chanjs 2.3.1 → 2.5.0

package/middleware/waf.js

@@ -2,13 +2,15 @@ import { getIp } from "../helper/ip.js";
 import { checkKeywords } from "../utils/checker.js";
 import { filterXSS } from "../utils/xss-filter.js";
 import { createRateLimitMiddleware } from "../utils/rate-limit.js";
-import { configError } from "../utils/error.js";
 
 /**
  * Web应用防火墙（WAF）中间件
  * 提供访问限流、关键词过滤、XSS防护等功能
  */
 
+const WAF_BLOCKED_KEY = `${process.env.APP_NAME || 'app'}_waf_blocked`;
+const WAF_BLOCKED_HEADER = 'x-waf-blocked';
+
 /**
  * 路径白名单 - 这些路径不会被 WAF 检查
  * @type {Array<string>}
@@ -56,6 +58,18 @@ function createWafMiddleware(wafConfig) {
       res.setHeader("X-XSS-Protection", "1; mode=block");
       res.setHeader("X-Frame-Options", "DENY");
 
+      if (!isWhitelistedPath(requestPath)) {
+        const isBlocked = req.headers[WAF_BLOCKED_HEADER];
+        if (isBlocked === 'true') {
+          console.error(`[WAF 永久封禁] IP:${clientIp} 路径:${requestPath} 原因:localStorage标记`);
+          return res.status(403).json({
+            code: 403,
+            success: false,
+            msg: '您的访问已被限制，如需恢复请联系管理员'
+          });
+        }
+      }
+
       await new Promise((resolve) => {
         rateLimitMiddleware(req, res, resolve);
       });
@@ -92,11 +106,25 @@ function createWafMiddleware(wafConfig) {
           const { category, keyword } = matched;
           console.error(`[WAF 拦截] IP:${clientIp} 路径:${requestPath} 关键词:${keyword} 类别:${category}`);
 
-          return res.status(403).json({
-            code: 403,
-            success: false,
-            msg: '非法请求：检测到恶意内容'
-          });
+          const htmlResponse = `
+            <!DOCTYPE html>
+            <html>
+            <head>
+              <meta charset="UTF-8">
+              <title>访问受限</title>
+            </head>
+            <body>
+              <h1>非法请求</h1>
+              <p>检测到恶意内容，您的访问已被限制。</p>
+              <p>如需恢复请联系管理员。</p>
+              <script>
+                localStorage.setItem('${WAF_BLOCKED_KEY}', 'true');
+              </script>
+            </body>
+            </html>
+          `;
+
+          return res.status(403).setHeader('Content-Type', 'text/html').send(htmlResponse);
         }
       }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "chanjs",
-  "version": "2.3.1",
+  "version": "2.5.0",
   "description": "chanjs基于express5 纯js研发的轻量级mvc框架。",
   "main": "index.js",
   "module": "index.js",

package/utils/index.js

@@ -1,6 +1,4 @@
-export { success, fail, error } from "./response.js";
-export { parseDatabaseError, notFoundResponse, errorResponse } from "./error-handler.js";
-export { configError, authError } from "./error.js";
+export { success, fail, error, parseDatabaseError, notFoundResponse, errorResponse } from "./response.js";
 export { checkKeywords, isIgnored } from "./checker.js";
 export { filterXSS } from "./xss-filter.js";
 export { createRateLimitMiddleware } from "./rate-limit.js";

package/utils/keywords.js

@@ -16,7 +16,7 @@ export const KEYWORD_RULES = {
    */
   extensions: [
     ".php", ".asp", ".aspx", ".jsp", ".jspx", ".do", ".action", ".cgi",
-    ".py", ".pl", ".cfm", ".jhtml", ".shtml"
+    ".py", ".pl", ".cfm", ".jhtml", ".shtml",".sql"
   ],
   /**
    * 敏感目录名称
@@ -39,7 +39,13 @@ export const KEYWORD_RULES = {
   commandInjection: [
     "cmd=", "system(", "exec(", "shell_exec(", "passthru(",
     "eval(", "assert(", "preg_replace", "bash -i", "rm -rf",
-    "wget ", "curl ", "chmod ", "base64_decode", "phpinfo()"
+    "wget ", "curl ", "chmod ", "base64_decode", "phpinfo()",
+    "kill ", "killall", "shutdown", "reboot", "halt", "fdisk",
+    "mkfs", "dd ", "ssh ", "scp ", "rsync", "nc ",
+    "netcat", "nmap", "iptables", "systemctl", "service",
+    "init", "crontab", "at ", "su ", "sudo", "useradd",
+    "userdel", "usermod", "groupadd", "groupdel", "passwd",
+    "chpasswd", "mount ", "umount", "ln -s"
   ],
   /**
    * 路径遍历关键词

package/utils/response.js

@@ -5,6 +5,20 @@ import { CODE, DB_ERROR } from "../config/code.js";
  * 提供统一的响应格式和错误处理
  */
 
+const ERROR_MESSAGES = {
+  6001: "数据库连接失败",
+  6002: "数据库访问被拒绝",
+  6003: "存在关联数据，操作失败",
+  6004: "数据库字段错误",
+  6005: "数据重复，违反唯一性约束",
+  6006: "目标表不存在",
+  6007: "数据库操作超时",
+  6008: "数据库语法错误，请检查查询语句",
+  6009: "数据库连接已关闭，请重试",
+  4003: "资源已存在",
+  5001: "系统内部错误",
+};
+
 /**
  * 获取默认错误代码
  * @private
@@ -23,6 +37,32 @@ const getDefaultErrorCode = (error) => {
   return 5001;
 };
 
+/**
+ * 解析数据库错误
+ * @param {Error} error - 数据库错误对象
+ * @returns {Object} 包含 code、msg 和 statusCode 的对象
+ * @description
+ * 根据数据库错误代码映射为业务状态码
+ * 返回对应的错误消息和 HTTP 状态码
+ */
+export function parseDatabaseError(error) {
+  const errorCode = error?.code && DB_ERROR[error.code]
+    ? DB_ERROR[error.code]
+    : error?.message?.includes("syntax") || error?.message?.includes("SQL")
+      ? 6008
+      : error?.message?.includes("Connection closed")
+        ? 6009
+        : error?.message?.includes("permission")
+          ? 3003
+          : 5001;
+
+  return {
+    code: errorCode,
+    msg: ERROR_MESSAGES[errorCode] || error?.message || "服务器内部错误",
+    statusCode: errorCode >= 6000 ? 500 : errorCode >= 4000 ? 400 : 500,
+  };
+}
+
 /**
  * 生成错误响应
  * @param {Object} options - 响应选项
@@ -33,8 +73,6 @@ const getDefaultErrorCode = (error) => {
  * @description
  * 根据错误类型生成标准错误响应
  * 开发环境下包含数据库错误详情
- * @example
- * const response = error({ err: databaseError });
  */
 export const error = ({ err, data = {}, code = 500 } = {}) => {
   if (err) {
@@ -70,10 +108,6 @@ export const error = ({ err, data = {}, code = 500 } = {}) => {
  * @param {Object} [options.data={}] - 响应数据
  * @param {number} [options.code=201] - 错误代码
  * @returns {Object} 失败响应对象
- * @description
- * 生成标准失败响应
- * @example
- * const response = fail({ msg: '用户不存在', code: 404 });
  */
 export const fail = ({ msg = "操作失败", data = {}, code = 201 } = {}) => {
   return {
@@ -90,10 +124,6 @@ export const fail = ({ msg = "操作失败", data = {}, code = 201 } = {}) => {
  * @param {Object} [options.data={}] - 响应数据
  * @param {string} [options.msg="操作成功"] - 成功消息
  * @returns {Object} 成功响应对象
- * @description
- * 生成标准成功响应
- * @example
- * const response = success({ data: { id: 1, name: '张三' } });
  */
 export const success = ({ data = {}, msg = "操作成功" } = {}) => ({
   success: true,
@@ -101,3 +131,50 @@ export const success = ({ data = {}, msg = "操作成功" } = {}) => ({
   code: 200,
   data,
 });
+
+/**
+ * 生成 404 响应
+ * @param {Object} req - Express 请求对象
+ * @returns {Object} 404 响应对象
+ */
+export function notFoundResponse(req) {
+  return {
+    success: false,
+    msg: "接口不存在",
+    code: 404,
+    data: { path: req.path, method: req.method },
+  };
+}
+
+/**
+ * 生成错误响应（Express 错误处理中间件用）
+ * @param {Error} err - 错误对象
+ * @param {Object} req - Express 请求对象
+ * @returns {Object} 错误响应对象
+ */
+export function errorResponse(err, req) {
+  const errorInfo = parseDatabaseError(err);
+  
+  console.error(`[Error Handler] ${errorInfo.msg} - ${err?.message}`, {
+    code: errorInfo.code,
+    path: req?.path,
+    method: req?.method,
+    sql: err?.sql,
+    sqlMessage: err?.sqlMessage,
+    stack: err?.stack,
+  });
+  
+  return {
+    success: false,
+    msg: errorInfo.msg,
+    code: errorInfo.code,
+    data: process.env.NODE_ENV === "development"
+      ? {
+          message: err?.message,
+          sql: err?.sql,
+          sqlMessage: err?.sqlMessage,
+          stack: err?.stack,
+        }
+      : {},
+  };
+}

package/base/Context.js

@@ -1,78 +0,0 @@
-/**
- * 应用上下文类
- * 用于存储和管理应用的配置和模型实例
- */
-class AppContext {
-  /**
-   * 构造函数
-   * 初始化配置和模型的Map存储
-   */
-  constructor() {
-    this._config = new Map();
-    this._models = new Map();
-  }
-
-  /**
-   * 设置配置项
-   * @param {string} key - 配置键名
-   * @param {*} value - 配置值
-   */
-  set(key, value) {
-    this._config.set(key, value);
-  }
-
-  /**
-   * 获取配置项
-   * @param {string} key - 配置键名
-   * @param {*} defaultValue - 默认值
-   * @returns {*} 配置值或默认值
-   */
-  get(key, defaultValue) {
-    return this._config.get(key) ?? defaultValue;
-  }
-
-  /**
-   * 检查配置项是否存在
-   * @param {string} key - 配置键名
-   * @returns {boolean} 是否存在
-   */
-  has(key) {
-    return this._config.has(key);
-  }
-
-  /**
-   * 设置模型实例
-   * @param {string} name - 模型名称
-   * @param {Object} instance - 模型实例
-   */
-  setModel(name, instance) {
-    this._models.set(name, instance);
-  }
-
-  /**
-   * 获取模型实例
-   * @param {string} name - 模型名称
-   * @returns {Object|undefined} 模型实例
-   */
-  getModel(name) {
-    return this._models.get(name);
-  }
-
-  /**
-   * 获取所有模型实例
-   * @returns {Object} 包含所有模型的对象
-   */
-  getAllModels() {
-    return Object.fromEntries(this._models.entries());
-  }
-
-  /**
-   * 清空所有配置和模型
-   */
-  clear() {
-    this._config.clear();
-    this._models.clear();
-  }
-}
-
-export default AppContext;

package/helper/db.js

@@ -1,79 +0,0 @@
-import knex from "knex";
-
-/**
- * 创建 Knex 数据库连接实例
- * @param {Object} config - 数据库配置对象
- * @param {string} config.client - 数据库客户端类型（如 mysql2, pg, sqlite3）
- * @param {Object} config.connection - 数据库连接配置
- * @param {Object} [config.pool] - 连接池配置
- * @returns {Knex} Knex 实例
- * @example
- * const db = db({
- *   client: 'mysql2',
- *   connection: {
- *     host: 'localhost',
- *     user: 'root',
- *     password: 'password',
- *     database: 'mydb'
- *   }
- * });
- */
-export function db(config) {
-  return knex(config);
-}
-
-/**
- * 根据前缀从环境变量中获取数据库配置
- * @param {string} prefix - 配置前缀（如 primary, secondary, redis）
- * @returns {Object|null} 解析后的配置对象，如果配置不存在或解析失败则返回 null
- * @description
- * 支持的前缀映射：
- * - primary -> DB_PRIMARY
- * - secondary -> DB_SECONDARY
- * - redis -> REDIS
- * - 其他 -> DB_{PREFIX.toUpperCase()}
- * 
- * 配置格式为 JSON 字符串，存储在环境变量中
- * @example
- * // 环境变量: DB_PRIMARY='{"client":"mysql2","connection":{"host":"localhost"}}'
- * const config = prefixDbConfig('primary');
- * // 返回: { client: 'mysql2', connection: { host: 'localhost' } }
- */
-export function prefixDbConfig(prefix) {
-  const prefixMap = {
-    primary: "DB_PRIMARY",
-    secondary: "DB_SECONDARY",
-    redis: "REDIS",
-  };
-  const envKey = prefixMap[prefix] || `DB_${prefix.toUpperCase()}`;
-  const configStr = process.env[envKey];
-
-  if (configStr) {
-    try {
-      return JSON.parse(configStr);
-    } catch (e) {
-      console.error(`[DB] 配置解析失败: ${envKey}`);
-      return null;
-    }
-  }
-
-  const client = process.env.DB_CLIENT || "mysql2";
-  if (client !== "mysql2") {
-    return null;
-  }
-
-  return {
-    client,
-    connection: {
-      host: process.env.DB_HOST || "localhost",
-      port: parseInt(process.env.DB_PORT || "3306"),
-      user: process.env.DB_USER || "root",
-      password: process.env.DB_PASS || "123456",
-      database: process.env.DB_DATABASE || "chancms"
-    },
-    pool: {
-      min: parseInt(process.env.DB_POOL_MIN || "2"),
-      max: parseInt(process.env.DB_POOL_MAX || "10")
-    }
-  };
-}

package/middleware/preventRetry.js

@@ -1,30 +0,0 @@
-/**
- * 防止快速重复请求中间件
- * 使用 Cache 实现请求频率限制
- */
-
-import Cache from "../helper/cache.js";
-
-const sendResponse = (res, code, message, data = null) => {
-  res.json({ code, msg: message, data });
-};
-
-const requestCache = new Cache({ maxSize: 1000, defaultTTL: 500 });
-
-export default () => {
-  return (req, res, next) => {
-    if (req.method !== 'GET') {
-      return next();
-    }
-
-    const key = `${req.method}:${req.originalUrl}`;
-    
-    if (requestCache.has(key)) {
-      console.log(`[preventRetry] 阻止快速重复请求: ${key}`);
-      return sendResponse(res, 429, '请求过于频繁，请稍后再试');
-    }
-    
-    requestCache.set(key, Date.now());
-    next();
-  };
-};

package/middleware/validator.js

@@ -1,43 +0,0 @@
-/**
- * 请求验证中间件
- * 提供请求参数验证功能
- */
-
-/**
- * 创建验证中间件
- * @param {Object} schemas - 验证规则对象
- * @param {Object} [schemas.headers] - 请求头验证规则
- * @param {Object} [schemas.params] - 路径参数验证规则
- * @param {Object} [schemas.query] - 查询参数验证规则
- * @param {Object} [schemas.body] - 请求体验证规则
- * @returns {Function} Express 中间件函数
- * @description
- * 验证请求的 headers、params、query 和 body
- * 使用 Zod 风格的验证规则
- * 验证失败返回 400 状态码和错误信息
- * @example
- * const schema = {
- *   body: z.object({ name: z.string() })
- * };
- * app.use(validator(schema));
- */
-export const validator = (schemas) => (req, res, next) => {
-  const sections = {
-    headers: schemas.headers,
-    params: schemas.params,
-    query: schemas.query,
-    body: schemas.body,
-  };
-
-  for (const [key, schema] of Object.entries(sections)) {
-    if (!schema) continue;
-
-    const result = schema.safeParse(req[key]);
-    if (!result.success) {
-      const firstError = result.error.errors[0];
-      return res.status(400).json({ error: firstError.message });
-    }
-    req[key] = result.data;
-  }
-  next();
-};

package/utils/error-handler.js

@@ -1,115 +0,0 @@
-/**
- * 数据库错误处理工具
- * 提供数据库错误解析和错误响应生成功能
- */
-
-export const DB_ERROR = {
-  ECONNREFUSED: 6001,
-  ER_ACCESS_DENIED_ERROR: 6002,
-  ER_ROW_IS_REFERENCED_2: 6003,
-  ER_BAD_FIELD_ERROR: 6004,
-  ER_DUP_ENTRY: 6005,
-  ER_NO_SUCH_TABLE: 6006,
-  ETIMEOUT: 6007,
-  ER_TABLE_EXISTS_ERROR: 4003,
-};
-
-export const ERROR_MESSAGES = {
-  6001: "数据库连接失败",
-  6002: "数据库访问被拒绝",
-  6003: "存在关联数据，操作失败",
-  6004: "数据库字段错误",
-  6005: "数据重复，违反唯一性约束",
-  6006: "目标表不存在",
-  6007: "数据库操作超时",
-  6008: "数据库语法错误，请检查查询语句",
-  6009: "数据库连接已关闭，请重试",
-  4003: "资源已存在",
-  5001: "系统内部错误",
-};
-
-/**
- * 解析数据库错误
- * @param {Error} error - 数据库错误对象
- * @returns {Object} 包含 code、msg 和 statusCode 的对象
- * @description
- * 根据数据库错误代码映射为业务状态码
- * 返回对应的错误消息和 HTTP 状态码
- * @example
- * const errorInfo = parseDatabaseError({ code: 'ER_DUP_ENTRY' });
- * console.log(errorInfo); // { code: 6005, msg: '数据重复...', statusCode: 500 }
- */
-export function parseDatabaseError(error) {
-  const errorCode = error?.code && DB_ERROR[error.code]
-    ? DB_ERROR[error.code]
-    : error?.message?.includes("syntax") || error?.message?.includes("SQL")
-      ? 6008
-      : error?.message?.includes("Connection closed")
-        ? 6009
-        : error?.message?.includes("permission")
-          ? 3003
-          : 5001;
-
-  return {
-    code: errorCode,
-    msg: ERROR_MESSAGES[errorCode] || error?.message || "服务器内部错误",
-    statusCode: errorCode >= 6000 ? 500 : errorCode >= 4000 ? 400 : 500,
-  };
-}
-
-/**
- * 生成 404 响应
- * @param {Object} req - Express 请求对象
- * @returns {Object} 404 响应对象
- * @description
- * 返回标准的接口不存在响应
- * 包含请求的路径和方法
- * @example
- * const response = notFoundResponse(req);
- */
-export function notFoundResponse(req) {
-  return {
-    success: false,
-    msg: "接口不存在",
-    code: 404,
-    data: { path: req.path, method: req.method },
-  };
-}
-
-/**
- * 生成错误响应
- * @param {Error} err - 错误对象
- * @param {Object} req - Express 请求对象
- * @returns {Object} 错误响应对象
- * @description
- * 根据错误类型生成相应的错误响应
- * 开发环境下包含详细的错误信息
- * @example
- * const response = errorResponse(error, req);
- */
-export function errorResponse(err, req) {
-  const errorInfo = parseDatabaseError(err);
-  
-  console.error(`[Error Handler] ${errorInfo.msg} - ${err?.message}`, {
-    code: errorInfo.code,
-    path: req?.path,
-    method: req?.method,
-    sql: err?.sql,
-    sqlMessage: err?.sqlMessage,
-    stack: err?.stack,
-  });
-  
-  return {
-    success: false,
-    msg: errorInfo.msg,
-    code: errorInfo.code,
-    data: process.env.NODE_ENV === "development"
-      ? {
-          message: err?.message,
-          sql: err?.sql,
-          sqlMessage: err?.sqlMessage,
-          stack: err?.stack,
-        }
-      : {},
-  };
-}

package/utils/error.js

@@ -1,81 +0,0 @@
-/**
- * 错误处理和日志工具
- * 提供错误码定义和错误日志记录功能
- */
-
-export const CODE = {
-  SUCCESS: { code: 200, message: "操作成功" },
-  FAIL: { code: 201, message: "操作失败" },
-  ERROR: { code: 500, message: "服务器错误" },
-  UNAUTHORIZED: { code: 401, message: "未授权" },
-  FORBIDDEN: { code: 403, message: "禁止访问" },
-  NOT_FOUND: { code: 404, message: "资源不存在" },
-  VALIDATION: { code: 400, message: "参数校验失败" },
-  CONFIG: { code: 500, message: "配置错误" },
-};
-
-/**
- * 记录错误日志
- * @private
- * @param {string} type - 错误类型
- * @param {string} message - 错误消息
- * @param {Object} [extra={}] - 额外信息
- * @description
- * 将错误信息格式化为 JSON 并输出到控制台
- * 包含时间戳、错误类型和消息
- */
-function logError(type, message, extra = {}) {
-  const timestamp = new Date().toISOString();
-  console.error(JSON.stringify({
-    timestamp,
-    type,
-    message,
-    ...extra,
-  }));
-}
-
-/**
- * 创建错误对象
- * @private
- * @param {string} message - 错误消息
- * @param {number} [statusCode=500] - HTTP 状态码
- * @param {string} [code="ERROR"] - 错误代码
- * @returns {Object} 错误对象
- */
-function createError(message, statusCode = 500, code = "ERROR") {
-  logError(code, message, { statusCode });
-  return {
-    isError: true,
-    message,
-    statusCode,
-    code,
-  };
-}
-
-/**
- * 生成配置错误
- * @param {string} message - 错误消息
- * @returns {Object} 配置错误对象
- * @description
- * 生成配置类型错误并记录日志
- * @example
- * const error = configError('数据库配置缺失');
- */
-export function configError(message) {
-  logError("CONFIG_ERROR", message);
-  return createError(message, CODE.CONFIG.code, "CONFIG_ERROR");
-}
-
-/**
- * 生成认证错误
- * @param {string} [message=CODE.UNAUTHORIZED.message] - 错误消息
- * @returns {Object} 认证错误对象
- * @description
- * 生成认证类型错误并记录日志
- * @example
- * const error = authError('Token已过期');
- */
-export function authError(message = CODE.UNAUTHORIZED.message) {
-  logError("AUTH_ERROR", message);
-  return createError(message, CODE.UNAUTHORIZED.code, "AUTH_ERROR");
-}