doomiwork 4.1.3 → 4.1.4

package/core/controller.js

@@ -182,7 +182,6 @@ class controller {
     */
     async getListData(req, dataKey, configFile = 0) {
         if (this.logger) this.logger.trace("准备获取dataconfig文件中对应的 %s list数据",dataKey)
-        const ignorefilter = await this._redisHelper.get('key:ignorefilter');
         const listinfo = getListInfo(req, dataKey, configFile, this._daoModel, ignorefilter==1);
         if (!listinfo) return { successed: false, errcode: -10, errmsg:`缺失${dataKey}对应的查询语句`};
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "doomiwork",
-  "version": "4.1.3",
+  "version": "4.1.4",
   "description": "doomisoft nodejs web framework",
   "main": "index.js",
   "scripts": {
@@ -15,9 +15,9 @@
   "license": "ISC",
   "dependencies": {
     "express": "^4.17.1",
-    "moment": "^2.29.1",
+    "moment": "^2.29.4",
     "mysql": "^2.18.1",
     "node-uuid": "^1.4.8",
-    "node-xlsx": "^0.23.0"
+    "node-xlsx": "^0.24.0"
   }
 }

package/utilities/keywordparse.js

@@ -55,14 +55,14 @@ module.exports.parseKeyValue=(req,str)=>{
  * @param {*} defaultValue 如果不满足，则返回默认的
  * @returns 
  */
-module.exports.validatorParamsType=(value, dataType, defaultValue = null)=> {
+module.exports.validatorParamsType = (value, dataType, defaultValue = null, inscope=[])=> {
     if (!value || !dataType) return value;
     switch (dataType.toLowerCase()) {
         case 'guid':       ///限制长度为36位的GUID
-            if (value.length != 36 || value.split('-').length != 5) return defaultValue;
+            if (value.length != 36 || value.split('-').length != 5) value= defaultValue;
             break;
         case 'number':   ///限制为数字
-            if (isNaN(value)) return defaultValue;
+            if (isNaN(value)) value= defaultValue;
             break;
         case 'date':       ///限制为日期，格式输出为YYYY-MM-DD
             let date = Date.parse(value);
@@ -72,8 +72,25 @@ module.exports.validatorParamsType=(value, dataType, defaultValue = null)=> {
             let datetime = Date.parse(value);
             if (isNaN(datetime)) return defaultValue;
             return datetime;
+        case 'array':      ///返回数组
+            value= value.split(',');
     }
-    return value;
+    ///检查值在不在范围内取值
+    let inRange = true;
+    if (inscope.length > 0 && value) {
+        inRange = false;
+        if (Array.isArray(value)) {
+            for(const item of value){
+                if (inscope.some(scope => scope.toLowerCase() === item.toLowerCase())){
+                    inRange = true;
+                    break;
+                } 
+            }
+        } else {
+            inRange = inscope.some(scope => scope.toLowerCase() === value.toLowerCase())
+        }
+    }
+    return inRange ? value : defaultValue;
 }
 
 /**

package/utilities/{requestparser-param.js → requestparser-bak.js}

@@ -2,7 +2,7 @@
 const dataconfig = require('../configuration/dataconfig').getCurrent();
 const mysql = require('mysql');
 const ORDER_STRING = ['asc', 'desc']
-const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCASE\b)|(\bWHEN\b)|(\bSLEEP\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
 
 function appendSearchCondition2Count(originSql, searchCondition) {
     ///如果包含了这个特定的字符，则替换
@@ -16,9 +16,9 @@ function appendSearchCondition2Count(originSql, searchCondition) {
  */
 function checkSqlInjection(sql) {
     if (!sql) return sql;
+    if (FORBID_SQL_KEYWORD.test(sql)) return '';
     //let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
     //if (sqlError && sqlError.length > 0) return '';
-    if (FORBID_SQL_KEYWORD.test(sql)) return '';
     return sql;
 }
 /*
@@ -29,17 +29,11 @@ module.exports.getSearchCondition = (option) => {
     if (!paraCopy.request || !paraCopy.refer) return '';
     if (!paraCopy.valueFrom) paraCopy.valueFrom = "all";
     const request = paraCopy.request;
-    let retSearch = [],params = [];
+    let retSearch = [];
     paraCopy.refer.forEach(element => {
-        //retSearch.push(this.parseTagInSql(request, element.pattern, false,true));
-        const paramSql=this.parseTagForParamtersSearch(request, element);
-        if (paramSql.sql) {
-            retSearch.push(paramSql.sql);
-            params = params.concat(paramSql.params||[]);
-        }
+        retSearch.push(this.parseTagInSql(request, element.pattern, false));
     });
-    return  {filter:retSearch.join(''),params}
-    //return retSearch.join('');
+    return retSearch.join('');
 }
 
 /**
@@ -49,7 +43,7 @@ module.exports.getSearchCondition = (option) => {
  * @param {*} allowNull 
  * @returns 
  */
-module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
+module.exports.parseTagInSql = (req, sql, allowNull = true) => {
     if (!sql) return '';
     ///定义正则准备查找sql中的特定关键字
     const matched = sql.match(/@.*?@/g);
@@ -74,7 +68,7 @@ module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
         if (!keyValue) {
             parseKeyWordIsNull = true;
         } else if (typeof (keyValue) === 'string') {
-            keyValue = noQuoteProtect || isSearch ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
+            keyValue = noQuoteProtect ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
             keyValue = keyValue.substr(1, keyValue.length - 2);
             ///验证参数的格式合法性
             if (keyValue && validformat.length > 1) {
@@ -99,66 +93,11 @@ module.exports.parseTagInSql = (req, sql, allowNull = true,isSearch=false) => {
     return sql;
 }
 
-/**
- * 为列表查询定义参数化查询
- * @param {*} req 
- * @param {*} sql 
- * @param {*} allowNull 
- * @param {*} isSearch 
- * @returns 
- */
-module.exports.parseTagForParamtersSearch = (req, filterSetting={}) => {
-    let {pattern:sql,mode=''} = filterSetting;
-    if (!sql) return {sql:''};
-    ///定义正则准备查找sql中的特定关键字
-    const matched = sql.match(/@.*?@/g);
-    let params = [];
-    if (!matched || matched.length <= 0) return {sql};
-    for(const ele of matched){
-        let patternModel = mode;
-        let matchValue = ele.substring(1, ele.length - 1);
-        ///不允许特殊字符出现
-        let noQuoteProtect = matchValue[0] == '!';
-        if (noQuoteProtect) {
-            matchValue = matchValue.substring(1);
-            patternModel='';
-        }
-        ///是否有格式要求
-        let validformat = matchValue.split('|');
-        matchValue = validformat[0];
-        let keyValue = (parseKeyValue(req, matchValue) || '') + ''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
-        if (keyValue && typeof (keyValue) === 'string') {
-            ///验证参数的格式合法性
-            if (keyValue && validformat.length > 1) {
-                keyValue = validatorParamsType(keyValue, validformat[1], validformat[2])
-            }
-        }
-        ///如果解析不出这个KeyValue ,则认为当前这条SQL过滤无效
-        if (!keyValue) return {sql:'',params:[]};
-        if (keyValue) {
-            switch (patternModel.toLowerCase()) {
-                case 'like':
-                    sql = sql.replace(ele, '?');    ///变成参数化查询
-                    params.push('%' + keyValue + '%')
-                break;
-                case 'in':
-                    sql = sql.replace(ele, '?');    ///变成参数化查询
-                    params.push(keyValue.split(','))
-                break;
-                default:
-                    sql = sql.replace(ele, '?');    ///变成参数化查询
-                    params.push(keyValue)
-                break;
-            }
-        }
-    }
-    return {sql,params};
-}
 /*
 * 列表请求上下文中获取需要的信息
 * 如Page ,PageSize , Sort 等等
 */
-module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
+module.exports.getListInfo = (req, dataKey, cfgType = 0, dao,ignorefilter=false) => {
     if (!dataKey) return null;
     ///确认是否是需要导出Excel
     const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
@@ -179,34 +118,32 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
         req.dataConfig = dataConfig
         let { sql, listsql, countsql, sqltype = 'sql', field, footer, search, sort: constsort } = dataConfig.list
         /**解析查询条件 */
-        const searchCondition = this.getSearchCondition({ request: req, refer: search });
+        const searchCondition = ignorefilter?'':this.getSearchCondition({ request: req, refer: search });
         /**排序方式 *///
         sort = sort || constsort;
         /**来自req请求参数中的过滤条件 */
         let clientfilter = checkSqlInjection(this.parseTagInSql(req, filter, false));
         //如果配置文件中不是直接的sql语句，则从DAO对象中的指定方法来获取sql
         if (sqltype !== 'sql' && listsql && typeof (dao[listsql]) === 'function') {
-            sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
+            sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition, client: clientfilter });
             if (dao[countsql] && typeof (dao[countsql]) === 'function')
-                countsql = dao[countsql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
+                countsql = dao[countsql](req, { page, rows: pageSize, sort, filter: searchCondition, client: clientfilter });
         }
 
         /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
         if (sqltype==='sql'){
             sql = this.parseTagInSql(req, sql) +
-                ' ' + searchCondition.filter + clientfilter +
+                ' ' + searchCondition + clientfilter +
                 (sort ? (' order by ' + sort) : '') +
                 (export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)) +
                 /////在Sql中再放入获取总记录数的语句
                 ';SELECT FOUND_ROWS() AS total;';
             /*** 如果存在汇总列的sql，则把SQL放置在最末尾 */
             if (countsql) {
-                sql += appendSearchCondition2Count(this.parseTagInSql(req, countsql), searchCondition.filter)
+                sql += appendSearchCondition2Count(this.parseTagInSql(req, countsql), searchCondition)
             }
         }
-        ///如果存在统计的SQL，则参数需要Double一次
-        const sqlParams = countsql ? [].concat(searchCondition.params, searchCondition.params):searchCondition.params;
-        return { sql, fields: field, params: sqlParams, footers: footer, page, hascounter: countsql?true:false };
+        return { sql, fields: field, footers: footer, page, hascounter: countsql?true:false };
     }
 }
 /*

package/utilities/requestparser.js

@@ -2,7 +2,7 @@
 const dataconfig = require('../configuration/dataconfig').getCurrent();
 const mysql = require('mysql');
 const ORDER_STRING = ['asc', 'desc']
-const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
+const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCASE\b)|(\bWHEN\b)|(\bSLEEP\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
 
 function appendSearchCondition2Count(originSql, searchCondition) {
     ///如果包含了这个特定的字符，则替换
@@ -17,8 +17,6 @@ function appendSearchCondition2Count(originSql, searchCondition) {
 function checkSqlInjection(sql) {
     if (!sql) return sql;
     if (FORBID_SQL_KEYWORD.test(sql)) return '';
-    //let sqlError = sql.match(FORBID_SQL_KEYWORD); //strict ? sql.match(FORBID_SQL_KEYWORD_STRICT):sql.match(FORBID_SQL_KEYWORD);
-    //if (sqlError && sqlError.length > 0) return '';
     return sql;
 }
 /*
@@ -29,11 +27,16 @@ module.exports.getSearchCondition = (option) => {
     if (!paraCopy.request || !paraCopy.refer) return '';
     if (!paraCopy.valueFrom) paraCopy.valueFrom = "all";
     const request = paraCopy.request;
-    let retSearch = [];
+    let retSearch = [],params = [];
     paraCopy.refer.forEach(element => {
-        retSearch.push(this.parseTagInSql(request, element.pattern, false));
+        const paramSql = this.parseTagForParameterize(request, element);
+        if (paramSql.sql) {
+            retSearch.push(paramSql.sql);
+            params = params.concat(paramSql.params||[]);
+        }
     });
-    return retSearch.join('');
+    return  {filter:retSearch.join(''),params}
+    //return retSearch.join('');
 }
 
 /**
@@ -49,7 +52,6 @@ module.exports.parseTagInSql = (req, sql, allowNull = true) => {
     const matched = sql.match(/@.*?@/g);
     if (!matched || matched.length <= 0) return sql;
     let parseKeyWordIsNull = false;
-
     const charReg = /\s+|:|=/gi
     matched.forEach(ele => {
         let matchValue = ele.substring(1, ele.length - 1);
@@ -69,19 +71,14 @@ module.exports.parseTagInSql = (req, sql, allowNull = true) => {
             parseKeyWordIsNull = true;
         } else if (typeof (keyValue) === 'string') {
             keyValue = noQuoteProtect ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
-            keyValue = keyValue.substr(1, keyValue.length - 2);
+            keyValue = keyValue.substring(1, keyValue.length - 1);
             ///验证参数的格式合法性
-            if (keyValue && validformat.length > 1) {
-                // console.log(`参数格式合法检查==>${validformat[1]}:${matchValue} = ${keyValue}`)
-                keyValue = validatorParamsType(keyValue, validformat[1], validformat[2])
-            }
+            if (keyValue && validformat.length > 1)  keyValue = validatorParamsType(keyValue, validformat[1], validformat[2])
             if (!keyValue) {
                 parseKeyWordIsNull = true;
             }
             ///没有引号保护下发现了sql注入，则用1=0不返回任何结果
-            if (!keyValue && noQuoteProtect) {
-                keyValue = '1=0'
-            }
+            if (!keyValue && noQuoteProtect)  keyValue = '1=0'
         } else {  ////数组形式的参数，目前框架不支持，统一认为为sql注入攻击,全部忽略
             // console.log(`参数非法==>类型${typeof (keyValue)}:${matchValue} = ${keyValue}`)
             parseKeyWordIsNull = true;
@@ -93,11 +90,59 @@ module.exports.parseTagInSql = (req, sql, allowNull = true) => {
     return sql;
 }
 
+/**
+ * 为列表查询定义参数化查询
+ * @param {*} req 
+ * @param {*} sql 
+ * @param {*} allowNull 
+ * @param {*} isSearch 
+ * @returns 
+ */
+module.exports.parseTagForParameterize = (req, filterSetting={}) => {
+    ///type=parameter表示参数化方式查询
+    ///type=joint 表示拼接sql语句查询
+    ///scope=[] 表示需要解析的字段必须在此列表内容中
+    let {pattern:sql,type='parameter',inscope=[]} = filterSetting;
+    if (!sql) return {sql:''};
+    ///定义正则准备查找sql中的特定关键字
+    const matched = sql.match(/@.*?@/g);
+    let params = [];
+    if (!matched || matched.length <= 0) return {sql};
+    for(const ele of matched){
+        let matchValue = ele.substring(1, ele.length - 1);
+        ///检查是否有特殊的字符比如 % 等
+        const specialRegex = /^[^a-zA-Z0-9]*(.*?)[^a-zA-Z0-9]*$/
+        const matchContent = matchValue.match(specialRegex);
+        matchValue = matchContent ? matchContent[1]:matchValue;
+        if (!matchValue) return {sql:'',params:[]};
+        ///是否有格式要求
+        let validformat = matchValue.split('|');
+        matchValue = validformat[0];
+        let keyValue = parseKeyValue(req, matchValue)||''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
+        if (keyValue && validformat.length > 1) keyValue = validatorParamsType(keyValue, validformat[1], validformat[2], inscope)
+        ///如果解析不出这个KeyValue ,则认为当前这条SQL过滤无效
+        if (!keyValue) return {sql:'',params:[]};
+        if (keyValue) {
+            if(type.toLowerCase() === 'parameter'){
+                sql = sql.replace(ele, '?');    ///变成参数化查询
+                if (Array.isArray(keyValue))
+                    params.push(keyValue)
+                else
+                    params.push(matchContent[0].replace(matchContent[1], keyValue));// '%' + keyValue + '%')
+            } else if (type.toLowerCase() === 'joint'){ ///拼接sql语句查询
+                ///拼接的SQL语句，keyvalue必须在scope列表中，否则不予拼接
+                const result = inscope.some(item => item.toLowerCase() === matchValue.toLowerCase());
+                if (result)sql = sql.replace(ele, keyValue); 
+            }
+        }
+    }
+    return {sql,params};
+}
 /*
 * 列表请求上下文中获取需要的信息
 * 如Page ,PageSize , Sort 等等
 */
-module.exports.getListInfo = (req, dataKey, cfgType = 0, dao,ignorefilter=false) => {
+module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
     if (!dataKey) return null;
     ///确认是否是需要导出Excel
     const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
@@ -118,32 +163,34 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao,ignorefilter=false)
         req.dataConfig = dataConfig
         let { sql, listsql, countsql, sqltype = 'sql', field, footer, search, sort: constsort } = dataConfig.list
         /**解析查询条件 */
-        const searchCondition = ignorefilter?'':this.getSearchCondition({ request: req, refer: search });
+        const searchCondition = this.getSearchCondition({ request: req, refer: search });
         /**排序方式 *///
         sort = sort || constsort;
         /**来自req请求参数中的过滤条件 */
         let clientfilter = checkSqlInjection(this.parseTagInSql(req, filter, false));
         //如果配置文件中不是直接的sql语句，则从DAO对象中的指定方法来获取sql
         if (sqltype !== 'sql' && listsql && typeof (dao[listsql]) === 'function') {
-            sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition, client: clientfilter });
+            sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
             if (dao[countsql] && typeof (dao[countsql]) === 'function')
-                countsql = dao[countsql](req, { page, rows: pageSize, sort, filter: searchCondition, client: clientfilter });
+                countsql = dao[countsql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
         }
 
         /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
         if (sqltype==='sql'){
             sql = this.parseTagInSql(req, sql) +
-                ' ' + searchCondition + clientfilter +
+                ' ' + searchCondition.filter + clientfilter +
                 (sort ? (' order by ' + sort) : '') +
                 (export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)) +
                 /////在Sql中再放入获取总记录数的语句
                 ';SELECT FOUND_ROWS() AS total;';
             /*** 如果存在汇总列的sql，则把SQL放置在最末尾 */
             if (countsql) {
-                sql += appendSearchCondition2Count(this.parseTagInSql(req, countsql), searchCondition)
+                sql += appendSearchCondition2Count(this.parseTagInSql(req, countsql), searchCondition.filter)
             }
         }
-        return { sql, fields: field, footers: footer, page, hascounter: countsql?true:false };
+        ///如果存在统计的SQL，则参数需要Double一次
+        const sqlParams = countsql ? [].concat(searchCondition.params, searchCondition.params):searchCondition.params;
+        return { sql, fields: field, params: sqlParams, footers: footer, page, hascounter: countsql?true:false };
     }
 }
 /*