npm - doomiwork - Versions diffs - 3.7.0 → 3.7.2 - Mend

doomiwork 3.7.0 → 3.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/core/controller.js +6 -0
package/core/database/daoBase.js +3 -2
package/core/database/mysqlbase.js +1 -1
package/package.json +1 -1
package/utilities/requestparser.js +66 -61

package/core/controller.js CHANGED Viewed

@@ -78,6 +78,12 @@ class controller {
                result = await instance[actionType.func](req, datakey);
             ////执行完CRUD方法之后的处理
             result = await instance.afterCRUD(result,actionType,datakey,url,req,res)
+            //CJJ add
+            if (req.query.exportexcel === 'true' && result.buffer && result.successed) {
+                res.attachment('export.xlsx');
+                return res.end(result.buffer);
+            }
             return res.json(result)
         })
     }

package/core/database/daoBase.js CHANGED Viewed

@@ -128,8 +128,8 @@ class mysqlDao extends dao{
     async update(Sql, model, id) {return this.executeSql(Sql, [model, id]);}
     ///删除记录
     async delete(Sql, id,userid) {
-        let result = await this.executeSql(Sql, id);
-        if (result.successed && this.tableoption.logicDelete && userid && (this.tableoption.logDeleteBy || this.tableoption.logDeleteDate)){
+        return this.executeSql(Sql, id);
+        /*if (result.successed && this.tableoption.logicDelete && userid && (this.tableoption.logDeleteBy || this.tableoption.logDeleteDate)){
             let sqlLog = `update ${this.tableoption.tableName} set ? where ${this.tableoption.primaryKey}=? ${this.tableoption.forcefilter}`;
             let model = {};
             if (this.tableoption.logDeleteBy){
@@ -141,6 +141,7 @@ class mysqlDao extends dao{
             if (Object.keys(model).length>0) this.executeSql(sqlLog, [model, id]);
         }
         return result;
+        */
     }
     /**
      * 获取对应数据的权限设置

package/core/database/mysqlbase.js CHANGED Viewed

@@ -117,7 +117,7 @@ class Database {
                 if (err) {
                     this.logger.error("Database Query Error :" + err, sqlCommand);
                     this.logError(null, '数据库操作错误:' + err + sqlCommand)
-                    return success(Object.assign(apiResult.DB_EXECUTE_FAILED, { errmessage: err.message }));
+                    return success(Object.assign(apiResult.DB_EXECUTE_FAILED, { errmessage:'数据库操作错误'}));// err.message }));
                 }
                 return success({ successed: true, rows: rows });//,fields:fields});
             });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "doomiwork",
-  "version": "3.7.0",
+  "version": "3.7.2",
   "description": "doomisoft nodejs web framework",
   "main": "index.js",
   "scripts": {

package/utilities/requestparser.js CHANGED Viewed

@@ -2,8 +2,8 @@
 const keyParse = require('./keywordparse');
 const dataconfig = require('../configuration/dataconfig').getCurrent();
 const mysql = require('mysql');
-const ORDER_STRING= ['asc','desc']
-const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+const ORDER_STRING = ['asc', 'desc']
+const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
 const Moment = require('moment');
 // const FORBID_SQL_KEYWORD_STRICT = /;|(--)|(\bOR\b)|(\bAND\b)|(\bWHERE\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
@@ -25,57 +25,62 @@ class RequestParser {
     /*
     解析sql字符串中特殊的占位符
     */
-    static parseAndReplaceSql(req,sql,allowNull=true){
+    static parseAndReplaceSql(req, sql, allowNull = true) {
         if (!sql) return '';
         ///定义正则准备查找sql中的特定关键字
-        const matched=sql.match(/@.*?@/g);
-        if (!matched || matched.length<=0) return sql;
+        const matched = sql.match(/@.*?@/g);
+        if (!matched || matched.length <= 0) return sql;
         let parseKeyWordIsNull = false;
         const charReg = /\s+|:|=/gi
-        matched.forEach(ele=>{
-            let matchValue = ele.substring(1,ele.length-1);
+        matched.forEach(ele => {
+            let matchValue = ele.substring(1, ele.length - 1);
             ///不允许特殊字符出现
-            let notdo =  matchValue.match(charReg);
-            if (notdo && notdo.length>0)return;
+            let notdo = matchValue.match(charReg);
+            if (notdo && notdo.length > 0) return;
             //if (matchValue.indexOf(' ')>=0 || matchValue.indexOf(':')>=0 || matchValue.indexOf('=')>=0) return;
             let noQuoteProtect = matchValue[0] == '!';
-            if (noQuoteProtect){
+            if (noQuoteProtect) {
                 matchValue = matchValue.substring(1);
             }
             ///是否有格式要求
             let validformat = matchValue.split('|');
             matchValue = validformat[0];
-            let keyValue = utility.ifNull(keyParse.parseKeyValue(req, matchValue),'');
-            if(!keyValue) {
+            let keyValue = utility.ifNull(keyParse.parseKeyValue(req, matchValue), '');
+            if (!keyValue) {
                 parseKeyWordIsNull = true;
-            }else if (typeof(keyValue)==='string'){
-                keyValue = noQuoteProtect ? this.checkSqlInjection(mysql.escape(keyValue)):mysql.escape(keyValue)
+            } else if (typeof (keyValue) === 'string') {
+                keyValue = noQuoteProtect ? this.checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
                 keyValue = keyValue.substr(1, keyValue.length - 2);
                 ///验证参数的格式合法性
-                if (keyValue && validformat.length>1){
+                if (keyValue && validformat.length > 1) {
+                    // console.log(`参数格式合法检查==>${validformat[1]}:${matchValue} = ${keyValue}`)
                     keyValue = this.validatorParamsType(keyValue, validformat[1], validformat[2])
                 }
-                if (!keyValue){
+                if (!keyValue) {
                     parseKeyWordIsNull = true;
                 }
                 ///没有引号保护下发现了sql注入，则用1=0不返回任何结果
                 if (!keyValue && noQuoteProtect) {
                     keyValue = '1=0'
                 }
+            } else {  ////数组形式的参数，目前框架不支持，统一认为为sql注入攻击,全部忽略
+                console.log(`参数非法==>类型${typeof (keyValue)}:${matchValue} = ${keyValue}`)
+                parseKeyWordIsNull = true;
+                keyValue = ''
             }
-            sql=sql.replace(ele,keyValue);
+            sql = sql.replace(ele, keyValue);
         });
         if (!allowNull && parseKeyWordIsNull) return '';
         return sql;
     }
-    static appendSearchCondition2Count(originSql,searchCondition){
+    static appendSearchCondition2Count(originSql, searchCondition) {
         ///如果包含了这个特定的字符，则替换
-        if (originSql.indexOf('#APPENDSEARCH#')>=0)
-            return originSql.replace('#APPENDSEARCH#',searchCondition);
-        return originSql + ' '+ searchCondition;
+        if (originSql.indexOf('#APPENDSEARCH#') >= 0)
+            return originSql.replace('#APPENDSEARCH#', searchCondition);
+        return originSql + ' ' + searchCondition;
     }
     /**
      * 校验参数的类型
@@ -84,9 +89,9 @@ class RequestParser {
      * @param {*} defaultValue
      * @returns
      */
-    static validatorParamsType(value,dataType,defaultValue=null){
+    static validatorParamsType(value, dataType, defaultValue = null) {
         if (!value || !dataType) return value;
-        switch (dataType.toLowerCase()){
+        switch (dataType.toLowerCase()) {
             case 'guid':       ///限制长度为36位的GUID
                 if (value.length != 36 || value.split('-').length != 5) return defaultValue;
                 break;
@@ -109,21 +114,21 @@ class RequestParser {
      * 检查是否有Sql注入的风险
      * @param {*} sql
      */
-    static checkSqlInjection(sql){
-        if(!sql) return sql;
+    static checkSqlInjection(sql) {
+        if (!sql) return sql;
         let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
-        if (sqlError && sqlError.length>0) return '';
+        if (sqlError && sqlError.length > 0) return '';
         return sql;
     }
     /*
     * 列表请求上下文中获取需要的信息
     * 如Page ,PageSize , Sort 等等
     */
-    static getListInfo(req,cfgType=0,dao) {
+    static getListInfo(req, cfgType = 0, dao) {
         const dataKey = utility.ifNull(req.dataKey, req.query.datakey);
         ///确认是否是需要导出Excel
-        const export2Excel =(req.query.exportexcel+"").toLowerCase()==="true";
-        req.page = req.query.page || req.body.page|| 1;
+        const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
+        req.page = req.query.page || req.body.page || 1;
         req.pageSize = req.query.rows || req.body.rows || 100;
         req.sort = req.query.sort || req.body.sort;
         ///防止sortSql 注入
@@ -132,7 +137,7 @@ class RequestParser {
             req.sort = this.checkSqlInjection(req.sort);
         }
         //防止注入式Sql
-        if (isNaN(req.pageSize)){
+        if (isNaN(req.pageSize)) {
             req.pageSize = 30;
         }
         //防止注入式Sql
@@ -140,61 +145,61 @@ class RequestParser {
             req.page = 1;
         }
         ///最大允许获取100条数据
-        req.pageSize = Math.min(req.pageSize,100);
+        req.pageSize = Math.min(req.pageSize, 100);
         let order = (req.body.order || req.query.order || '').trim().toLowerCase();
-        if (order && req.sort){
-            if (ORDER_STRING.indexOf(order)>=0) {
+        if (order && req.sort) {
+            if (ORDER_STRING.indexOf(order) >= 0) {
                 req.sort = req.sort + ' ' + order
             }
         }
         //req.order =req.sort? utility.ifNull((req.body.order || req.query.order), ""):'';
         if (dataKey) {
-            req.dataConfig = dataconfig.getConfig(dataKey,cfgType);
+            req.dataConfig = dataconfig.getConfig(dataKey, cfgType);
             if (req.dataConfig && req.dataConfig.list) {
                 req.sqltype = req.dataConfig.list.sqltype || 'sql';
                 req.fieldsMapping = req.dataConfig.list.field;
                 req.footerMapping = req.dataConfig.list.footer;
                 /**解析查询条件 */
                 req.searchCondition = this.getSearchCondition({ request: req, refer: req.dataConfig.list.search });
-                /**排序方式 */
-                req.sort = req.sort || req.dataConfig.list.sort;
-                /**来自req请求参数中的过滤条件 */
-                let clientFilter = this.checkSqlInjection(this.parseAndReplaceSql(req,req.query.clientFilter),false);
-                let listsql='';
+                /**排序方式 */// req.sort || //稍后恢复
+                req.sort = req.dataConfig.list.sort;
+                /**来自req请求参数中的过滤条件 */  //稍后恢复
+                let clientFilter = '';// this.checkSqlInjection(this.parseAndReplaceSql(req,req.query.clientFilter),false);
+                let listsql = '';
                 ///是否有列表尾部的统计SQL
                 let countsql = '';
-                switch (req.sqltype){
-                    case "sql":
-                        listsql  = req.dataConfig.list.sql;
-                        countsql    = req.dataConfig.list.countsql;
+                switch (req.sqltype) {
+                    case "sql":
+                        listsql = req.dataConfig.list.sql;
+                        countsql = req.dataConfig.list.countsql;
                         break;
                     case "property":
                         if (dao && dao.constantsql) {
-                            listsql  = dao.constantsql[listsql].list;
-                            countsql    = dao.constantsql[listsql].countsql;
+                            listsql = dao.constantsql[listsql].list;
+                            countsql = dao.constantsql[listsql].countsql;
                         }
                         break;
                     case "func":
-                        if (dao && dao[listsql] && typeof(dao[listsql])==='function' )
-                        listsql = dao[listsql]();
+                        if (dao && dao[listsql] && typeof (dao[listsql]) === 'function')
+                            listsql = dao[listsql]();
                         break;
                 }
                 /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
-                req.listSql =      this.parseAndReplaceSql(req,listsql) +
-                                     ' ' + req.searchCondition + clientFilter +
-                                    //(utility.isNullOrEmpty(req.sort) ? '' : (' order by ' + (req.sort+' '+req.order))) +
-                                    (req.sort ? (' order by ' + req.sort ):'') +
-                                    (export2Excel?'':' limit ' + req.pageSize + ' OFFSET ' + (req.page - 1) * req.pageSize) +
-                                     /////在Sql中再放入获取总记录数的语句
-                                    ';SELECT FOUND_ROWS() AS total;';
+                req.listSql = this.parseAndReplaceSql(req, listsql) +
+                    ' ' + req.searchCondition + clientFilter +
+                    //(utility.isNullOrEmpty(req.sort) ? '' : (' order by ' + (req.sort+' '+req.order))) +
+                    (req.sort ? (' order by ' + req.sort) : '') +
+                    (export2Excel ? '' : ' limit ' + Number(req.pageSize) + ' OFFSET ' + (Number(req.page) - 1) * Number(req.pageSize)) +
+                    /////在Sql中再放入获取总记录数的语句
+                    ';SELECT FOUND_ROWS() AS total;';
                 /*** 如果存在汇总列的sql，则把SQL放置在最末尾 */
-                if(countsql){
+                if (countsql) {
                     req.countSql = true;
-                    req.listSql+= this.appendSearchCondition2Count(
-                        this.parseAndReplaceSql(req,countsql),
-                        req.searchCondition)+';'
-                }
+                    req.listSql += this.appendSearchCondition2Count(
+                        this.parseAndReplaceSql(req, countsql),
+                        req.searchCondition) + ';'
+                }
             }
         }
     }
@@ -208,7 +213,7 @@ class RequestParser {
             req.dataConfig = dataconfig.getConfig(dataKey);
             if (req.dataConfig && req.dataConfig.detail) {
                 ///主键存储
-                req.primary=req.dataConfig.detail.primary;
+                req.primary = req.dataConfig.detail.primary;
                 req.fieldsMapping = req.dataConfig.detail.field;
                 req.primaryIsAutoIncrease = req.dataConfig.detail.primaryIsAutoIncrease;
             }