doomiwork 4.1.2 → 4.1.3

package/configuration/routerconfig.js

@@ -129,7 +129,7 @@ module.exports.loadController=(app, routes)=> {
             if (modules.length > 0) {
                 for (const modulePath of modules) {
                     //if (app.logger) app.logger.trace('initlize controller [%s] for baseUrl [%s]', modulePath, baseUrl);
-                    console.log('initlize controller [%s] for baseUrl [%s]', modulePath, baseUrl);
+                    // console.log('initlize controller [%s] for baseUrl [%s]', modulePath, baseUrl);
                     const controllModule = require(modulePath);
                     const controller = new controllModule(app);
                     app.use(baseUrl, controller.router);

package/core/controller.js

@@ -182,11 +182,12 @@ class controller {
     */
     async getListData(req, dataKey, configFile = 0) {
         if (this.logger) this.logger.trace("准备获取dataconfig文件中对应的 %s list数据",dataKey)
-        const listinfo = getListInfo(req, dataKey, configFile,this._daoModel);
+        const ignorefilter = await this._redisHelper.get('key:ignorefilter');
+        const listinfo = getListInfo(req, dataKey, configFile, this._daoModel, ignorefilter==1);
         if (!listinfo) return { successed: false, errcode: -10, errmsg:`缺失${dataKey}对应的查询语句`};
 
         ////直接操作数据库之前，可由子类再次Handler
-        let beforeData = await this.beforeAccessDB(req, listinfo.sql,null, "list", this);
+        let beforeData = await this.beforeAccessDB(req, listinfo.sql, listinfo.params, "list", this);
         ////如果返回Null,则表示不加载数据了
         if (beforeData.canceled === true) return { successed: false, errorcode: 1, errmsg: "操作取消" };
         ////操作数据库

package/core/database/daoBase.js

@@ -101,17 +101,17 @@ class mysqlDao extends dao{
     /**
      * 删除记录
      */
-    deleteSql(id) { 
-        const ids = (id + '').trim().split(',').map(x => '\'' + x + '\'');
+    deleteSql() { 
+        // const ids = (id + '').trim().split(',').map(x => '\'' + x + '\'');
         ////如果是逻辑删除，则只将记录的删除状态设置为1
         if(this.tableoption.logicDelete)  {
 
-            let sqlDelete = `update ${this.tableoption.tableName} set #DELETEBY# #DELETEDATE# ${this.tableoption.logicDeleteField || 'rec_isdeleted'} =1 where ${this.tableoption.primaryKey} in (?) ${this.tableoption.forcefilter}`; 
+            let sqlDelete = `update ${this.tableoption.tableName} set #DELETEBY# #DELETEDATE# ${this.tableoption.logicDeleteField || 'rec_isdeleted'} =1 where ${this.tableoption.primaryKey} =? ${this.tableoption.forcefilter}`; 
             sqlDelete = sqlDelete.replace('#DELETEBY#', this.tableoption.logDeleteBy?`${this.tableoption.logDeleteBy}=?,`:'')
             sqlDelete = sqlDelete.replace('#DELETEDATE#', this.tableoption.logDeleteDate ? `${this.tableoption.logDeleteDate}=now(),` : '');
             return sqlDelete;
         }
-        return `delete from ${this.tableoption.tableName} where ${this.tableoption.primaryKey} in (?) ${this.tableoption.forcefilter}`; 
+        return `delete from ${this.tableoption.tableName} where ${this.tableoption.primaryKey} =? ${this.tableoption.forcefilter}`; 
     }
 
     /**
@@ -131,9 +131,9 @@ class mysqlDao extends dao{
     async delete(Sql, id,userid) { 
         const ids = (id + '').trim().split(',').map(x => '\'' + x + '\'');
         if (this.tableoption.logicDelete && this.tableoption.logDeleteBy){
-            return this.executeSql(Sql, [userid, ids.join(',')]); 
+            return this.executeSql(Sql, [userid, id]);  //ids.join(',')]); 
         }
-        return this.executeSql(Sql, ids.join(',')); 
+        return this.executeSql(Sql, id); //ids.join(',')); 
         ///
         //return this.executeSql(Sql, id); 
         /*if (result.successed && this.tableoption.logicDelete && userid && (this.tableoption.logDeleteBy || this.tableoption.logDeleteDate)){

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "doomiwork",
-  "version": "4.1.2",
+  "version": "4.1.3",
   "description": "doomisoft nodejs web framework",
   "main": "index.js",
   "scripts": {

package/utilities/requestparser-param.js

@@ -0,0 +1,226 @@
+const { parseKeyValue, validatorParamsType } = require('./keywordparse');
+const dataconfig = require('../configuration/dataconfig').getCurrent();
+const mysql = require('mysql');
+const ORDER_STRING = ['asc', 'desc']
+const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCASE\b)|(\bWHEN\b)|(\bSLEEP\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+
+function appendSearchCondition2Count(originSql, searchCondition) {
+    ///如果包含了这个特定的字符，则替换
+    if (originSql.indexOf('#APPENDSEARCH#') >= 0)
+        return originSql.replace('#APPENDSEARCH#', searchCondition);
+    return originSql + ' ' + searchCondition;
+}
+/**
+ * 检查是否有Sql注入的风险
+ * @param {*} sql 
+ */
+function checkSqlInjection(sql) {
+    if (!sql) return sql;
+    //let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
+    //if (sqlError && sqlError.length > 0) return '';
+    if (FORBID_SQL_KEYWORD.test(sql)) return '';
+    return sql;
+}
+/*
+* 根据对应列表的配置(dataConfig.list.search),从请求上下文中获取用户进行搜索的参数信息
+*/
+module.exports.getSearchCondition = (option) => {
+    let paraCopy = option || {};
+    if (!paraCopy.request || !paraCopy.refer) return '';
+    if (!paraCopy.valueFrom) paraCopy.valueFrom = "all";
+    const request = paraCopy.request;
+    let retSearch = [],params = [];
+    paraCopy.refer.forEach(element => {
+        //retSearch.push(this.parseTagInSql(request, element.pattern, false,true));
+        const paramSql=this.parseTagForParamtersSearch(request, element);
+        if (paramSql.sql) {
+            retSearch.push(paramSql.sql);
+            params = params.concat(paramSql.params||[]);
+        }
+    });
+    return  {filter:retSearch.join(''),params}
+    //return retSearch.join('');
+}
+
+/**
+ * 解析sql字符串中特殊的占位符
+ * @param {*} req 
+ * @param {*} sql 
+ * @param {*} allowNull 
+ * @returns 
+ */
+module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
+    if (!sql) return '';
+    ///定义正则准备查找sql中的特定关键字
+    const matched = sql.match(/@.*?@/g);
+    if (!matched || matched.length <= 0) return sql;
+    let parseKeyWordIsNull = false;
+
+    const charReg = /\s+|:|=/gi
+    matched.forEach(ele => {
+        let matchValue = ele.substring(1, ele.length - 1);
+        ///不允许特殊字符出现
+        let notdo = matchValue.match(charReg);
+        if (notdo && notdo.length > 0) return;
+
+        let noQuoteProtect = matchValue[0] == '!';
+        if (noQuoteProtect) {
+            matchValue = matchValue.substring(1);
+        }
+        ///是否有格式要求
+        let validformat = matchValue.split('|');
+        matchValue = validformat[0];
+        let keyValue = (parseKeyValue(req, matchValue) || '')+''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
+        if (!keyValue) {
+            parseKeyWordIsNull = true;
+        } else if (typeof (keyValue) === 'string') {
+            keyValue = noQuoteProtect || isSearch ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
+            keyValue = keyValue.substr(1, keyValue.length - 2);
+            ///验证参数的格式合法性
+            if (keyValue && validformat.length > 1) {
+                // console.log(`参数格式合法检查==>${validformat[1]}:${matchValue} = ${keyValue}`)
+                keyValue = validatorParamsType(keyValue, validformat[1], validformat[2])
+            }
+            if (!keyValue) {
+                parseKeyWordIsNull = true;
+            }
+            ///没有引号保护下发现了sql注入，则用1=0不返回任何结果
+            if (!keyValue && noQuoteProtect) {
+                keyValue = '1=0'
+            }
+        } else {  ////数组形式的参数，目前框架不支持，统一认为为sql注入攻击,全部忽略
+            // console.log(`参数非法==>类型${typeof (keyValue)}:${matchValue} = ${keyValue}`)
+            parseKeyWordIsNull = true;
+            keyValue = ''
+        }
+        sql = sql.replace(ele, keyValue);
+    });
+    if (!allowNull && parseKeyWordIsNull) return '';
+    return sql;
+}
+
+/**
+ * 为列表查询定义参数化查询
+ * @param {*} req 
+ * @param {*} sql 
+ * @param {*} allowNull 
+ * @param {*} isSearch 
+ * @returns 
+ */
+module.exports.parseTagForParamtersSearch = (req, filterSetting={}) => {
+    let {pattern:sql,mode=''} = filterSetting;
+    if (!sql) return {sql:''};
+    ///定义正则准备查找sql中的特定关键字
+    const matched = sql.match(/@.*?@/g);
+    let params = [];
+    if (!matched || matched.length <= 0) return {sql};
+    for(const ele of matched){
+        let patternModel = mode;
+        let matchValue = ele.substring(1, ele.length - 1);
+        ///不允许特殊字符出现
+        let noQuoteProtect = matchValue[0] == '!';
+        if (noQuoteProtect) {
+            matchValue = matchValue.substring(1);
+            patternModel='';
+        }
+        ///是否有格式要求
+        let validformat = matchValue.split('|');
+        matchValue = validformat[0];
+        let keyValue = (parseKeyValue(req, matchValue) || '') + ''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
+        if (keyValue && typeof (keyValue) === 'string') {
+            ///验证参数的格式合法性
+            if (keyValue && validformat.length > 1) {
+                keyValue = validatorParamsType(keyValue, validformat[1], validformat[2])
+            }
+        }
+        ///如果解析不出这个KeyValue ,则认为当前这条SQL过滤无效
+        if (!keyValue) return {sql:'',params:[]};
+        if (keyValue) {
+            switch (patternModel.toLowerCase()) {
+                case 'like':
+                    sql = sql.replace(ele, '?');    ///变成参数化查询
+                    params.push('%' + keyValue + '%')
+                break;
+                case 'in':
+                    sql = sql.replace(ele, '?');    ///变成参数化查询
+                    params.push(keyValue.split(','))
+                break;
+                default:
+                    sql = sql.replace(ele, '?');    ///变成参数化查询
+                    params.push(keyValue)
+                break;
+            }
+        }
+    }
+    return {sql,params};
+}
+/*
+* 列表请求上下文中获取需要的信息
+* 如Page ,PageSize , Sort 等等
+*/
+module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
+    if (!dataKey) return null;
+    ///确认是否是需要导出Excel
+    const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
+    let { page = 1, rows: pageSize = 100, sort, order, clientFilter: filter } = req.query
+    ///防止sortSql 注入在排序的参数中
+    if (sort) sort = checkSqlInjection(sort);
+    // 防止页面数据传入非数字
+    if (isNaN(pageSize)) pageSize = 30;
+    // 防止页面数据传入非数字
+    if (!page || isNaN(page)) page = 1
+    ///最大允许获取100条数据
+    pageSize =Math.max(0,Math.min(pageSize, 10000));
+    ///拼接排序的语句
+    if (order && sort && ORDER_STRING.includes(order.toLowerCase())) sort = sort + ' ' + order
+    //req.order =req.sort? utility.ifNull((req.body.order || req.query.order), ""):'';
+    const dataConfig = dataconfig.getConfig(dataKey, cfgType);
+    if (dataConfig && dataConfig.list) {
+        req.dataConfig = dataConfig
+        let { sql, listsql, countsql, sqltype = 'sql', field, footer, search, sort: constsort } = dataConfig.list
+        /**解析查询条件 */
+        const searchCondition = this.getSearchCondition({ request: req, refer: search });
+        /**排序方式 *///
+        sort = sort || constsort;
+        /**来自req请求参数中的过滤条件 */
+        let clientfilter = checkSqlInjection(this.parseTagInSql(req, filter, false));
+        //如果配置文件中不是直接的sql语句，则从DAO对象中的指定方法来获取sql
+        if (sqltype !== 'sql' && listsql && typeof (dao[listsql]) === 'function') {
+            sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
+            if (dao[countsql] && typeof (dao[countsql]) === 'function')
+                countsql = dao[countsql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
+        }
+
+        /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
+        if (sqltype==='sql'){
+            sql = this.parseTagInSql(req, sql) +
+                ' ' + searchCondition.filter + clientfilter +
+                (sort ? (' order by ' + sort) : '') +
+                (export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)) +
+                /////在Sql中再放入获取总记录数的语句
+                ';SELECT FOUND_ROWS() AS total;';
+            /*** 如果存在汇总列的sql，则把SQL放置在最末尾 */
+            if (countsql) {
+                sql += appendSearchCondition2Count(this.parseTagInSql(req, countsql), searchCondition.filter)
+            }
+        }
+        ///如果存在统计的SQL，则参数需要Double一次
+        const sqlParams = countsql ? [].concat(searchCondition.params, searchCondition.params):searchCondition.params;
+        return { sql, fields: field, params: sqlParams, footers: footer, page, hascounter: countsql?true:false };
+    }
+}
+/*
+* 详细页面请求上下文中获取需要的信息
+* 如Page ,PageSize , Sort 等等
+*/
+module.exports.getDetailInfo = (req,dataKey) => {
+    if (dataKey) {
+        const dataConfig = dataconfig.getConfig(dataKey);
+        if (dataConfig && dataConfig.detail) {
+            req.dataConfig = dataConfig;
+            const { primary, field: fields, primaryIsAutoIncrease } = dataConfig.detail;
+            return { primary, fields, autoincrease: primaryIsAutoIncrease }
+        }
+    }
+    return null;
+}

package/utilities/requestparser.js

@@ -16,8 +16,9 @@ function appendSearchCondition2Count(originSql, searchCondition) {
  */
 function checkSqlInjection(sql) {
     if (!sql) return sql;
-    let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
-    if (sqlError && sqlError.length > 0) return '';
+    if (FORBID_SQL_KEYWORD.test(sql)) return '';
+    //let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
+    //if (sqlError && sqlError.length > 0) return '';
     return sql;
 }
 /*
@@ -30,7 +31,7 @@ module.exports.getSearchCondition = (option) => {
     const request = paraCopy.request;
     let retSearch = [];
     paraCopy.refer.forEach(element => {
-        retSearch.push(this.parseTagInSql(request, element.pattern, false,true));
+        retSearch.push(this.parseTagInSql(request, element.pattern, false));
     });
     return retSearch.join('');
 }
@@ -42,7 +43,7 @@ module.exports.getSearchCondition = (option) => {
  * @param {*} allowNull 
  * @returns 
  */
-module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
+module.exports.parseTagInSql = (req, sql, allowNull = true) => {
     if (!sql) return '';
     ///定义正则准备查找sql中的特定关键字
     const matched = sql.match(/@.*?@/g);
@@ -67,7 +68,7 @@ module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
         if (!keyValue) {
             parseKeyWordIsNull = true;
         } else if (typeof (keyValue) === 'string') {
-            keyValue = noQuoteProtect || isSearch ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
+            keyValue = noQuoteProtect ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
             keyValue = keyValue.substr(1, keyValue.length - 2);
             ///验证参数的格式合法性
             if (keyValue && validformat.length > 1) {
@@ -96,7 +97,7 @@ module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
 * 列表请求上下文中获取需要的信息
 * 如Page ,PageSize , Sort 等等
 */
-module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
+module.exports.getListInfo = (req, dataKey, cfgType = 0, dao,ignorefilter=false) => {
     if (!dataKey) return null;
     ///确认是否是需要导出Excel
     const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
@@ -117,7 +118,7 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
         req.dataConfig = dataConfig
         let { sql, listsql, countsql, sqltype = 'sql', field, footer, search, sort: constsort } = dataConfig.list
         /**解析查询条件 */
-        const searchCondition = this.getSearchCondition({ request: req, refer: search });
+        const searchCondition = ignorefilter?'':this.getSearchCondition({ request: req, refer: search });
         /**排序方式 *///
         sort = sort || constsort;
         /**来自req请求参数中的过滤条件 */