chanjs 2.5.1 → 2.5.2

package/checker.js

@@ -0,0 +1,68 @@
+import { keywordRegexCache } from "./keywords.js";
+
+/**
+ * 安全检查工具
+ * 提供关键词检测和路径忽略检查功能
+ */
+
+/**
+ * 检查文本中是否包含恶意关键词
+ * @param {string} fullText - 要检查的完整文本
+ * @returns {Object|null} 检测结果，包含 category 和 keyword，未检测到返回 null
+ * @description
+ * 按优先级检查 SQL注入、XSS、命令注入等恶意关键词
+ * 优先检查 sqlInjection、xss、commandInjection 类别
+ * @example
+ * const result = checkKeywords('SELECT * FROM users WHERE 1=1');
+ * console.log(result); // { category: 'sqlInjection', keyword: 'union select' }
+ */
+export function checkKeywords(fullText) {
+  if (!fullText?.trim()) return null;
+
+  const priorityCategories = ['sqlInjection', 'xss', 'commandInjection'];
+  const otherCategories = Object.keys(keywordRegexCache).filter(c => !priorityCategories.includes(c));
+
+  for (const category of priorityCategories) {
+    const patterns = keywordRegexCache[category];
+    if (!patterns) continue;
+    for (const { keyword, regex } of patterns) {
+      if (regex.test(fullText)) {
+        return { category, keyword };
+      }
+    }
+  }
+
+  for (const category of otherCategories) {
+    const patterns = keywordRegexCache[category];
+    if (!patterns) continue;
+    for (const { keyword, regex } of patterns) {
+      if (regex.test(fullText)) {
+        return { category, keyword };
+      }
+    }
+  }
+
+  return null;
+}
+
+/**
+ * 检查路径是否在忽略列表中
+ * @param {string} path - 要检查的路径
+ * @param {Array<string>} ignorePaths - 忽略路径数组
+ * @returns {boolean} 是否应该忽略该路径
+ * @description
+ * 检查给定路径是否匹配忽略列表中的任意路径
+ * 支持精确匹配和前缀匹配
+ * @example
+ * isIgnored('/api/health', ['/api/health', '/metrics']); // true
+ * isIgnored('/api/users', ['/api/health']); // false
+ */
+export function isIgnored(path, ignorePaths) {
+  if (!path || !ignorePaths?.length) return false;
+
+  const normalizedPath = path.trim().toLowerCase().replace(/\/$/, '');
+  return ignorePaths.some(p => {
+    const normalizedP = p.trim().toLowerCase().replace(/\/$/, '');
+    return normalizedPath === normalizedP || normalizedPath.startsWith(`${normalizedP}/`);
+  });
+}

package/helper/ip.js

@@ -31,7 +31,11 @@
  */
 export function getIp(req) {
   if (req.ip) {
-    const ip = req.ip;
+    let ip = req.ip;
+    
+    if (ip.startsWith('::ffff:')) {
+      ip = ip.substring(7);
+    }
     
     const isLocalAddress = ip === '::1' || 
                            ip === '127.0.0.1' || 

package/keywords.js

@@ -0,0 +1,132 @@
+/**
+ * 安全关键词规则定义
+ * 定义各类恶意攻击的关键词检测规则
+ */
+
+export const KEYWORD_RULES = {
+  /**
+   * 整词匹配规则（需完整匹配）
+   */
+  wholeWord: [
+    "netcat", "nc", "php-cgi", "process", "require",
+    "child_process", "execSync", "mainModule"
+  ],
+  /**
+   * 敏感文件扩展名
+   */
+  extensions: [
+    ".php", ".asp", ".aspx", ".jsp", ".jspx", ".do", ".action", ".cgi",
+    ".py", ".pl", ".cfm", ".jhtml", ".shtml",".sql"
+  ],
+  /**
+   * 敏感目录名称
+   */
+  directories: [
+    "/administrator", "/wp-admin", "phpMyAdmin", "cgi-bin",
+    "setup", "staging", "internal", "debug", "metadata", "secret"
+  ],
+  /**
+   * SQL 注入关键词
+   */
+  sqlInjection: [
+    "sleep(", "benchmark(", "concat(", "extractvalue(", "updatexml(", "version(",
+    "union select", "union all", "select @@", "drop ", "alter ", "truncate ",
+    "(select", "information_schema", "load_file(", "into outfile", "into dumpfile"
+  ],
+  /**
+   * 命令注入关键词
+   */
+  commandInjection: [
+    "cmd=", "system(", "exec(", "shell_exec(", "passthru(",
+    "eval(", "assert(", "preg_replace", "bash -i", "rm -rf",
+    "wget ", "curl ", "chmod ", "base64_decode", "phpinfo()",
+    "kill ", "killall", "shutdown", "reboot", "halt", "fdisk",
+    "mkfs", "dd ", "ssh ", "scp ", "rsync", "nc ",
+    "netcat", "nmap", "iptables", "systemctl", "service",
+    "init", "crontab", "at ", "su ", "sudo", "useradd",
+    "userdel", "usermod", "groupadd", "groupdel", "passwd",
+    "chpasswd", "mount ", "umount", "ln -s"
+  ],
+  /**
+   * 路径遍历关键词
+   */
+  pathTraversal: [
+    "../", "..\\", "/etc/passwd", "/etc/shadow", "/etc/hosts",
+    "/etc/", "/var/www/", "/app/", "/root/", "__dirname", "__filename"
+  ],
+  /**
+   * XSS 攻击关键词
+   */
+  xss: [
+    "<script", "javascript:", "onerror=", "onload=", "onclick=",
+    "alert(", "document.cookie", "document.write"
+  ],
+  /**
+   * 编码绕过关键词
+   */
+  encoding: [
+    "0x7e", "UNION%20SELECT", "%27OR%27", "{{", "}}", "${", "1+1"
+  ],
+  /**
+   * 敏感标识符
+   */
+  sensitiveIdentifiers: [
+    "wp-", "smtp", "redirect", "configs", ".well-known/",
+    "fs.readFile", "fs.existsSync", "process.env", "process.argv"
+  ],
+};
+
+/**
+ * 关键词正则表达式缓存
+ * 将关键词规则编译为正则表达式以提高检测性能
+ */
+export let keywordRegexCache = (() => {
+  const regexSpecialChars = /[.*+?^${}()|[\]\\]/g;
+  const cache = {};
+
+  for (const [category, keywords] of Object.entries(KEYWORD_RULES)) {
+    if (!Array.isArray(keywords)) continue;
+
+    cache[category] = keywords.map((keyword) => {
+      const escaped = keyword.replace(regexSpecialChars, "\\$&").replace(/ /g, "\\s");
+      return {
+        keyword,
+        regex: new RegExp(
+          category === 'wholeWord' ? `\\b${escaped}\\b` : escaped,
+          "i"
+        ),
+      };
+    });
+  }
+
+  return cache;
+})();
+
+/**
+ * 更新关键词缓存
+ * @param {Object} newRules - 新的关键词规则
+ * @description
+ * 允许动态添加或更新关键词检测规则
+ * @example
+ * updateKeywordCache({
+ *   customKeywords: ['malicious', 'attack']
+ * });
+ */
+export function updateKeywordCache(newRules = {}) {
+  const regexSpecialChars = /[.*+?^${}()|[\]\\]/g;
+
+  for (const [category, keywords] of Object.entries(newRules)) {
+    if (!Array.isArray(keywords)) continue;
+
+    keywordRegexCache[category] = keywords.map((keyword) => {
+      const escaped = keyword.replace(regexSpecialChars, "\\$&").replace(/ /g, "\\s");
+      return {
+        keyword,
+        regex: new RegExp(
+          category === 'wholeWord' ? `\\b${escaped}\\b` : escaped,
+          "i"
+        ),
+      };
+    });
+  }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "chanjs",
-  "version": "2.5.1",
+  "version": "2.5.2",
   "description": "chanjs基于express5 纯js研发的轻量级mvc框架。",
   "main": "index.js",
   "module": "index.js",

package/rate-limit.js

@@ -0,0 +1,116 @@
+import { isIgnored } from "./checker.js";
+import { getIp } from "../helper/ip.js";
+
+/**
+ * 访问频率限制工具
+ * 提供基于 IP 和 Cookie 的访问限流功能
+ */
+
+const COOKIE_NAME = `${process.env.APP_NAME || 'app'}_ratelimit`;
+
+/**
+ * 解析时间窗口参数
+ * @private
+ * @param {number|string} time - 时间值
+ * @returns {number} 毫秒数
+ * @description
+ * 支持以下格式：
+ * - 数字：直接作为毫秒数
+ * - 数字+s：秒
+ * - 数字+m：分钟
+ * - 数字+h：小时
+ * - 数字+d：天
+ */
+function parseWindowMs(time) {
+  if (typeof time === 'number') return time;
+  if (typeof time !== 'string') return 60 * 60 * 1000;
+
+  const match = time.match(/^(\d+)([smhd])$/);
+  if (!match) return 60 * 60 * 1000;
+
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+
+  const multipliers = {
+    's': 1000,
+    'm': 60 * 1000,
+    'h': 60 * 60 * 1000,
+    'd': 24 * 60 * 60 * 1000,
+  };
+
+  return value * (multipliers[unit] || 1000);
+}
+
+/**
+ * 创建限流中间件
+ * @param {Object} rateLimitConfig - 限流配置
+ * @param {number|string} rateLimitConfig.windowMs - 时间窗口
+ * @param {number} rateLimitConfig.max - 最大请求次数
+ * @param {Array<string>} [rateLimitConfig.ignorePaths] - 忽略的路径数组
+ * @returns {Function} Express 中间件函数
+ * @description
+ * 基于客户端 IP 实现滑动窗口限流算法
+ * 使用 Cookie 存储限流状态，避免内存泄漏
+ * @example
+ * const rateLimiter = createRateLimitMiddleware({
+ *   windowMs: '1m',
+ *   max: 60,
+ *   ignorePaths: ['/health']
+ * });
+ */
+export function createRateLimitMiddleware(rateLimitConfig) {
+  const config = {
+    ...rateLimitConfig,
+    windowMs: parseWindowMs(rateLimitConfig?.windowMs),
+  };
+
+  return (req, res, next) => {
+    try {
+      if (isIgnored(req.path, config.ignorePaths)) {
+        return next();
+      }
+
+      const now = Date.now();
+      const ip = getIp(req);
+      const cookieValue = req.cookies && req.cookies[COOKIE_NAME];
+      let currentData = null;
+
+      if (cookieValue) {
+        try {
+          currentData = JSON.parse(cookieValue);
+          if (currentData && currentData.ip !== ip) {
+            currentData = null;
+          }
+        } catch (e) {
+          currentData = null;
+        }
+      }
+
+      let newData;
+      if (!currentData || now > currentData.resetTime) {
+        newData = { count: 1, resetTime: now + config.windowMs, ip };
+      } else if (currentData.count >= config.max) {
+        console.error(`[WAF 限流拦截] 路径:${req.path} 计数:${currentData.count}/${config.max} IP:${ip}`);
+        return res.status(429).json({
+          code: 429,
+          success: false,
+          msg: '请求过于频繁，请稍后重试',
+          retryAfter: Math.ceil((currentData.resetTime - now) / 1000),
+        });
+      } else {
+        newData = { count: currentData.count + 1, resetTime: currentData.resetTime, ip };
+      }
+
+      res.cookie(COOKIE_NAME, JSON.stringify(newData), {
+        httpOnly: true,
+        maxAge: config.windowMs,
+        sameSite: 'strict',
+      });
+
+      next();
+    } catch (error) {
+      console.error(`[WAF 限流异常] 路径:${req.path} 错误:${error.message}`);
+      next();
+    }
+  };
+}

package/response.js

@@ -0,0 +1,180 @@
+import { CODE, DB_ERROR } from "../config/code.js";
+
+/**
+ * 响应工具函数
+ * 提供统一的响应格式和错误处理
+ */
+
+const ERROR_MESSAGES = {
+  6001: "数据库连接失败",
+  6002: "数据库访问被拒绝",
+  6003: "存在关联数据，操作失败",
+  6004: "数据库字段错误",
+  6005: "数据重复，违反唯一性约束",
+  6006: "目标表不存在",
+  6007: "数据库操作超时",
+  6008: "数据库语法错误，请检查查询语句",
+  6009: "数据库连接已关闭，请重试",
+  4003: "资源已存在",
+  5001: "系统内部错误",
+};
+
+/**
+ * 获取默认错误代码
+ * @private
+ * @param {Error} error - 错误对象
+ * @returns {number} 错误代码
+ */
+const getDefaultErrorCode = (error) => {
+  if (!error?.message) return 5001;
+  if (error.message.includes("syntax") || error.message.includes("SQL")) {
+    return 6008;
+  } else if (error.message.includes("Connection closed")) {
+    return 6009;
+  } else if (error.message.includes("permission")) {
+    return 3003;
+  }
+  return 5001;
+};
+
+/**
+ * 解析数据库错误
+ * @param {Error} error - 数据库错误对象
+ * @returns {Object} 包含 code、msg 和 statusCode 的对象
+ * @description
+ * 根据数据库错误代码映射为业务状态码
+ * 返回对应的错误消息和 HTTP 状态码
+ */
+export function parseDatabaseError(error) {
+  const errorCode = error?.code && DB_ERROR[error.code]
+    ? DB_ERROR[error.code]
+    : error?.message?.includes("syntax") || error?.message?.includes("SQL")
+      ? 6008
+      : error?.message?.includes("Connection closed")
+        ? 6009
+        : error?.message?.includes("permission")
+          ? 3003
+          : 5001;
+
+  return {
+    code: errorCode,
+    msg: ERROR_MESSAGES[errorCode] || error?.message || "服务器内部错误",
+    statusCode: errorCode >= 6000 ? 500 : errorCode >= 4000 ? 400 : 500,
+  };
+}
+
+/**
+ * 生成错误响应
+ * @param {Object} options - 响应选项
+ * @param {Error} options.err - 错误对象
+ * @param {Object} [options.data={}] - 响应数据
+ * @param {number} [options.code=500] - 错误代码
+ * @returns {Object} 错误响应对象
+ * @description
+ * 根据错误类型生成标准错误响应
+ * 开发环境下包含数据库错误详情
+ */
+export const error = ({ err, data = {}, code = 500 } = {}) => {
+  if (err) {
+    console.error("[DB Error]", err?.message || err);
+    const errorCode = err?.code && DB_ERROR[err.code] ? DB_ERROR[err.code] : getDefaultErrorCode(err);
+    const msg = CODE[errorCode] || "操作失败";
+
+    return {
+      success: false,
+      msg,
+      code: errorCode,
+      data: process.env.NODE_ENV === 'development' ? {
+        sql: err?.sql,
+        sqlMessage: err?.sqlMessage,
+        message: err?.message,
+      } : {},
+    };
+  }
+  
+  const msg = CODE[code] || "操作失败";
+  return {
+    success: false,
+    msg,
+    code,
+    data,
+  };
+};
+
+/**
+ * 生成失败响应
+ * @param {Object} options - 响应选项
+ * @param {string} [options.msg="操作失败"] - 错误消息
+ * @param {Object} [options.data={}] - 响应数据
+ * @param {number} [options.code=201] - 错误代码
+ * @returns {Object} 失败响应对象
+ */
+export const fail = ({ msg = "操作失败", data = {}, code = 201 } = {}) => {
+  return {
+    success: false,
+    msg,
+    code,
+    data,
+  };
+};
+
+/**
+ * 生成成功响应
+ * @param {Object} options - 响应选项
+ * @param {Object} [options.data={}] - 响应数据
+ * @param {string} [options.msg="操作成功"] - 成功消息
+ * @returns {Object} 成功响应对象
+ */
+export const success = ({ data = {}, msg = "操作成功" } = {}) => ({
+  success: true,
+  msg,
+  code: 200,
+  data,
+});
+
+/**
+ * 生成 404 响应
+ * @param {Object} req - Express 请求对象
+ * @returns {Object} 404 响应对象
+ */
+export function notFoundResponse(req) {
+  return {
+    success: false,
+    msg: "接口不存在",
+    code: 404,
+    data: { path: req.path, method: req.method },
+  };
+}
+
+/**
+ * 生成错误响应（Express 错误处理中间件用）
+ * @param {Error} err - 错误对象
+ * @param {Object} req - Express 请求对象
+ * @returns {Object} 错误响应对象
+ */
+export function errorResponse(err, req) {
+  const errorInfo = parseDatabaseError(err);
+  
+  console.error(`[Error Handler] ${errorInfo.msg} - ${err?.message}`, {
+    code: errorInfo.code,
+    path: req?.path,
+    method: req?.method,
+    sql: err?.sql,
+    sqlMessage: err?.sqlMessage,
+    stack: err?.stack,
+  });
+  
+  return {
+    success: false,
+    msg: errorInfo.msg,
+    code: errorInfo.code,
+    data: process.env.NODE_ENV === "development"
+      ? {
+          message: err?.message,
+          sql: err?.sql,
+          sqlMessage: err?.sqlMessage,
+          stack: err?.stack,
+        }
+      : {},
+  };
+}

package/xss-filter.js

@@ -0,0 +1,42 @@
+import xss from 'xss';
+
+/**
+ * XSS 过滤工具
+ * 提供跨站脚本攻击过滤功能
+ */
+
+/**
+ * 过滤 XSS 攻击代码
+ * @param {*} data - 要过滤的数据，可以是字符串、数组或对象
+ * @returns {*} 过滤后的数据
+ * @description
+ * 递归过滤数据中的所有字符串值
+ * 使用 xss 库清除危险的 HTML 和 JavaScript 代码
+ * 支持字符串、数组和对象的递归处理
+ * @example
+ * const clean = filterXSS({
+ *   name: '<script>alert(1)</script>',
+ *   items: ['<img src=x onerror=alert(1)>']
+ * });
+ */
+export function filterXSS(data) {
+  if (typeof data === 'string') {
+    return xss(data);
+  }
+
+  if (Array.isArray(data)) {
+    return data.map(item => filterXSS(item));
+  }
+
+  if (data && typeof data === 'object') {
+    const result = {};
+    for (const key in data) {
+      if (Object.prototype.hasOwnProperty.call(data, key)) {
+        result[key] = filterXSS(data[key]);
+      }
+    }
+    return result;
+  }
+
+  return data;
+}