
+     * @param config 完整的安全配置
+     * @returns 清理后的URL和验证结果
+     */
+    static sanitizeURL(url: string, config?: {
+        urlConfig?: Partial<URLValidationConfig>;
+        ssrfConfig?: Partial<SSRFProtectionConfig>;
+    }): {
+        url: string;
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * 敏感数据检测
+     * 检查数据中是否包含敏感信息（如密码、token等）
+     * @param data 要检查的数据对象
+     * @param additionalPatterns 额外的敏感数据模式
+     * @returns 检测结果
+     */
+    static detectSensitiveData(data: any, additionalPatterns?: RegExp[]): {
+        hasSensitiveData: boolean;
+        fields: string[];
+    };
+    /**
+     * 获取默认SSRF防护配置
+     */
+    static getDefaultSSRFConfig(): SSRFProtectionConfig;
+    /**
+     * 获取默认URL验证配置
+     */
+    static getDefaultURLConfig(): URLValidationConfig;
+    /**
+     * 从主机名中提取IP地址
+     */
+    private static extractIPAddress;
+    /**
+     * 验证IP地址
+     */
+    private static validateIPAddress;
+    /**
+     * 检查IP地址是否在阻止的范围内
+     */
+    private static checkIPRange;
+    /**
+     * 检查IP地址是否在指定范围内
+     * 简化版本，主要用于常见CIDR范围
+     */
+    private static isIPInRange;
+    /**
+     * 验证主机名格式
+     */
+    private static isValidHostname;
+}

package/http-client/utils/security-validator.util.js

@@ -0,0 +1,354 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityValidator = void 0;
+const common_1 = require("@nestjs/common");
+/**
+ * 安全验证工具类
+ * 提供URL验证、SSRF防护等功能
+ */
+class SecurityValidator {
+    /**
+     * 验证URL安全性
+     * @param url 要验证的URL字符串
+     * @param urlConfig URL验证配置
+     * @returns 验证结果和错误信息
+     */
+    static validateURL(url, urlConfig = {}) {
+        const config = Object.assign(Object.assign({}, this.defaultURLConfig), urlConfig);
+        // 检查URL长度
+        if (url.length > config.maxURLLength) {
+            return {
+                valid: false,
+                error: `URL length exceeds maximum allowed length of ${config.maxURLLength}`,
+            };
+        }
+        let parsedURL;
+        try {
+            parsedURL = new URL(url);
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: `Invalid URL format: ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+        // 检查协议
+        if (!['http:', 'https:', 'ws:', 'wss:'].includes(parsedURL.protocol)) {
+            return {
+                valid: false,
+                error: `Unsupported protocol: ${parsedURL.protocol}`,
+            };
+        }
+        // 检查主机名
+        if (!parsedURL.hostname) {
+            return {
+                valid: false,
+                error: 'Hostname is required',
+            };
+        }
+        // 检查是否为IP地址
+        const ipAddress = this.extractIPAddress(parsedURL.hostname);
+        if (ipAddress) {
+            return this.validateIPAddress(ipAddress, config);
+        }
+        // 检查主机名格式
+        if (!this.isValidHostname(parsedURL.hostname)) {
+            return {
+                valid: false,
+                error: `Invalid hostname format: ${parsedURL.hostname}`,
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * SSRF防护检查
+     * @param url 要检查的URL
+     * @param ssrfConfig SSRF防护配置
+     * @returns 检查结果和错误信息
+     */
+    static checkSSRF(url, ssrfConfig = {}) {
+        const config = Object.assign(Object.assign({}, this.defaultSSRFConfig), ssrfConfig);
+        if (!config.enabled) {
+            return { safe: true };
+        }
+        let parsedURL;
+        try {
+            parsedURL = new URL(url);
+        }
+        catch (error) {
+            return {
+                safe: false,
+                error: `Invalid URL format: ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+        // 检查协议
+        if (!config.allowedProtocols.includes(parsedURL.protocol)) {
+            return {
+                safe: false,
+                error: `Protocol not allowed: ${parsedURL.protocol}`,
+            };
+        }
+        // 检查黑名单主机名
+        if (config.blockedHostnames) {
+            if (config.blockedHostnames.includes(parsedURL.hostname)) {
+                return {
+                    safe: false,
+                    error: `Hostname is blocked: ${parsedURL.hostname}`,
+                };
+            }
+        }
+        // 检查白名单主机名（如果配置了）
+        if (config.allowedHostnames && config.allowedHostnames.length > 0) {
+            if (!config.allowedHostnames.includes(parsedURL.hostname)) {
+                return {
+                    safe: false,
+                    error: `Hostname not in whitelist: ${parsedURL.hostname}`,
+                };
+            }
+        }
+        // 检查IP地址范围
+        const ipAddress = this.extractIPAddress(parsedURL.hostname);
+        if (ipAddress) {
+            const ipCheck = this.checkIPRange(ipAddress, config.blockedIPRanges);
+            if (!ipCheck.allowed) {
+                return {
+                    safe: false,
+                    error: `IP address is blocked: ${ipAddress} (${ipCheck.reason})`,
+                };
+            }
+        }
+        return { safe: true };
+    }
+    /**
+     * 清理和验证URL
+     * 综合验证和SSRF防护
+     * @param url 要清理的URL
+     * @param config 完整的安全配置
+     * @returns 清理后的URL和验证结果
+     */
+    static sanitizeURL(url, config = {}) {
+        // 去除首尾空格
+        let sanitizedURL = url.trim();
+        // 移除可能的换行符和控制字符
+        sanitizedURL = sanitizedURL.replace(/[\r\n\t]/g, '');
+        // 验证URL格式
+        const validationResult = this.validateURL(sanitizedURL, config.urlConfig);
+        if (!validationResult.valid) {
+            return { url: sanitizedURL, valid: false, error: validationResult.error };
+        }
+        // SSRF防护检查
+        const ssrfResult = this.checkSSRF(sanitizedURL, config.ssrfConfig);
+        if (!ssrfResult.safe) {
+            return { url: sanitizedURL, valid: false, error: ssrfResult.error };
+        }
+        return { url: sanitizedURL, valid: true };
+    }
+    /**
+     * 敏感数据检测
+     * 检查数据中是否包含敏感信息（如密码、token等）
+     * @param data 要检查的数据对象
+     * @param additionalPatterns 额外的敏感数据模式
+     * @returns 检测结果
+     */
+    static detectSensitiveData(data, additionalPatterns = []) {
+        const sensitiveFields = [];
+        // 默认敏感字段名模式
+        const defaultPatterns = [
+            /password/i,
+            /secret/i,
+            /token/i,
+            /api[_-]?key/i,
+            /authorization/i,
+            /credential/i,
+            /private[_-]?key/i,
+            /access[_-]?token/i,
+            /refresh[_-]?token/i,
+            /session[_-]?id/i,
+            /csrf/i,
+            /ssn/i,
+            /credit[_-]?card/i,
+        ];
+        const allPatterns = [...defaultPatterns, ...additionalPatterns];
+        const checkObject = (obj, path = '') => {
+            if (!obj || typeof obj !== 'object') {
+                return;
+            }
+            for (const key in obj) {
+                if (!obj.hasOwnProperty(key)) {
+                    continue;
+                }
+                const currentPath = path ? `${path}.${key}` : key;
+                // 检查键名是否匹配敏感模式
+                if (allPatterns.some((pattern) => pattern.test(key))) {
+                    sensitiveFields.push(currentPath);
+                }
+                // 递归检查嵌套对象
+                if (typeof obj[key] === 'object' && obj[key] !== null) {
+                    checkObject(obj[key], currentPath);
+                }
+            }
+        };
+        checkObject(data);
+        return {
+            hasSensitiveData: sensitiveFields.length > 0,
+            fields: sensitiveFields,
+        };
+    }
+    /**
+     * 获取默认SSRF防护配置
+     */
+    static getDefaultSSRFConfig() {
+        return Object.assign({}, this.defaultSSRFConfig);
+    }
+    /**
+     * 获取默认URL验证配置
+     */
+    static getDefaultURLConfig() {
+        return Object.assign({}, this.defaultURLConfig);
+    }
+    /**
+     * 从主机名中提取IP地址
+     */
+    static extractIPAddress(hostname) {
+        // IPv4地址
+        const ipv4Regex = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = hostname.match(ipv4Regex);
+        if (ipv4Match) {
+            return hostname;
+        }
+        // IPv6地址（简化版）
+        if (hostname.includes(':') && !hostname.includes('.')) {
+            return hostname;
+        }
+        return null;
+    }
+    /**
+     * 验证IP地址
+     */
+    static validateIPAddress(ipAddress, config) {
+        // 检查是否为本地回环地址
+        if (!config.allowLoopback) {
+            if (ipAddress === '127.0.0.1' ||
+                ipAddress === '::1' ||
+                ipAddress.startsWith('127.')) {
+                return {
+                    valid: false,
+                    error: 'Loopback addresses are not allowed',
+                };
+            }
+        }
+        // 检查是否为私有网络地址
+        if (!config.allowPrivateNetwork) {
+            if (ipAddress.startsWith('10.') ||
+                ipAddress.startsWith('172.16.') ||
+                ipAddress.startsWith('192.168.') ||
+                ipAddress.startsWith('fc00:') ||
+                ipAddress.startsWith('fd')) {
+                return {
+                    valid: false,
+                    error: 'Private network addresses are not allowed',
+                };
+            }
+        }
+        // 检查是否为Link-local地址
+        if (!config.allowLinkLocal) {
+            if (ipAddress.startsWith('169.254.') || ipAddress.startsWith('fe80:')) {
+                return {
+                    valid: false,
+                    error: 'Link-local addresses are not allowed',
+                };
+            }
+        }
+        return { valid: true };
+    }
+    /**
+     * 检查IP地址是否在阻止的范围内
+     */
+    static checkIPRange(ipAddress, blockedRanges) {
+        for (const range of blockedRanges) {
+            if (this.isIPInRange(ipAddress, range)) {
+                return {
+                    allowed: false,
+                    reason: `IP address is in blocked range: ${range}`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * 检查IP地址是否在指定范围内
+     * 简化版本，主要用于常见CIDR范围
+     */
+    static isIPInRange(ipAddress, cidrRange) {
+        // 处理IPv4 CIDR
+        const [range, prefixStr] = cidrRange.split('/');
+        const prefix = parseInt(prefixStr, 10);
+        // 精确匹配
+        if (ipAddress === range) {
+            return true;
+        }
+        // 简化的CIDR匹配（仅支持常见范围）
+        if (cidrRange.includes('/')) {
+            // IPv4范围检查
+            if (range.includes('.') && ipAddress.includes('.')) {
+                const rangeParts = range.split('.').map(Number);
+                const ipParts = ipAddress.split('.').map(Number);
+                if (prefix === 8) {
+                    return ipParts[0] === rangeParts[0];
+                }
+                else if (prefix === 16) {
+                    return ipParts[0] === rangeParts[0] && ipParts[1] === rangeParts[1];
+                }
+                else if (prefix === 24) {
+                    return (ipParts[0] === rangeParts[0] &&
+                        ipParts[1] === rangeParts[1] &&
+                        ipParts[2] === rangeParts[2]);
+                }
+            }
+        }
+        return false;
+    }
+    /**
+     * 验证主机名格式
+     */
+    static isValidHostname(hostname) {
+        // RFC 1123主机名规范
+        const hostnameRegex = /^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$/;
+        return hostnameRegex.test(hostname);
+    }
+}
+exports.SecurityValidator = SecurityValidator;
+SecurityValidator.logger = new common_1.Logger(SecurityValidator.name);
+/**
+ * 默认SSRF防护配置
+ */
+SecurityValidator.defaultSSRFConfig = {
+    enabled: true,
+    allowedProtocols: ['http:', 'https:'],
+    blockedIPRanges: [
+        '127.0.0.0/8', // Loopback
+        '10.0.0.0/8', // Private Class A
+        '172.16.0.0/12', // Private Class B
+        '192.168.0.0/16', // Private Class C
+        '169.254.0.0/16', // Link-local
+        '::1/128', // IPv6 loopback
+        'fc00::/7', // IPv6 private
+        'fe80::/10', // IPv6 link-local
+        '0.0.0.0/8', // Current network
+    ],
+    allowedHostnames: undefined,
+    blockedHostnames: [
+        'localhost',
+        'metadata.google.internal', // GCP metadata
+        '169.254.169.254', // AWS/GCP/Azure metadata
+    ],
+};
+/**
+ * 默认URL验证配置
+ */
+SecurityValidator.defaultURLConfig = {
+    maxURLLength: 2000,
+    allowLoopback: false,
+    allowPrivateNetwork: false,
+    allowLinkLocal: false,
+};

package/index.d.ts

@@ -1,3 +1,4 @@
+export * from './common';
 export * from './constants';
 export * from './decorators';
 export * from './exceptions';
@@ -7,7 +8,6 @@ export * from './interceptors';
 export * from './shared';
 export * from './middlewares';
 export * from './validators';
-export * from './common';
 export * from './validator-json';
 export * from './helpers';
 export * from './providers';
@@ -18,3 +18,6 @@ export * from './vault';
 export * from './setup';
 export * from './health-checker';
 export * from './audit';
+export * from './file-upload';
+export * from './email-log';
+export * from '@nest-omni/transaction';

package/index.js

@@ -15,6 +15,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 // Core modules
+__exportStar(require("./common"), exports);
 __exportStar(require("./constants"), exports);
 __exportStar(require("./decorators"), exports);
 __exportStar(require("./exceptions"), exports);
@@ -24,7 +25,6 @@ __exportStar(require("./interceptors"), exports);
 __exportStar(require("./shared"), exports);
 __exportStar(require("./middlewares"), exports);
 __exportStar(require("./validators"), exports);
-__exportStar(require("./common"), exports);
 __exportStar(require("./validator-json"), exports);
 __exportStar(require("./helpers"), exports);
 __exportStar(require("./providers"), exports);
@@ -42,3 +42,8 @@ __exportStar(require("./setup"), exports);
 __exportStar(require("./health-checker"), exports);
 // Audit module
 __exportStar(require("./audit"), exports);
+// File upload module
+__exportStar(require("./file-upload"), exports);
+// Email log module
+__exportStar(require("./email-log"), exports);
+__exportStar(require("@nest-omni/transaction"), exports);

package/interceptors/translation-interceptor.service.d.ts

@@ -1,5 +1,12 @@
 import type { CallHandler, ExecutionContext, NestInterceptor } from '@nestjs/common';
 import type { Observable } from 'rxjs';
+import { TranslationService } from '../shared/services/translation.service';
+/**
+ * 翻译拦截器
+ * 自动翻译响应数据中标记为需要翻译的字段
+ */
 export declare class TranslationInterceptor implements NestInterceptor {
+    private readonly translationService?;
+    constructor(translationService?: TranslationService);
     intercept(context: ExecutionContext, next: CallHandler): Observable<any>;
 }

package/interceptors/translation-interceptor.service.js

@@ -5,35 +5,67 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TranslationInterceptor = void 0;
 const common_1 = require("@nestjs/common");
 const operators_1 = require("rxjs/operators");
-// import { TranslationService } from '../shared/services/translation.service';
-// FIXME: add implementation
+const translation_service_1 = require("../shared/services/translation.service");
+/**
+ * 翻译拦截器
+ * 自动翻译响应数据中标记为需要翻译的字段
+ */
 let TranslationInterceptor = class TranslationInterceptor {
-    // constructor(private readonly translationService: TranslationService) {}
+    constructor(translationService) {
+        this.translationService = translationService;
+    }
     intercept(context, next) {
         const ctx = context.switchToHttp();
         const req = ctx.getRequest();
         const res = ctx.getResponse();
-        return next.handle().pipe((0, operators_1.map)((data) => {
-            // const newData = this.translationService.translateNecessaryKeys(data);
+        return next.handle().pipe((0, operators_1.map)((data) => __awaiter(this, void 0, void 0, function* () {
+            // 如果 TranslationService 可用，翻译响应数据
+            let translatedData = data;
+            if (this.translationService) {
+                try {
+                    translatedData = yield this.translationService.translateNecessaryKeys(data);
+                }
+                catch (error) {
+                    // 翻译失败时返回原始数据，不中断请求
+                    translatedData = data;
+                }
+            }
             // status 201 => 200
             if (res.statusCode === common_1.HttpStatus.CREATED) {
                 res.status(common_1.HttpStatus.OK);
             }
             return {
                 code: 200,
-                data,
+                data: translatedData,
                 msg: 'success',
                 requestId: req.id,
                 timestamp: new Date().toISOString(),
             };
-        }));
+        })));
     }
 };
 exports.TranslationInterceptor = TranslationInterceptor;
 exports.TranslationInterceptor = TranslationInterceptor = __decorate([
-    (0, common_1.Injectable)()
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Optional)()),
+    __metadata("design:paramtypes", [translation_service_1.TranslationService])
 ], TranslationInterceptor);

package/ip-filter/constants.d.ts

@@ -0,0 +1,21 @@
+/**
+ * IP过滤元数据键名
+ * 用于在路由元数据中存储IP过滤配置
+ */
+export declare const IP_FILTER_KEY = "ip_filter";
+/**
+ * IP过滤选项依赖注入键名
+ */
+export declare const IP_FILTER_OPTIONS = "IP_FILTER_OPTIONS";
+/**
+ * 默认错误消息
+ */
+export declare const DEFAULT_ERROR_MESSAGE = "Access denied: Your IP address is not authorized";
+/**
+ * 默认HTTP状态码
+ */
+export declare const DEFAULT_ERROR_STATUS_CODE = 403;
+/**
+ * 默认优先级
+ */
+export declare const DEFAULT_PRIORITY = 50;

package/ip-filter/constants.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_PRIORITY = exports.DEFAULT_ERROR_STATUS_CODE = exports.DEFAULT_ERROR_MESSAGE = exports.IP_FILTER_OPTIONS = exports.IP_FILTER_KEY = void 0;
+/**
+ * IP过滤元数据键名
+ * 用于在路由元数据中存储IP过滤配置
+ */
+exports.IP_FILTER_KEY = 'ip_filter';
+/**
+ * IP过滤选项依赖注入键名
+ */
+exports.IP_FILTER_OPTIONS = 'IP_FILTER_OPTIONS';
+/**
+ * 默认错误消息
+ */
+exports.DEFAULT_ERROR_MESSAGE = 'Access denied: Your IP address is not authorized';
+/**
+ * 默认HTTP状态码
+ */
+exports.DEFAULT_ERROR_STATUS_CODE = 403;
+/**
+ * 默认优先级
+ */
+exports.DEFAULT_PRIORITY = 50;

package/ip-filter/decorators/index.d.ts

@@ -0,0 +1 @@
+export * from './ip-filter.decorator';

package/ip-filter/decorators/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./ip-filter.decorator"), exports);