doomiwork 3.6.1 → 3.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/utilities/requestparser.js +40 -1
package/package.json
CHANGED
|
@@ -3,7 +3,8 @@ const keyParse = require('./keywordparse');
|
|
|
3
3
|
const dataconfig = require('../configuration/dataconfig').getCurrent();
|
|
4
4
|
const mysql = require('mysql');
|
|
5
5
|
const ORDER_STRING= ['asc','desc']
|
|
6
|
-
const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
|
|
6
|
+
const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
|
|
7
|
+
const Moment = require('moment');
|
|
7
8
|
// const FORBID_SQL_KEYWORD_STRICT = /;|(--)|(\bOR\b)|(\bAND\b)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
|
|
8
9
|
|
|
9
10
|
class RequestParser {
|
|
@@ -43,12 +44,22 @@ class RequestParser {
|
|
|
43
44
|
if (noQuoteProtect){
|
|
44
45
|
matchValue = matchValue.substring(1);
|
|
45
46
|
}
|
|
47
|
+
///是否有格式要求
|
|
48
|
+
let validformat = matchValue.split('|');
|
|
49
|
+
matchValue = validformat[0];
|
|
46
50
|
let keyValue = utility.ifNull(keyParse.parseKeyValue(req, matchValue),'');
|
|
47
51
|
if(!keyValue) {
|
|
48
52
|
parseKeyWordIsNull = true;
|
|
49
53
|
}else if (typeof(keyValue)==='string'){
|
|
50
54
|
keyValue = noQuoteProtect ? this.checkSqlInjection(mysql.escape(keyValue)):mysql.escape(keyValue)
|
|
51
55
|
keyValue = keyValue.substr(1, keyValue.length - 2);
|
|
56
|
+
///验证参数的格式合法性
|
|
57
|
+
if (keyValue && validformat.length>1){
|
|
58
|
+
keyValue = this.validatorParamsType(keyValue, validformat[1], validformat[2])
|
|
59
|
+
}
|
|
60
|
+
if (!keyValue){
|
|
61
|
+
parseKeyWordIsNull = true;
|
|
62
|
+
}
|
|
52
63
|
///没有引号保护下发现了sql注入,则用1=0不返回任何结果
|
|
53
64
|
if (!keyValue && noQuoteProtect) {
|
|
54
65
|
keyValue = '1=0'
|
|
@@ -66,6 +77,34 @@ class RequestParser {
|
|
|
66
77
|
return originSql.replace('#APPENDSEARCH#',searchCondition);
|
|
67
78
|
return originSql + ' '+ searchCondition;
|
|
68
79
|
}
|
|
80
|
+
/**
|
|
81
|
+
* 校验参数的类型
|
|
82
|
+
* @param {*} value
|
|
83
|
+
* @param {*} dataType
|
|
84
|
+
* @param {*} defaultValue
|
|
85
|
+
* @returns
|
|
86
|
+
*/
|
|
87
|
+
static validatorParamsType(value,dataType,defaultValue=null){
|
|
88
|
+
if (!value || !dataType) return value;
|
|
89
|
+
switch (dataType.toLowerCase()){
|
|
90
|
+
case 'guid': ///限制长度为36位的GUID
|
|
91
|
+
if (value.length != 36 || value.split('-').length != 5) return defaultValue;
|
|
92
|
+
break;
|
|
93
|
+
case 'number': ///限制为数字
|
|
94
|
+
if (isNaN(value)) return defaultValue;
|
|
95
|
+
break;
|
|
96
|
+
case 'date': ///限制为日期,格式输出为YYYY-MM-DD
|
|
97
|
+
let date = Date.parse(value);
|
|
98
|
+
if (isNaN(date)) return defaultValue;
|
|
99
|
+
return Moment(date).format('YYYY-MM-DD');
|
|
100
|
+
case 'datetime': ///限制为包含时间的日期
|
|
101
|
+
let datetime = Date.parse(value);
|
|
102
|
+
if (isNaN(datetime)) return defaultValue;
|
|
103
|
+
return datetime;
|
|
104
|
+
}
|
|
105
|
+
return value;
|
|
106
|
+
|
|
107
|
+
}
|
|
69
108
|
/**
|
|
70
109
|
* 检查是否有Sql注入的风险
|
|
71
110
|
* @param {*} sql
|