@winspan/claude-forge 1.19.0 → 1.21.0

package/dist/web/utils/errors.js

@@ -0,0 +1,56 @@
+import { logger } from '../../utils/logger.js';
+/**
+ * 统一的错误处理工具
+ * 避免敏感信息泄露，提供一致的错误响应格式
+ */
+/** 应用层错误基类 */
+export class AppError extends Error {
+    statusCode;
+    isOperational;
+    constructor(message, statusCode = 500, isOperational = true) {
+        super(message);
+        this.statusCode = statusCode;
+        this.isOperational = isOperational;
+        this.name = 'AppError';
+        Object.setPrototypeOf(this, AppError.prototype);
+    }
+}
+/** 输入验证错误（400） */
+export class ValidationError extends AppError {
+    constructor(message) {
+        super(message, 400);
+        this.name = 'ValidationError';
+    }
+}
+/** 资源未找到错误（404） */
+export class NotFoundError extends AppError {
+    constructor(message) {
+        super(message, 404);
+        this.name = 'NotFoundError';
+    }
+}
+/** 路径安全错误（403） */
+export class PathSecurityError extends AppError {
+    constructor(message) {
+        super(message, 403);
+        this.name = 'PathSecurityError';
+    }
+}
+/**
+ * 统一的错误处理函数
+ * @param err 捕获的错误
+ * @param res Express 响应对象
+ * @param context 错误上下文（用于日志）
+ */
+export function handleError(err, res, context = 'unknown') {
+    // 记录详细错误到日志（内部可见）
+    logger.error(`[${context}] 错误：${err instanceof Error ? err.stack : String(err)}`);
+    if (err instanceof AppError) {
+        // 应用层错误：返回用户友好的消息
+        res.status(err.statusCode).json({ error: err.message });
+        return;
+    }
+    // 未知错误：不暴露详细信息
+    res.status(500).json({ error: '服务器内部错误，请稍后重试' });
+}
+//# sourceMappingURL=errors.js.map

package/dist/web/utils/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/web/utils/errors.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C;;;GAGG;AAEH,cAAc;AACd,MAAM,OAAO,QAAS,SAAQ,KAAK;IAGf;IACA;IAHlB,YACE,OAAe,EACC,aAAqB,GAAG,EACxB,gBAAyB,IAAI;QAE7C,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,eAAU,GAAV,UAAU,CAAc;QACxB,kBAAa,GAAb,aAAa,CAAgB;QAG7C,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;QACvB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC;CACF;AAED,kBAAkB;AAClB,MAAM,OAAO,eAAgB,SAAQ,QAAQ;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,mBAAmB;AACnB,MAAM,OAAO,aAAc,SAAQ,QAAQ;IACzC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED,kBAAkB;AAClB,MAAM,OAAO,iBAAkB,SAAQ,QAAQ;IAC7C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,GAAa,EAAE,OAAO,GAAG,SAAS;IAC1E,kBAAkB;IAClB,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,QAAQ,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAElF,IAAI,GAAG,YAAY,QAAQ,EAAE,CAAC;QAC5B,kBAAkB;QAClB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,eAAe;IACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;AACnD,CAAC"}

package/dist/web/utils/path-validation.d.ts

@@ -0,0 +1,20 @@
+/**
+ * 统一的路径验证工具
+ * 用于防止路径遍历攻击
+ */
+/**
+ * 验证项目路径
+ * @param encodedPath URL 编码的路径
+ * @returns 验证后的绝对路径
+ * @throws Error 如果路径不合法
+ */
+export declare function validateProjectPath(encodedPath: string): string;
+/**
+ * 验证文件路径（在项目路径下）
+ * @param projectPath 已验证的项目路径
+ * @param relativePath 相对路径
+ * @returns 验证后的绝对路径
+ * @throws Error 如果路径不合法
+ */
+export declare function validateFilePath(projectPath: string, relativePath: string): string;
+//# sourceMappingURL=path-validation.d.ts.map

package/dist/web/utils/path-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-validation.d.ts","sourceRoot":"","sources":["../../../src/web/utils/path-validation.ts"],"names":[],"mappings":"AAGA;;;GAGG;AAEH;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAwB/D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAkBlF"}

package/dist/web/utils/path-validation.js

@@ -0,0 +1,55 @@
+import path from 'path';
+import os from 'os';
+/**
+ * 统一的路径验证工具
+ * 用于防止路径遍历攻击
+ */
+/**
+ * 验证项目路径
+ * @param encodedPath URL 编码的路径
+ * @returns 验证后的绝对路径
+ * @throws Error 如果路径不合法
+ */
+export function validateProjectPath(encodedPath) {
+    const projectPath = decodeURIComponent(encodedPath);
+    // 必须是绝对路径
+    if (!path.isAbsolute(projectPath)) {
+        throw new Error('项目路径必须是绝对路径');
+    }
+    // 规范化路径，防止 ../ 遍历
+    const normalized = path.normalize(projectPath);
+    const resolved = path.resolve(projectPath);
+    // 检查是否包含路径遍历
+    if (normalized !== projectPath || resolved !== normalized) {
+        throw new Error('路径包含非法字符');
+    }
+    // 可选：限制在用户主目录下（个人自用场景的安全边界）
+    const homeDir = os.homedir();
+    if (!resolved.startsWith(homeDir)) {
+        throw new Error('路径必须在用户主目录下');
+    }
+    return resolved;
+}
+/**
+ * 验证文件路径（在项目路径下）
+ * @param projectPath 已验证的项目路径
+ * @param relativePath 相对路径
+ * @returns 验证后的绝对路径
+ * @throws Error 如果路径不合法
+ */
+export function validateFilePath(projectPath, relativePath) {
+    // 规范化相对路径
+    const normalized = path.normalize(relativePath);
+    // 不允许包含 ../
+    if (normalized.includes('..')) {
+        throw new Error('文件路径不能包含 ../');
+    }
+    // 拼接完整路径
+    const fullPath = path.join(projectPath, normalized);
+    // 确保在项目路径下
+    if (!fullPath.startsWith(projectPath)) {
+        throw new Error('文件路径必须在项目目录下');
+    }
+    return fullPath;
+}
+//# sourceMappingURL=path-validation.js.map

package/dist/web/utils/path-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-validation.js","sourceRoot":"","sources":["../../../src/web/utils/path-validation.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AAEpB;;;GAGG;AAEH;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAAmB;IACrD,MAAM,WAAW,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAEpD,UAAU;IACV,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,kBAAkB;IAClB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE3C,aAAa;IACb,IAAI,UAAU,KAAK,WAAW,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;IAED,4BAA4B;IAC5B,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC7B,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAmB,EAAE,YAAoB;IACxE,UAAU;IACV,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IAEhD,YAAY;IACZ,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;IAClC,CAAC;IAED,SAAS;IACT,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAEpD,WAAW;IACX,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/web/utils/validation.d.ts

@@ -0,0 +1,59 @@
+/**
+ * 统一的输入验证工具
+ * 用于验证 API 请求参数，防止注入攻击和数据异常
+ */
+/**
+ * 验证 limit 参数
+ * @param value 用户输入的值
+ * @param min 最小值（默认 1）
+ * @param max 最大值（默认 1000）
+ * @param defaultValue 默认值（默认 100）
+ * @returns 验证后的数值
+ */
+export declare function validateLimit(value: unknown, min?: number, max?: number, defaultValue?: number): number;
+/**
+ * 验证正整数
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @returns 验证后的数值
+ * @throws Error 如果不是正整数
+ */
+export declare function validatePositiveInt(value: unknown, fieldName: string): number;
+/**
+ * 验证非负整数
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @returns 验证后的数值
+ * @throws Error 如果不是非负整数
+ */
+export declare function validateNonNegativeInt(value: unknown, fieldName: string): number;
+/**
+ * 验证字符串长度
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @param minLength 最小长度（默认 1）
+ * @param maxLength 最大长度（默认 1000）
+ * @returns 验证后的字符串
+ * @throws Error 如果长度不符合要求
+ */
+export declare function validateStringLength(value: unknown, fieldName: string, minLength?: number, maxLength?: number): string;
+/**
+ * 验证枚举值
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @param allowedValues 允许的值列表
+ * @returns 验证后的值
+ * @throws Error 如果不在允许的值列表中
+ */
+export declare function validateEnum<T extends string>(value: unknown, fieldName: string, allowedValues: readonly T[]): T;
+/**
+ * 验证数组
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @param maxLength 最大长度（默认 100）
+ * @param minLength 最小长度（默认 0）
+ * @returns 验证后的数组
+ * @throws Error 如果不是数组或长度超限
+ */
+export declare function validateArray<T>(value: unknown, fieldName: string, maxLength?: number, minLength?: number): T[];
+//# sourceMappingURL=validation.d.ts.map

package/dist/web/utils/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../../src/web/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAC3B,KAAK,EAAE,OAAO,EACd,GAAG,SAAI,EACP,GAAG,SAAO,EACV,YAAY,SAAM,GACjB,MAAM,CAMR;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAM7E;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAMhF;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,OAAO,EACd,SAAS,EAAE,MAAM,EACjB,SAAS,SAAI,EACb,SAAS,SAAO,GACf,MAAM,CAQR;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,CAAC,SAAS,MAAM,EAC3C,KAAK,EAAE,OAAO,EACd,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,SAAS,CAAC,EAAE,GAC1B,CAAC,CAKH;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAC7B,KAAK,EAAE,OAAO,EACd,SAAS,EAAE,MAAM,EACjB,SAAS,SAAM,EACf,SAAS,SAAI,GACZ,CAAC,EAAE,CAWL"}

package/dist/web/utils/validation.js

@@ -0,0 +1,101 @@
+/**
+ * 统一的输入验证工具
+ * 用于验证 API 请求参数，防止注入攻击和数据异常
+ */
+/**
+ * 验证 limit 参数
+ * @param value 用户输入的值
+ * @param min 最小值（默认 1）
+ * @param max 最大值（默认 1000）
+ * @param defaultValue 默认值（默认 100）
+ * @returns 验证后的数值
+ */
+export function validateLimit(value, min = 1, max = 1000, defaultValue = 100) {
+    const num = Number(value);
+    if (!Number.isFinite(num) || num < min || num > max) {
+        return defaultValue;
+    }
+    return Math.floor(num);
+}
+/**
+ * 验证正整数
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @returns 验证后的数值
+ * @throws Error 如果不是正整数
+ */
+export function validatePositiveInt(value, fieldName) {
+    const num = Number(value);
+    if (!Number.isInteger(num) || num <= 0) {
+        throw new Error(`${fieldName} 必须是正整数`);
+    }
+    return num;
+}
+/**
+ * 验证非负整数
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @returns 验证后的数值
+ * @throws Error 如果不是非负整数
+ */
+export function validateNonNegativeInt(value, fieldName) {
+    const num = Number(value);
+    if (!Number.isInteger(num) || num < 0) {
+        throw new Error(`${fieldName} 必须是非负整数`);
+    }
+    return num;
+}
+/**
+ * 验证字符串长度
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @param minLength 最小长度（默认 1）
+ * @param maxLength 最大长度（默认 1000）
+ * @returns 验证后的字符串
+ * @throws Error 如果长度不符合要求
+ */
+export function validateStringLength(value, fieldName, minLength = 1, maxLength = 1000) {
+    if (typeof value !== 'string') {
+        throw new Error(`${fieldName} 必须是字符串`);
+    }
+    if (value.length < minLength || value.length > maxLength) {
+        throw new Error(`${fieldName} 长度必须在 ${minLength}-${maxLength} 之间`);
+    }
+    return value;
+}
+/**
+ * 验证枚举值
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @param allowedValues 允许的值列表
+ * @returns 验证后的值
+ * @throws Error 如果不在允许的值列表中
+ */
+export function validateEnum(value, fieldName, allowedValues) {
+    if (typeof value !== 'string' || !allowedValues.includes(value)) {
+        throw new Error(`${fieldName} 必须是以下值之一: ${allowedValues.join(', ')}`);
+    }
+    return value;
+}
+/**
+ * 验证数组
+ * @param value 用户输入的值
+ * @param fieldName 字段名（用于错误提示）
+ * @param maxLength 最大长度（默认 100）
+ * @param minLength 最小长度（默认 0）
+ * @returns 验证后的数组
+ * @throws Error 如果不是数组或长度超限
+ */
+export function validateArray(value, fieldName, maxLength = 100, minLength = 0) {
+    if (!Array.isArray(value)) {
+        throw new Error(`${fieldName} 必须是数组`);
+    }
+    if (value.length < minLength) {
+        throw new Error(`${fieldName} 长度不能少于 ${minLength}`);
+    }
+    if (value.length > maxLength) {
+        throw new Error(`${fieldName} 长度不能超过 ${maxLength}`);
+    }
+    return value;
+}
+//# sourceMappingURL=validation.js.map

package/dist/web/utils/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../../src/web/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAc,EACd,GAAG,GAAG,CAAC,EACP,GAAG,GAAG,IAAI,EACV,YAAY,GAAG,GAAG;IAElB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;QACpD,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAc,EAAE,SAAiB;IACnE,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,SAAS,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAc,EAAE,SAAiB;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAc,EACd,SAAiB,EACjB,SAAS,GAAG,CAAC,EACb,SAAS,GAAG,IAAI;IAEhB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,SAAS,CAAC,CAAC;IACzC,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,UAAU,SAAS,IAAI,SAAS,KAAK,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAc,EACd,SAAiB,EACjB,aAA2B;IAE3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAU,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,cAAc,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,KAAU,CAAC;AACpB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAc,EACd,SAAiB,EACjB,SAAS,GAAG,GAAG,EACf,SAAS,GAAG,CAAC;IAEb,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,QAAQ,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,WAAW,SAAS,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,WAAW,SAAS,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,KAAY,CAAC;AACtB,CAAC"}