chanjs 2.0.3 → 2.0.5

package/middleware/waf.js

@@ -0,0 +1,197 @@
+import url from "url";
+import {getIp} from "../helper/ip.js";
+
+// 原始关键词列表（保持不变）
+const keywords = [
+  ".aspx",
+  ".php",
+  ".pl",
+  ".jsa",
+  ".jsp",
+  ".asp",
+  ".go",
+  ".jhtml",
+  ".shtml",
+  ".cfm",
+  ".cgi",
+  ".svn",
+  ".env",
+  ".keys",
+  ".cache",
+  ".hidden",
+  ".bod",
+  ".ll",
+  ".backup",
+  ".json",
+  ".xml",
+  ".bak",
+  ".aws",
+  ".database",
+  ".cookie",
+  ".location",
+  ".dump",
+  ".ftp",
+  ".idea",
+  ".s3",
+  ".sh",
+  ".old",
+  ".tf",
+  ".sql",
+  ".vscode",
+  ".docker",
+  ".map",
+  "1+1",
+  ".save",
+  ".gz",
+  ".yml",
+  ".tar",
+  ".rar",
+  ".7z",
+  ".zip",
+  ".git",
+  ".log",
+  ".local",
+  "../",
+  "db_",
+  "smtp",
+  "meta",
+  "debug",
+  "secret",
+  "/xampp/",
+  "/metadata/",
+  "/internal/",
+  "/aws/",
+  "/debug/",
+  "/configs/",
+  "/cgi-bin/",
+  "/tmp/",
+  "/staging/",
+  "/mail/",
+  "/docker/",
+  "/.secure/",
+  "/php-cgi/",
+  "/wp-",
+  "/backup/",
+  "password",
+  "redirect",
+  "/phpMyAdmin/",
+  "/setup/",
+  "concat(",
+  "version(",
+  "sleep(",
+  "benchmark(",
+  "0x7e",
+  "extractvalue(",
+  "(select",
+  "a%",
+  "union",
+  "drop",
+  "update",
+  "insert",
+  "delete",
+  "alter",
+  "truncate",
+  "create",
+  "exec",
+];
+
+// 预处理：合并字符串关键词和正则关键词为两个单一正则（核心优化）
+const { combinedStrRegex, combinedRegRegex } = (() => {
+  const regexSpecialChars = /[.*+?^${}()|[\]\\]/g;
+  const strKwParts = []; // 存储无特殊字符的关键词（用于合并正则）
+  const regKwParts = []; // 存储转义后的正则关键词（用于合并正则）
+
+  keywords.forEach((keyword) => {
+    if (regexSpecialChars.test(keyword)) {
+      // 含正则特殊字符：转义后加入正则关键词部分
+      const escaped = keyword.replace(regexSpecialChars, "\\$&");
+      regKwParts.push(escaped);
+    } else {
+      // 无特殊字符：直接加入字符串关键词部分
+      strKwParts.push(keyword);
+    }
+  });
+
+  // 构建合并后的正则（空数组时返回匹配失败的正则，避免报错）
+  const buildCombinedRegex = (parts) => {
+    return parts.length
+      ? new RegExp(`(?:${parts.join("|")})`, "i") // 非捕获组+不区分大小写
+      : new RegExp("^$"); // 匹配空字符串（永远不命中）
+  };
+
+  return {
+    combinedStrRegex: buildCombinedRegex(strKwParts),
+    combinedRegRegex: buildCombinedRegex(regKwParts),
+  };
+})();
+
+const safe = (req, res, next) => {
+    try {
+      // 1. 设置安全头（保持不变）
+      res.setHeader("X-Frame-Options", "SAMEORIGIN");
+      res.setHeader("X-Content-Type-Options", "nosniff");
+      res.setHeader("Referrer-Policy", "no-referrer-when-downgrade");
+      res.removeHeader("Server");
+
+      // 2. 构建检查文本：req.path（仅路径）+ query（非空才加）（优化冗余）
+      let checkText = req.path || "";
+      if (req.query && Object.keys(req.query).length > 0) {
+         const queryStr = Object.entries(req.query)
+          .map(([k, v]) => `${k}=${v}`)
+          .join(' ');
+        checkText += ` ${queryStr}`;
+      }
+
+      // 3. 处理请求体（优化序列化逻辑）
+      let bodyText = "";
+      const contentType = req.headers["content-type"] || "";
+      const isMultipart = contentType.includes("multipart/form-data");
+
+      if (!isMultipart && req.body) {
+        try {
+          // 若已是字符串直接用，否则序列化（避免重复序列化）
+          const bodyStr =
+            typeof req.body === "string" ? req.body : JSON.stringify(req.body);
+
+          // 限制大小（保持原逻辑，避免大文本开销）
+          if (bodyStr.length < 10000) {
+            bodyText = ` ${bodyStr}`;
+          }
+        } catch (e) {
+          // 忽略序列化错误
+        }
+      }
+
+      // 合并完整文本（无需 toLowerCase）
+      const fullText = checkText + bodyText;
+
+      // 4. 高效匹配：两次正则 test 替代 N 次循环（核心优化）
+      let foundMatch = false;
+      // 先检查字符串关键词合并正则（更快，因为无复杂正则逻辑）
+      if (combinedStrRegex.test(fullText)) {
+        foundMatch = true;
+      }
+      // 再检查正则关键词合并正则（仅当字符串匹配未命中时）
+      else if (combinedRegRegex.test(fullText)) {
+        foundMatch = true;
+      }
+
+      if (foundMatch) {
+        console.error("[安全拦截] 疑似恶意请求:", {
+          url: req.url,
+          ip: getIp(req),
+          userAgent: req.get("User-Agent") || "",
+        });
+        return res.status(403).send("请求被安全策略拦截");
+      }
+
+      next();
+    } catch (error) {
+      console.error("[安全中间件异常]", error);
+      res.status(500).send("服务器内部错误");
+    }
+  };
+
+export const waf = (app) => {
+  app.use(safe);
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "chanjs",
-  "version": "2.0.3",
+  "version": "2.0.5",
   "description": "chanjs基于express5 纯js研发的轻量级mvc框架。",
   "main": "index.js",
   "module": "index.js",

package/utils/dataparse.js

@@ -0,0 +1,24 @@
+/**
+ * 将数组转换为键值对对象
+ * @param {Array} arr - 包含键值对的数组
+ * @param {string} keyField - 作为键的字段名
+ * @param {string} valueField - 作为值的字段名
+ * @returns {Object} 转换后的对象
+ */
+export const arrToObj = (arr, keyField = 'config_key', valueField = 'config_value') => {
+    // 输入验证
+    if (!Array.isArray(arr)) {
+      throw new Error('arrToObj 期望接收数组作为第一个参数');
+    }
+    
+    return arr.reduce((result, item) => {
+      if (item && typeof item === 'object') {
+        const key = item[keyField];
+        const value = item[valueField];
+        if (key !== undefined && value !== undefined) {
+          result[key] = value;
+        }
+      }
+      return result;
+    }, {});
+  };

package/utils/db.js

@@ -1,77 +1,75 @@
-import knex from 'knex';
-
-
-export const db = function({
-  client='mysql2',
-  host='127.0.0.1',
-  user='root',
-  password='123456',
-  database='test',
-  debug=true,
-  charset='utf8mb4',
-  min=0,
-  max=2,
-} ) {
-
+import knex from "knex";
+export const db = function ({
+  client = "mysql2",
+  host = "127.0.0.1",
+  user = "root",
+  password = "123456",
+  database = "test",
+  port = 3306,
+  debug = true,
+  charset = "utf8mb4",
+  min = 0,
+  max = 2,
+}) {
   let config = {
-    client ,
+    client,
     connection: {
-        host ,
-        user ,
-        password,
-        database,
-        charset,
-    } ,
+      host,
+      port,
+      user,
+      password,
+      database,
+      charset,
+    },
     debug,
-    pool: { //默认为{min: 2, max: 10},连接池配置
-        min,
-        max,
-      },
+    pool: {
+      //默认为{min: 2, max: 10},连接池配置
+      min,
+      max,
+    },
     log: {
-        warn(message) {
-          console.error("[knex warn]", message);
-        },
-        error(message) {
-          console.error("[knex error]", message);
-        },
-        debug(message) {
-          console.log("[knex debug]", message);
-        },
-        deprecate(message) {
-          console.warn("[knex deprecate]", message);
-        },
-        trace(message) {
-          console.log("[knex trace]", message);
-        },
-        log(message) {
-          console.log("[knex log]", message);
-        },
-        info(message) {
-          console.log("[knex info]", message);
-        },
-
+      warn(message) {
+        console.error("[knex warn]", message);
+      },
+      error(message) {
+        console.error("[knex error]", message);
+      },
+      debug(message) {
+        console.log("[knex debug]", message);
+      },
+      deprecate(message) {
+        console.warn("[knex deprecate]", message);
+      },
+      trace(message) {
+        console.log("[knex trace]", message);
+      },
+      log(message) {
+        console.log("[knex log]", message);
+      },
+      info(message) {
+        console.log("[knex info]", message);
       },
-}
-    return knex(config);
-}
+    },
+  };
+  return knex(config);
+};
 
 const errCode = {
-  "ECONNREFUSED": "数据库连接被拒绝，请检查数据库服务是否正常运行。",
-  "ER_ACCESS_DENIED_ERROR": "无权限访问，账号或密码错误。",
-  "ER_ROW_IS_REFERENCED_2": "无法删除或更新记录，存在关联数据。",
-  "ER_BAD_FIELD_ERROR": "SQL语句中包含无效字段，请检查查询条件或列名。",
-  "ER_DUP_ENTRY": "插入失败：数据重复，违反唯一性约束。",
-  "ER_NO_SUCH_TABLE": "操作失败：目标表不存在。",
-  "ETIMEOUT": "数据库操作超时，请稍后再试。"
-}
+  ECONNREFUSED: "数据库连接被拒绝，请检查数据库服务是否正常运行。",
+  ER_ACCESS_DENIED_ERROR: "无权限访问，账号或密码错误。",
+  ER_ROW_IS_REFERENCED_2: "无法删除或更新记录，存在关联数据。",
+  ER_BAD_FIELD_ERROR: "SQL语句中包含无效字段，请检查查询条件或列名。",
+  ER_DUP_ENTRY: "插入失败：数据重复，违反唯一性约束。",
+  ER_NO_SUCH_TABLE: "操作失败：目标表不存在。",
+  ETIMEOUT: "数据库操作超时，请稍后再试。",
+};
 const getDefaultErrorMessage = (error) => {
-  if (error.message.includes('syntax') ||
-    error.message.includes('SQL')) {
-    return '数据库语法错误，请检查您的查询语句。';
-  } else if (error.message.includes('Connection closed')) {
-    return '数据库连接已关闭，请重试。';
-  } else if (error.message.includes('permission')) {
-    return '数据库权限不足，请检查配置。';
+  if (error.message.includes("syntax") || error.message.includes("SQL")) {
+    return "数据库语法错误，请检查您的查询语句。";
+  } else if (error.message.includes("Connection closed")) {
+    return "数据库连接已关闭，请重试。";
+  } else if (error.message.includes("permission")) {
+    return "数据库权限不足，请检查配置。";
   }
-  return '数据库发生未知错误，请稍后重试。';
-}
+  return "数据库发生未知错误，请稍后重试。";
+};

package/utils/loader.js

@@ -1,32 +1,32 @@
-import fs from 'fs';
-import path from 'path';
-import { bindClass } from './bind.js';
+import fs from "fs";
+import path from "path";
+import { bindClass } from "./bind.js";
 
 /**
- * 
+ *
  * @param {*} module 模块目录
- * @returns Array 
+ * @returns Array
  * @description 将web模块放到最后加载
  */
-export const loaderSort = (modules=[])=>{
-  const index = modules.indexOf('web');
+export const loaderSort = (modules = []) => {
+  const index = modules.indexOf("web");
   if (index !== -1) {
-      const web = modules.splice(index, 1);
-      modules.push(web[0]);
+    const web = modules.splice(index, 1);
+    modules.push(web[0]);
   }
   return modules;
-}
+};
 
-export const getPackage = async function(){
-  let pkg = await importFile('package.json')
+export const getPackage = async function () {
+  let pkg = await importFile("package.json");
   return pkg;
-}
+};
 
-export const loadConfig = async function(){
-  let config = await importFile('config/index.js')
+export const loadConfig = async function () {
+  let config = await importFile("config/index.js");
+  console.log("config", config);
   return config;
-}
-
+};
 
 /**
  * 加载指定模块名下的所有控制器文件
@@ -36,22 +36,24 @@ export const loadConfig = async function(){
 export const loadController = async function (moduleName) {
   const controller = {};
 
-  const dir = path.join(MODULES_PATH, moduleName,'controller');
+  const dir = path.join(MODULES_PATH, moduleName, "controller");
 
   if (!fs.existsSync(dir)) {
     console.warn(`模块路径不存在，跳过加载控制器: ${dir}`);
     return controller;
   }
 
-  const files = fs.readdirSync(dir).filter(file => file.endsWith('.js'));
+  const files = fs.readdirSync(dir).filter((file) => file.endsWith(".js"));
 
   for (const file of files) {
     const filePath = path.join(dir, file);
-    const name = file.replace(/\.js$/i, ''); // 安全处理 .js 后缀
+    const name = file.replace(/\.js$/i, ""); // 安全处理 .js 后缀
 
     try {
       const module = await importFile(filePath);
-      controller[name] = { ...module};
+      let obj = module.default || module;
+
+      controller[name] = obj;
     } catch (e) {
       console.error(`加载控制器失败: ${filePath}`, e);
       // 可选：抛出错误或继续加载其他文件
@@ -61,6 +63,3 @@ export const loadController = async function (moduleName) {
 
   return controller;
 };
-
-
-