npm - doomiwork - Versions diffs - 3.6.0 → 3.6.2 - Mend

doomiwork 3.6.0 → 3.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/utilities/requestparser.js +40 -1
package/utilities/transferutility.js +4 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "doomiwork",
-  "version": "3.6.0",
+  "version": "3.6.2",
   "description": "doomisoft nodejs web framework",
   "main": "index.js",
   "scripts": {

package/utilities/requestparser.js CHANGED Viewed

@@ -3,7 +3,8 @@ const keyParse = require('./keywordparse');
 const dataconfig = require('../configuration/dataconfig').getCurrent();
 const mysql = require('mysql');
 const ORDER_STRING= ['asc','desc']
-const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+const Moment = require('moment');
 // const FORBID_SQL_KEYWORD_STRICT = /;|(--)|(\bOR\b)|(\bAND\b)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
 class RequestParser {
@@ -43,12 +44,22 @@ class RequestParser {
             if (noQuoteProtect){
                 matchValue = matchValue.substring(1);
             }
+            ///是否有格式要求
+            let validformat = matchValue.split('|');
+            matchValue = validformat[0];
             let keyValue = utility.ifNull(keyParse.parseKeyValue(req, matchValue),'');
             if(!keyValue) {
                 parseKeyWordIsNull = true;
             }else if (typeof(keyValue)==='string'){
                 keyValue = noQuoteProtect ? this.checkSqlInjection(mysql.escape(keyValue)):mysql.escape(keyValue)
                 keyValue = keyValue.substr(1, keyValue.length - 2);
+                ///验证参数的格式合法性
+                if (keyValue && validformat.length>1){
+                    keyValue = this.validatorParamsType(keyValue, validformat[1], validformat[2])
+                }
+                if (!keyValue){
+                    parseKeyWordIsNull = true;
+                }
                 ///没有引号保护下发现了sql注入，则用1=0不返回任何结果
                 if (!keyValue && noQuoteProtect) {
                     keyValue = '1=0'
@@ -66,6 +77,34 @@ class RequestParser {
             return originSql.replace('#APPENDSEARCH#',searchCondition);
         return originSql + ' '+ searchCondition;
     }
+    /**
+     * 校验参数的类型
+     * @param {*} value
+     * @param {*} dataType
+     * @param {*} defaultValue
+     * @returns
+     */
+    static validatorParamsType(value,dataType,defaultValue=null){
+        if (!value || !dataType) return value;
+        switch (dataType.toLowerCase()){
+            case 'guid':       ///限制长度为36位的GUID
+                if (value.length != 36 || value.split('-').length != 5) return defaultValue;
+                break;
+            case 'number':   ///限制为数字
+                if (isNaN(value)) return defaultValue;
+                break;
+            case 'date':       ///限制为日期，格式输出为YYYY-MM-DD
+                let date = Date.parse(value);
+                if (isNaN(date)) return defaultValue;
+                return Moment(date).format('YYYY-MM-DD');
+            case 'datetime':   ///限制为包含时间的日期
+                let datetime = Date.parse(value);
+                if (isNaN(datetime)) return defaultValue;
+                return datetime;
+        }
+        return value;
+    }
     /**
      * 检查是否有Sql注入的风险
      * @param {*} sql

package/utilities/transferutility.js CHANGED Viewed

@@ -6,8 +6,10 @@ class ViewHelper {
     * 将结果集转换为视图需要的结果
     */
     static transferName2Mapping(originalResult, fieldConfig) {
-        if (originalResult == null) success({ successed: true, data: null });
-        if (!fieldConfig || fieldConfig.length == 0) return { successed: true, data: originalResult };//return success({successed:true,data:originalResult});
+        if (originalResult == null) {
+            return { successed: true, data: null };
+        }
+        if (!fieldConfig || fieldConfig.length == 0)  return { successed: true, data: originalResult };//return success({successed:true,data:originalResult});
         var retResult = [];
         originalResult.forEach(function (row) {
             var item = {};