npm - doomiwork - Versions diffs - 3.5.5 → 3.6.0 - Mend

doomiwork 3.5.5 → 3.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/utilities/requestparser.js +54 -15
package/utilities/transferutility.js +1 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "doomiwork",
-  "version": "3.5.5",
+  "version": "3.6.0",
   "description": "doomisoft nodejs web framework",
   "main": "index.js",
   "scripts": {

package/utilities/requestparser.js CHANGED Viewed

@@ -2,6 +2,10 @@
 const keyParse = require('./keywordparse');
 const dataconfig = require('../configuration/dataconfig').getCurrent();
 const mysql = require('mysql');
+const ORDER_STRING= ['asc','desc']
+const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+// const FORBID_SQL_KEYWORD_STRICT = /;|(--)|(\bOR\b)|(\bAND\b)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
 class RequestParser {
     /*
     * 根据对应列表的配置(dataConfig.list.search),从请求上下文中获取用户进行搜索的参数信息
@@ -11,11 +15,11 @@ class RequestParser {
         if (!paraCopy.request || !paraCopy.refer) return '';
         if (!paraCopy.valueFrom) paraCopy.valueFrom = "all";
         const request = paraCopy.request;
-        let retSearch = "";
-        paraCopy.refer.forEach(element=> {
-            retSearch = retSearch+this.parseAndReplaceSql(request, element.pattern,false);
+        let retSearch = [];
+        paraCopy.refer.forEach(element => {
+            retSearch.push(this.parseAndReplaceSql(request, element.pattern, false));
         });
-        return retSearch;
+        return retSearch.join('');
     }
     /*
     解析sql字符串中特殊的占位符
@@ -25,18 +29,31 @@ class RequestParser {
         ///定义正则准备查找sql中的特定关键字
         const matched=sql.match(/@.*?@/g);
         if (!matched || matched.length<=0) return sql;
-        var parseKeyWordIsNull = false;
+        let parseKeyWordIsNull = false;
+        const charReg = /\s+|:|=/gi
         matched.forEach(ele=>{
             let matchValue = ele.substring(1,ele.length-1);
-            if (matchValue.indexOf(' ')>=0 || matchValue.indexOf(':')>=0 || matchValue.indexOf('=')>=0) return;
-            let keyValue =utility.ifNull(keyParse.parseKeyValue(req,ele.substring(1,ele.length-1)),'');
-            if(keyValue=='') {
+            ///不允许特殊字符出现
+            let notdo =  matchValue.match(charReg);
+            if (notdo && notdo.length>0)return;
+            //if (matchValue.indexOf(' ')>=0 || matchValue.indexOf(':')>=0 || matchValue.indexOf('=')>=0) return;
+            let noQuoteProtect = matchValue[0] == '!';
+            if (noQuoteProtect){
+                matchValue = matchValue.substring(1);
+            }
+            let keyValue = utility.ifNull(keyParse.parseKeyValue(req, matchValue),'');
+            if(!keyValue) {
                 parseKeyWordIsNull = true;
             }else if (typeof(keyValue)==='string'){
-                keyValue = mysql.escape(keyValue)
-                keyValue = keyValue.substr(1, keyValue.length - 2)
+                keyValue = noQuoteProtect ? this.checkSqlInjection(mysql.escape(keyValue)):mysql.escape(keyValue)
+                keyValue = keyValue.substr(1, keyValue.length - 2);
+                ///没有引号保护下发现了sql注入，则用1=0不返回任何结果
+                if (!keyValue && noQuoteProtect) {
+                    keyValue = '1=0'
+                }
             }
             sql=sql.replace(ele,keyValue);
         });
         if (!allowNull && parseKeyWordIsNull) return '';
@@ -49,7 +66,16 @@ class RequestParser {
             return originSql.replace('#APPENDSEARCH#',searchCondition);
         return originSql + ' '+ searchCondition;
     }
+    /**
+     * 检查是否有Sql注入的风险
+     * @param {*} sql
+     */
+    static checkSqlInjection(sql){
+        if(!sql) return sql;
+        let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
+        if (sqlError && sqlError.length>0) return '';
+        return sql;
+    }
     /*
     * 列表请求上下文中获取需要的信息
     * 如Page ,PageSize , Sort 等等
@@ -61,6 +87,11 @@ class RequestParser {
         req.page = req.query.page || req.body.page|| 1;
         req.pageSize = req.query.rows || req.body.rows || 100;
         req.sort = req.query.sort || req.body.sort;
+        ///防止sortSql 注入
+        ///防止sortSql 注入
+        if (req.sort) {
+            req.sort = this.checkSqlInjection(req.sort);
+        }
         //防止注入式Sql
         if (isNaN(req.pageSize)){
             req.pageSize = 30;
@@ -71,7 +102,13 @@ class RequestParser {
         }
         ///最大允许获取100条数据
         req.pageSize = Math.min(req.pageSize,100);
-        req.order =req.sort? utility.ifNull((req.body.order == null ? req.query.order : req.body.order), ""):'';
+        let order = (req.body.order || req.query.order || '').trim().toLowerCase();
+        if (order && req.sort){
+            if (ORDER_STRING.indexOf(order)>=0) {
+                req.sort = req.sort + ' ' + order
+            }
+        }
+        //req.order =req.sort? utility.ifNull((req.body.order || req.query.order), ""):'';
         if (dataKey) {
             req.dataConfig = dataconfig.getConfig(dataKey,cfgType);
             if (req.dataConfig && req.dataConfig.list) {
@@ -83,7 +120,8 @@ class RequestParser {
                 /**排序方式 */
                 req.sort = req.sort || req.dataConfig.list.sort;
                 /**来自req请求参数中的过滤条件 */
-                let clientFilter = this.parseAndReplaceSql(req,req.query.clientFilter);
+                let clientFilter = this.checkSqlInjection(this.parseAndReplaceSql(req,req.query.clientFilter),false);
                 let listsql='';
                 ///是否有列表尾部的统计SQL
                 let countsql = '';
@@ -106,7 +144,8 @@ class RequestParser {
                 /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
                 req.listSql =      this.parseAndReplaceSql(req,listsql) +
                                      ' ' + req.searchCondition + clientFilter +
-                                    (utility.isNullOrEmpty(req.sort) ? '' : (' order by ' + (req.sort+' '+req.order))) +
+                                    //(utility.isNullOrEmpty(req.sort) ? '' : (' order by ' + (req.sort+' '+req.order))) +
+                                    (req.sort ? (' order by ' + req.sort ):'') +
                                     (export2Excel?'':' limit ' + req.pageSize + ' OFFSET ' + (req.page - 1) * req.pageSize) +
                                      /////在Sql中再放入获取总记录数的语句
                                     ';SELECT FOUND_ROWS() AS total;';

package/utilities/transferutility.js CHANGED Viewed

@@ -75,7 +75,7 @@ class ViewHelper {
                     continue;
                 }
                 //验证值的类型是否正确，主要验证是否数字
-                if(element.type){
+                if (element.type && postValue){
                     switch (element.type.toLowerCase()){
                         case 'number':  ///验证是否是数字
                             if (isNaN(postValue)) return { successed: false, errcode: 4, errmsg: '字段类型错误(Number)', name: element.mapping }