npm - chanjs - Versions diffs - 2.0.6 → 2.0.8 - Mend

chanjs 2.0.6 → 2.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/config/code.js ADDED Viewed

@@ -0,0 +1,48 @@
+// 简化的状态码定义（数字作为键）
+export const CODE = {
+  200: "操作成功", // 成功
+  201: "操作失败", // 通用失败
+  // 业务逻辑错误
+  1001: "业务处理失败", // 业务处理失败
+  // 参数错误
+  2001: "参数无效", // 参数无效
+  2002: "参数缺失", // 参数缺失
+  // 认证授权错误
+  3001: "认证失败", // 认证失败
+  3002: "令牌已过期", // 令牌过期
+  3003: "权限不足", // 权限不足
+  // 资源相关错误
+  4001: "资源不存在", // 资源不存在
+  4002: "资源已锁定", // 资源锁定
+  4003: "资源已存在", // 资源重复
+  // 系统错误
+  5001: "系统内部错误", // 系统错误
+  5002: "服务繁忙，请稍后再试", // 服务繁忙
+  // 数据库错误
+  6001: "数据库连接失败", // 连接错误
+  6002: "数据库访问被拒绝", // 访问被拒
+  6003: "存在关联数据，操作失败", // 引用错误
+  6004: "数据库字段错误", // 字段错误
+  6005: "数据重复，违反唯一性约束", // 数据重复
+  6006: "目标表不存在", // 表不存在
+  6007: "数据库操作超时", // 操作超时
+  6008: "数据库语法错误，请检查查询语句", // 语法错误
+  6009: "数据库连接已关闭，请重试", // 连接已关闭
+};
+// 数据库错误码映射（仅映射状态码）
+export const DB_ERROR = {
+  ECONNREFUSED: 6001,
+  ER_ACCESS_DENIED_ERROR: 6002,
+  ER_ROW_IS_REFERENCED_2: 6003,
+  ER_BAD_FIELD_ERROR: 6004,
+  ER_DUP_ENTRY: 6005,
+  ER_NO_SUCH_TABLE: 6006,
+  ETIMEOUT: 6007,
+};

package/core/service copy.js ADDED Viewed

@@ -0,0 +1,217 @@
+import {CODE,DB_ERROR} from "../config/code.js";
+// 响应工具函数
+const createResponse = (success, data, msg, code) => ({
+  success,
+  data: data || (success ? {} : null),
+  msg: msg || (success ? CODE[200] : CODE[1001]),
+  code: code || (success ? 200 : 1001)
+});
+const successResponse = (data, msg) => createResponse(true, data, msg);
+const failResponse = (msg, data, code) => createResponse(false, data, msg, code);
+// 错误处理函数
+const getDefaultErrorCode = (error) => {
+  if (error.message.includes('syntax') || error.message.includes('SQL')) {
+    return 6008;
+  } else if (error.message.includes('Connection closed')) {
+    return 6009;
+  } else if (error.message.includes('permission')) {
+    return 3003;
+  }
+  return 5001;
+};
+const handleError = (err) => {
+  console.error('Database Error:', err);
+  const errorCode = DB_ERROR[err.code] || getDefaultErrorCode(err);
+  return failResponse(
+    CODE[errorCode],
+    { sql: err.sql, sqlMessage: err.sqlMessage },
+    errorCode
+  );
+};
+// 基础查询构建函数
+const buildQuery = (knex, model, query = {}) => {
+  let dbQuery = knex(model);
+  if (Object.keys(query).length > 0) {
+    dbQuery = dbQuery.where(query);
+  }
+  return dbQuery;
+};
+/**
+ * 查询表所有记录（慎用）
+ */
+export const all = async (knex, model, query = {}) => {
+  try {
+    const res = await buildQuery(knex, model, query).select();
+    return successResponse(res);
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 获取单个记录
+ */
+export const one = async (knex, model, query = {}) => {
+  try {
+    const res = await buildQuery(knex, model, query).first();
+    return successResponse(res);
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 根据条件查询记录
+ */
+export const findById = async (knex, model, { query = {}, field = [], len = 1 }) => {
+  try {
+    let dataQuery = knex(model).where(query);
+    if (field.length > 0) dataQuery = dataQuery.select(field);
+    if (len === 1) dataQuery = dataQuery.first();
+    else if (len > 1) dataQuery = dataQuery.limit(len);
+    const res = await dataQuery;
+    return successResponse(res || (len === 1 ? {} : []));
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 创建新记录
+ */
+export const insert = async (knex, model, data = {}) => {
+  try {
+    if (Object.keys(data).length === 0) {
+      return failResponse(CODE[2002], null, 2002);
+    }
+    const result = await knex(model).insert(data);
+    return successResponse(result?.length > 0 || !!result);
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 插入多条记录
+ */
+export const insertMany = async (knex, model, records = []) => {
+  try {
+    if (records.length === 0) {
+      return failResponse(CODE[2002], null, 2002);
+    }
+    const result = await knex(model).insert(records);
+    return successResponse(result);
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 根据指定条件删除记录
+ */
+export const del = async (knex, model, query = {}) => {
+  try {
+    if (Object.keys(query).length === 0) {
+      return failResponse(CODE[2002], null, 2002);
+    }
+    const affectedRows = await knex(model).where(query).del();
+    return successResponse(affectedRows > 0);
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 根据指定条件更新记录
+ */
+export const update = async (knex, model, query = {}, params = {}) => {
+  try {
+    if (Object.keys(query).length === 0 || Object.keys(params).length === 0) {
+      return failResponse(CODE[2001], null, 2001);
+    }
+    const result = await knex(model).where(query).update(params);
+    return successResponse(!!result);
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 批量更新多条记录
+ */
+export const updateMany = async (knex, model, updates = []) => {
+  if (!Array.isArray(updates) || updates.length === 0) {
+    return failResponse(CODE[2002], null, 2002);
+  }
+  const trx = await knex.transaction();
+  try {
+    for (const { query, params } of updates) {
+      const result = await trx(model).where(query).update(params);
+      if (result === 0) {
+        await trx.rollback();
+        return failResponse(`更新失败: ${JSON.stringify(query)}`);
+      }
+    }
+    await trx.commit();
+    return successResponse(true);
+  } catch (err) {
+    await trx.rollback();
+    return handleError(err);
+  }
+};
+/**
+ * 分页查询
+ */
+export const query = async (knex, model, { current = 1, pageSize = 10, query = {}, field = [] }) => {
+  try {
+    const offset = (current - 1) * pageSize;
+    let countQuery = knex(model).count("* as total");
+    let dataQuery = knex(model);
+    if (Object.keys(query).length > 0) {
+      Object.entries(query).forEach(([key, value]) => {
+        countQuery = countQuery.where(key, value);
+        dataQuery = dataQuery.where(key, value);
+      });
+    }
+    if (field.length > 0) dataQuery = dataQuery.select(field);
+    const [totalResult, list] = await Promise.all([
+      countQuery.first(),
+      dataQuery.offset(offset).limit(pageSize)
+    ]);
+    const total = totalResult?.total || 0;
+    return successResponse({ list, total, current, pageSize });
+  } catch (err) {
+    return handleError(err);
+  }
+};
+/**
+ * 计数查询
+ */
+export const count = async (knex, model, query = []) => {
+  try {
+    let dataQuery = knex(model);
+    if (query.length > 0) {
+      query.forEach(condition => dataQuery = dataQuery.where(condition));
+    }
+    const result = await dataQuery.count("* as total").first();
+    return successResponse(Number(result?.total) || 0);
+  } catch (err) {
+    return handleError(err);
+  }
+};

package/core/service.js CHANGED Viewed

@@ -1,57 +1,6 @@
-// ====================== 模块级别工具函数 (只初始化一次) ======================
-const errCode = {
-  "ECONNREFUSED": "数据库连接被拒绝，请检查数据库服务是否正常运行。",
-  "ER_ACCESS_DENIED_ERROR": "无权限访问，账号或密码错误。",
-  "ER_ROW_IS_REFERENCED_2": "无法删除或更新记录，存在关联数据。",
-  "ER_BAD_FIELD_ERROR": "SQL语句中包含无效字段，请检查查询条件或列名。",
-  "ER_DUP_ENTRY": "插入失败：数据重复，违反唯一性约束。",
-  "ER_NO_SUCH_TABLE": "操作失败：目标表不存在。",
-  "ETIMEOUT": "数据库操作超时，请稍后再试。"
-};
-const getDefaultErrorMessage = (error) => {
-  if (error.message.includes('syntax') || error.message.includes('SQL')) {
-    return '数据库语法错误，请检查您的查询语句。';
-  } else if (error.message.includes('Connection closed')) {
-    return '数据库连接已关闭，请重试。';
-  } else if (error.message.includes('permission')) {
-    return '数据库权限不足，请检查配置。';
-  }
-  return '数据库发生未知错误，请稍后重试。';
-};
-const errorResponse = (err) => {
-  console.error('DB Error:', err);
-  const message = errCode[err.code] || getDefaultErrorMessage(err);
-  return {
-    success: false,
-    msg: message,
-    code: 500,
-    data: {
-      sql: err.sql,
-      sqlMessage: err.sqlMessage
-    }
-  };
-};
-const failResponse = (msg = "操作失败", data = {}) => {
-  console.warn('Operation failed:', msg);
-  return {
-    success: false,
-    msg,
-    code: 201,
-    data
-  };
-};
-const successResponse = (data = {}, msg = "操作成功") => ({
-  success: true,
-  msg,
-  code: 200,
-  data
-});
-// ====================== 共享数据库方法 (只创建一次) ======================
+import { success, fail, error } from "../utils/response.js";
+import { CODE } from "../config/code.js";
+// ====================== 共享数据库方法 ======================
 const databaseMethods = {
   /**
    * 查询表所有记录（慎用）
@@ -65,9 +14,9 @@ const databaseMethods = {
         dbQuery = dbQuery.where(query);
       }
       const res = await dbQuery.select();
-      return successResponse(res);
+      return success(res);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -75,9 +24,7 @@ const databaseMethods = {
    * 获取单个记录
    * @param {Object} query - 查询条件
    * @returns {Promise} 查询结果
-   *
-   * */
+   */
   async one(query = {}) {
     try {
       let dbQuery = this.knex(this.model);
@@ -85,9 +32,9 @@ const databaseMethods = {
         dbQuery = dbQuery.where(query);
       }
       const res = await dbQuery.first();
-      return successResponse(res);
+      return success(res);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -106,9 +53,9 @@ const databaseMethods = {
       else if (len > 1) dataQuery = dataQuery.limit(len);
       const res = await dataQuery;
-      return successResponse(res || (len === 1 ? {} : []));
+      return success(res || (len === 1 ? {} : []));
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -119,13 +66,16 @@ const databaseMethods = {
    */
   async insert(data = {}) {
     try {
+      console.log('data--->',data)
       if (Object.keys(data).length === 0) {
-        return failResponse('插入数据不能为空');
+        return fail(CODE[2002], { code: 2002 });
       }
+      console.log('this.model--->',this.model)
       const result = await this.knex(this.model).insert(data);
-      return successResponse(result?.length > 0 || !!result);
+      return success(result?.length > 0 || !!result);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -137,12 +87,12 @@ const databaseMethods = {
   async insertMany(records = []) {
     try {
       if (records.length === 0) {
-        return failResponse('插入数据不能为空');
+        return fail(CODE[2002], { code: 2002 });
       }
       const result = await this.knex(this.model).insert(records);
-      return successResponse(result);
+      return success(result);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -154,12 +104,12 @@ const databaseMethods = {
   async delete(query = {}) {
     try {
       if (Object.keys(query).length === 0) {
-        return failResponse("请指定删除条件");
+        return fail(CODE[2002], { code: 2002 });
       }
       const affectedRows = await this.knex(this.model).where(query).del();
-      return successResponse(affectedRows > 0);
+      return success(affectedRows > 0);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -173,12 +123,17 @@ const databaseMethods = {
   async update({ query, params } = {}) {
     try {
       if (!query || !params || Object.keys(query).length === 0) {
-        return failResponse("参数错误");
+        return fail(CODE[2001], { code: 2001 });
       }
+      console.log('query--->',query)
+      console.log('this.model--->',this.model)
+      console.log('params---->',params)
       const result = await this.knex(this.model).where(query).update(params);
-      return successResponse(!!result);
+      console.log('result--->',result)
+      return success(!!result);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -189,7 +144,7 @@ const databaseMethods = {
    */
   async updateMany(updates = []) {
     if (!Array.isArray(updates) || updates.length === 0) {
-      return failResponse('更新数据不能为空');
+      return fail(CODE[2002], { code: 2002 });
     }
     const trx = await this.knex.transaction();
@@ -198,14 +153,14 @@ const databaseMethods = {
         const result = await trx(this.model).where(query).update(params);
         if (result === 0) {
           await trx.rollback();
-          return failResponse(`更新失败: ${JSON.stringify(query)}`);
+          return fail(`更新失败: ${JSON.stringify(query)}`);
         }
       }
       await trx.commit();
-      return successResponse(true);
+      return success(true);
     } catch (err) {
       await trx.rollback();
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -239,9 +194,9 @@ const databaseMethods = {
       ]);
       const total = totalResult?.total || 0;
-      return successResponse({ list, total, current, pageSize });
+      return success({ list, total, current, pageSize });
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   },
@@ -257,14 +212,14 @@ const databaseMethods = {
         query.forEach(condition => dataQuery = dataQuery.where(condition));
       }
       const result = await dataQuery.count("* as total").first();
-      return successResponse(Number(result?.total) || 0);
+      return success(Number(result?.total) || 0);
     } catch (err) {
-      return errorResponse(err);
+      return error(err);
     }
   }
 };
-// ====================== 工厂函数 (轻量创建实例) ======================
+// ====================== 工厂函数 ======================
 /**
  * 创建数据库服务实例
  * @param {Object} knex - Knex实例
@@ -273,7 +228,7 @@ const databaseMethods = {
  */
 export default function Service(knex, model) {
   if (!knex || !model) {
-    throw new Error('createDBService: knex instance and model name are required');
+    throw new Error('Service: knex instance and model name are required');
   }
   // 创建继承数据库方法的轻量对象
@@ -294,4 +249,4 @@ export default function Service(knex, model) {
   });
   return service;
-}
+}

package/index.js CHANGED Viewed

@@ -65,7 +65,8 @@ class Chan {
       logger,
       cors,
     } = Chan.config;
+    this.app.set('trust proxy', true);
     log(this.app, logger);
     setFavicon(this.app);
     setCookie(this.app, cookieKey);
@@ -166,7 +167,7 @@ class Chan {
   }
   run(cb) {
-    const port = Chan.config.port || "81";
+    const port = parseInt(process.env.PORT) || 3000;
     this.app.listen(port, () => {
       cb ? cb(port) : console.log(`Server is running on port ${port}`);
     });

package/middleware/log.js CHANGED Viewed

@@ -1,4 +1,21 @@
 import morgan from "morgan";
-export const log = (app,logger) => {
-    app.use(morgan(logger.level));
+import { getIp } from "../helper/ip.js";
+morgan.token("ip", (req, res) => {
+  return getIp(req);
+});
+// 自定义 morgan 格式：IP Method URL Status Length - Response-Time ms
+morgan.format("chancms", (tokens, req, res) => {
+  return [
+    tokens.ip(req, res), // 客户端 IP
+    tokens.method(req, res), // GET/POST
+    tokens.url(req, res), // 完整 URL（含 query）
+    tokens.status(req, res), // 状态码（如 403）
+    tokens.res(req, res, "content-length") || "-", // 响应体大小
+    "-", // 占位符（原日志中的 '-'）
+    tokens["response-time"](req, res),
+    "ms", // 响应时间
+  ].join(" ");
+});
+export const log = (app, logger) => {
+  app.use(morgan(logger.level));
 };

package/middleware/waf.js CHANGED Viewed

@@ -1,195 +1,179 @@
 import url from "url";
-import {getIp} from "../helper/ip.js";
-// 原始关键词列表（保持不变）
-const keywords = [
-  ".aspx",
-  ".php",
-  ".pl",
-  ".jsa",
-  ".jsp",
-  ".asp",
-  ".go",
-  ".jhtml",
-  ".shtml",
-  ".cfm",
-  ".cgi",
-  ".svn",
-  ".env",
-  ".keys",
-  ".cache",
-  ".hidden",
-  ".bod",
-  ".ll",
-  ".backup",
-  ".json",
-  ".xml",
-  ".bak",
-  ".aws",
-  ".database",
-  // ".cookie",
-  ".location",
-  ".dump",
-  ".ftp",
-  ".idea",
-  ".s3",
-  ".sh",
-  ".old",
-  ".tf",
-  ".sql",
-  ".vscode",
-  ".docker",
-  ".map",
-  "1+1",
-  ".save",
-  ".gz",
-  ".yml",
-  ".tar",
-  ".rar",
-  ".7z",
-  ".zip",
-  ".git",
-  ".log",
-  ".local",
-  "../",
-  "db_",
-  "smtp",
-  "meta",
-  "debug",
-  "secret",
-  "/xampp/",
-  "/metadata/",
-  "/internal/",
-  "/aws/",
-  "/debug/",
-  "/configs/",
-  "/cgi-bin/",
-  "/tmp/",
-  "/staging/",
-  "/mail/",
-  "/docker/",
-  "/.secure/",
-  "/php-cgi/",
-  "/wp-",
-  "/backup/",
-  "redirect",
-  "/phpMyAdmin/",
-  "/setup/",
-  "concat(",
-  "version(",
-  "sleep(",
-  "benchmark(",
-  "0x7e",
-  "extractvalue(",
-  "(select",
-  "a%",
-  "union",
-  "drop",
-  "alter",
-  "truncate",
-  "exec",
-];
-// 预处理：合并字符串关键词和正则关键词为两个单一正则（核心优化）
-const { combinedStrRegex, combinedRegRegex } = (() => {
+import { getIp } from "../helper/ip.js";
+// 改进的关键词列表，区分需要全词匹配的关键词
+const keywords = {
+  // 需要全词匹配的关键词（避免短词误报）
+  wholeWord: [
+    // 系统命令/工具（容易产生短词误报）
+    "opt", "cmd", "rm", "mdc", "netcat", "nc", "mdb", "bin", "mk", "sys","sh","chomd",
+    "php-cgi"
+  ],
+  // 普通关键词（包含特殊字符或较长关键词）
+  normal: [
+    // 文件扩展名 & 敏感文件
+    ".php", ".asp", ".aspx", ".jsp", ".jspx", ".do", ".action", ".cgi",
+    ".py", ".pl", ".md", ".log", ".conf", ".config", ".env", ".jsa",
+    ".go", ".jhtml", ".shtml", ".cfm", ".svn", ".keys", ".hidden",
+    ".bod", ".ll", ".backup", ".json", ".xml", ".bak", ".aws",
+    ".database", ".cookie", ".rsp", ".old", ".tf", ".sql", ".vscode",
+    ".docker", ".map", ".save", ".gz", ".yml", ".tar", ".sh", ".idea", ".s3",
+    // 敏感目录
+    "/administrator", "/wp-admin",
+    // 高危路径/应用
+    "phpMyAdmin", "setup", "wp-", "cgi-bin", "xampp", "staging", "internal",
+    "debug", "metadata", "secret", "smtp",  "redirect", "configs",
+    // SQL 注入
+    "sleep(", "benchmark(", "concat(", "extractvalue(", "updatexml(",
+    "version(", "union select", "union all", "select @@", "drop",
+    "alter", "truncate", "exec", "(select", "information_schema",
+    "load_file(", "into outfile", "into dumpfile",
+    // 命令注入
+    "cmd=", "system(", "exec(", "shell_exec(", "passthru(", "base64_decode",
+    "eval(", "assert(", "preg_replace", "bash -i", "rm -rf", "wget ", "curl ",
+    "chmod ", "phpinfo()",
+    // 路径遍历
+    "../", "..\\", "/etc/passwd", "/etc/shadow",
+    // XSS
+    "<script", "javascript:", "onerror=", "onload=", "alert(", "document.cookie",
+    // 特殊编码
+    "0x7e", "UNION%20SELECT", "%27OR%27", "{{", "}}", "1+1"
+  ]
+};
+// === 预处理：构建正则缓存 ===
+const { wholeWordRegexCache, normalRegexCache } = (() => {
   const regexSpecialChars = /[.*+?^${}()|[\]\\]/g;
-  const strKwParts = []; // 存储无特殊字符的关键词（用于合并正则）
-  const regKwParts = []; // 存储转义后的正则关键词（用于合并正则）
-  keywords.forEach((keyword) => {
-    if (regexSpecialChars.test(keyword)) {
-      // 含正则特殊字符：转义后加入正则关键词部分
-      const escaped = keyword.replace(regexSpecialChars, "\\$&");
-      regKwParts.push(escaped);
-    } else {
-      // 无特殊字符：直接加入字符串关键词部分
-      strKwParts.push(keyword);
-    }
+  const wholeWordRegexCache = {};
+  const normalRegexCache = {};
+  // 处理需要全词匹配的关键词
+  keywords.wholeWord.forEach((keyword) => {
+    // 转义特殊字符
+    const escaped = keyword.replace(regexSpecialChars, "\\$&");
+    // 使用单词边界确保全词匹配，忽略大小写
+    wholeWordRegexCache[keyword] = new RegExp(`\\b${escaped}\\b`, "i");
+  });
+  // 处理普通关键词
+  keywords.normal.forEach((keyword) => {
+    // 转义特殊字符
+    const escaped = keyword.replace(regexSpecialChars, "\\$&");
+    // 普通匹配，忽略大小写
+    normalRegexCache[keyword] = new RegExp(escaped, "i");
   });
-  // 构建合并后的正则（空数组时返回匹配失败的正则，避免报错）
-  const buildCombinedRegex = (parts) => {
-    return parts.length
-      ? new RegExp(`(?:${parts.join("|")})`, "i") // 非捕获组+不区分大小写
-      : new RegExp("^$"); // 匹配空字符串（永远不命中）
-  };
-  return {
-    combinedStrRegex: buildCombinedRegex(strKwParts),
-    combinedRegRegex: buildCombinedRegex(regKwParts),
-  };
+  return { wholeWordRegexCache, normalRegexCache };
 })();
+/**
+ * WAF 安全中间件（优化版，减少误报）
+ */
 const safe = (req, res, next) => {
-    try {
-      // 1. 设置安全头（保持不变）
-      // res.setHeader("X-Frame-Options", "SAMEORIGIN");
-      // res.setHeader("X-Content-Type-Options", "nosniff");
-      // res.setHeader("Referrer-Policy", "no-referrer-when-downgrade");
-      // res.removeHeader("Server");
-      // 2. 构建检查文本：req.path（仅路径）+ query（非空才加）（优化冗余）
-      let checkText = req.path || "";
-      if (req.query && Object.keys(req.query).length > 0) {
-         const queryStr = Object.entries(req.query)
-          .map(([k, v]) => `${k}=${v}`)
-          .join(' ');
-        checkText += ` ${queryStr}`;
-      }
+  try {
+    const { WAF_LEVEL = 1 } = Chan.config || {};
+    // 设置基础安全头
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-XSS-Protection", "1; mode=block");
+    res.setHeader("X-Frame-Options", "DENY");
+    // 构建检测文本：path + query + body
+    let checkText = req.path || "";
+    // 添加 query
+    if (req.query && Object.keys(req.query).length > 0) {
+      const queryStr = Object.entries(req.query)
+        .map(([k, v]) => `${k}=${v}`)
+        .join(" ");
+      checkText += ` ${queryStr}`;
+    }
-      // 3. 处理请求体（优化序列化逻辑）
-      let bodyText = "";
-      const contentType = req.headers["content-type"] || "";
-      const isMultipart = contentType.includes("multipart/form-data");
-      if (!isMultipart && req.body) {
-        try {
-          // 若已是字符串直接用，否则序列化（避免重复序列化）
-          const bodyStr =
-            typeof req.body === "string" ? req.body : JSON.stringify(req.body);
-          // 限制大小（保持原逻辑，避免大文本开销）
-          if (bodyStr.length < 10000) {
-            bodyText = ` ${bodyStr}`;
-          }
-        } catch (e) {
-          // 忽略序列化错误
+    // 添加 body（非 multipart）
+    let bodyText = "";
+    const contentType = req.headers["content-type"] || "";
+    const isMultipart = contentType.includes("multipart/form-data");
+    if (!isMultipart && req.body) {
+      try {
+        const bodyStr =
+          typeof req.body === "string" ? req.body : JSON.stringify(req.body);
+        // 限制检测的body长度，避免性能问题
+        if (bodyStr.length < 10000) {
+          bodyText = ` ${bodyStr}`;
         }
+      } catch (e) {
+        // 忽略序列化错误
       }
+    }
-      // 合并完整文本（无需 toLowerCase）
-      const fullText = checkText + bodyText;
+    const fullText = checkText + bodyText;
+    // 空文本直接跳过检测
+    if (!fullText.trim()) return next();
+    let matchedKeyword = null;
-      // 4. 高效匹配：两次正则 test 替代 N 次循环（核心优化）
-      let foundMatch = false;
-      // 先检查字符串关键词合并正则（更快，因为无复杂正则逻辑）
-      if (combinedStrRegex.test(fullText)) {
-        foundMatch = true;
+    // 1. 检测需要全词匹配的关键词
+    for (const [kw, regex] of Object.entries(wholeWordRegexCache)) {
+      if (regex.test(fullText)) {
+        matchedKeyword = kw;
+        break;
       }
-      // 再检查正则关键词合并正则（仅当字符串匹配未命中时）
-      else if (combinedRegRegex.test(fullText)) {
-        foundMatch = true;
+    }
+    // 2. 检测普通关键词
+    if (!matchedKeyword) {
+      for (const [kw, regex] of Object.entries(normalRegexCache)) {
+        if (regex.test(fullText)) {
+          matchedKeyword = kw;
+          break;
+        }
       }
+    }
-      if (foundMatch) {
-        console.error("[安全拦截] 疑似恶意请求:", {
-          url: req.url,
-          ip: getIp(req),
-          userAgent: req.get("User-Agent") || "",
-        });
+    // === 拦截处理 ===
+    if (matchedKeyword) {
+      const clientIp = getIp(req);
+      const userAgent = req.get("User-Agent") || "";
+      console.error("[WAF 拦截] 疑似恶意请求:", {
+        url: req.url,
+        ip: clientIp,
+        userAgent: userAgent.substring(0, 100),
+        method: req.method,
+        matchedKeyword,
+        sample: fullText.substring(0, 200) + (fullText.length > 200 ? "..." : ""),
+      });
+      // 根据WAF级别决定拦截方式
+      if (WAF_LEVEL >= 2) {
         return res.status(403).send("非法风险请求，已拦截");
+      } else {
+        // 低级别仅记录不拦截，便于观察误报
+        console.warn("[WAF 警告] 低级别模式下未拦截请求");
+        return next();
       }
-      next();
-    } catch (error) {
-      console.error("[安全中间件异常]", error);
-      res.status(500).send("服务器内部错误");
     }
-  };
+    next();
+  } catch (error) {
+    console.error("[WAF 异常]", error);
+    res.status(500).send("服务器内部错误");
+  }
+};
+/**
+ * 导出 WAF
+ */
 export const waf = (app) => {
   app.use(safe);
 };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "chanjs",
-  "version": "2.0.6",
+  "version": "2.0.8",
   "description": "chanjs基于express5 纯js研发的轻量级mvc框架。",
   "main": "index.js",
   "module": "index.js",

package/utils/response.js ADDED Viewed

@@ -0,0 +1,46 @@
+import { CODE, DB_ERROR } from "../config/code.js";
+// ====================== 模块级别工具函数 ======================
+export const getDefaultErrorCode = (error) => {
+  if (error.message.includes("syntax") || error.message.includes("SQL")) {
+    return 6008;
+  } else if (error.message.includes("Connection closed")) {
+    return 6009;
+  } else if (error.message.includes("permission")) {
+    return 3003;
+  }
+  return 5001;
+};
+export const error = (err) => {
+  console.error("DB Error:", err);
+  // 从映射表获取状态码或使用默认错误码
+  const errorCode = DB_ERROR[err.code] || getDefaultErrorCode(err);
+  return {
+    success: false,
+    msg: CODE[errorCode], // 从CODE对象获取错误消息
+    code: errorCode,
+    data: {
+      sql: err.sql,
+      sqlMessage: err.sqlMessage,
+    },
+  };
+};
+export const fail = (msg = CODE[201], data = {}) => {
+  console.warn("Operation failed:", msg);
+  return {
+    success: false,
+    msg,
+    code: 201, // 使用通用失败码
+    data,
+  };
+};
+export const success = (data = {}, msg = CODE[200]) => ({
+  success: true,
+  msg,
+  code: 200, // 使用标准成功码
+  data,
+});