doomiwork 4.1.9 → 4.2.0

package/utilities/requestparser.js

@@ -1,239 +0,0 @@
-const { parseKeyValue, validatorParamsType } = require('./keywordparse');
-const dataconfig = require('../configuration/dataconfig').getCurrent();
-const mysql = require('mysql');
-const ORDER_STRING = ['asc', 'desc']
-const FORBID_SQL_KEYWORD = /;|(--)|(\bWHERE\b)|(\bCASE\b)|(\bWHEN\b)|(\bSLEEP\b)|(\bSHOW\b)|(\bCOUNT\(\b)|(\bCREATE\b)|(\bCALL\b)|(\bBY\b)|(\bORDER\b)|(\bJOIN\b)|(\bUNION\b)|(\bFROM\b)|(\bSELECT\b)|(\bDROP\b)|(\bTRUNCATE\b)|(\bDELETE\b)|(\bUPDATE\b)|(\bINSERT\b)|(\bEXEC\b)|(\bEXECUTE\b)/gi;
-
-function appendSearchCondition2Count(originSql, searchCondition) {
-    ///如果包含了这个特定的字符，则替换
-    if (originSql.indexOf('#APPENDSEARCH#') >= 0)
-        return originSql.replace('#APPENDSEARCH#', searchCondition);
-    return originSql + ' ' + searchCondition;
-}
-/**
- * 检查是否有Sql注入的风险
- * @param {*} sql 
- */
-function checkSqlInjection(sql) {
-    if (!sql) return sql;
-    if (FORBID_SQL_KEYWORD.test(sql)) return '';
-    return sql;
-}
-
-function isEmptyValue(value){
-    if (value === undefined || value === null || value === '') return true;
-    return false;
-}
-/*
-* 根据对应列表的配置(dataConfig.list.search),从请求上下文中获取用户进行搜索的参数信息
-*/
-module.exports.getSearchCondition = (option) => {
-    let paraCopy = option || {};
-    if (!paraCopy.request || !paraCopy.refer) return { filter:'', params:[] };
-    if (!paraCopy.valueFrom) paraCopy.valueFrom = "all";
-    const request = paraCopy.request;
-    let retSearch = [],params = [];
-    paraCopy.refer.forEach(element => {
-        const paramSql = this.parseTagForParameterize(request, element);
-        if (paramSql.sql) {
-            retSearch.push(paramSql.sql);
-            params = params.concat(paramSql.params||[]);
-        }
-    });
-    return  {filter:retSearch.join(''),params}
-    //return retSearch.join('');
-}
-
-/**
- * 解析sql字符串中特殊的占位符
- * @param {*} req 
- * @param {*} sql 
- * @param {*} allowNull 
- * @returns 
- */
-module.exports.parseTagInSql = (req, sql, allowNull = true) => {
-    if (!sql) return '';
-    ///定义正则准备查找sql中的特定关键字
-    const matched = sql.match(/@.*?@/g);
-    if (!matched || matched.length <= 0) return sql;
-    let parseKeyWordIsNull = false;
-    const charReg = /\s+|:|=/gi
-    matched.forEach(ele => {
-        let matchValue = ele.substring(1, ele.length - 1);
-        ///不允许特殊字符出现
-        let notdo = matchValue.match(charReg);
-        if (notdo && notdo.length > 0) return;
-
-        let noQuoteProtect = matchValue[0] == '!';
-        if (noQuoteProtect)   matchValue = matchValue.substring(1);
-        ///是否有格式要求
-        let validformat = matchValue.split('|');
-        matchValue = validformat[0];
-        let keyValue = (parseKeyValue(req, matchValue) || '')+''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
-        if (!keyValue) {
-            parseKeyWordIsNull = true;
-        } else if (typeof (keyValue) === 'string') {
-            keyValue = noQuoteProtect ? checkSqlInjection(mysql.escape(keyValue)) : mysql.escape(keyValue)
-            keyValue = keyValue.substring(1, keyValue.length - 1);
-            ///验证参数的格式合法性
-            if (keyValue && validformat.length > 1)  keyValue = validatorParamsType(keyValue, validformat[1], validformat[2])
-            if (!keyValue) {
-                parseKeyWordIsNull = true;
-            }
-            ///没有引号保护下发现了sql注入，则用1=0不返回任何结果
-            if (!keyValue && noQuoteProtect)  keyValue = '1=0'
-        } else {  ////数组形式的参数，目前框架不支持，统一认为为sql注入攻击,全部忽略
-            // console.log(`参数非法==>类型${typeof (keyValue)}:${matchValue} = ${keyValue}`)
-            parseKeyWordIsNull = true;
-            keyValue = ''
-        }
-        sql = sql.replace(ele, keyValue);
-    });
-    if (!allowNull && parseKeyWordIsNull) return '';
-    return sql;
-}
-
-
-/**
- * 为列表查询定义参数化查询
- * @param {*} req 
- * @param {*} sql 
- * @param {*} allowNull 
- * @param {*} isSearch 
- * @returns 
- */
-module.exports.parseTagForParameterize = (req, filterSetting={}) => {
-    ///type=parameter表示参数化方式查询
-    ///type=joint 表示拼接sql语句查询
-    ///scope=[] 表示需要解析的字段必须在此列表内容中
-    let {pattern:sql,type='parameter',inscope=[],allowEmpty=false} = filterSetting;
-    if (!sql) return {sql:''};
-    ///定义正则准备查找sql中的特定关键字
-    const matched = sql.match(/@.*?@/g);
-    let params = [];
-    if (!matched || matched.length <= 0) return {sql};
-    for(const ele of matched){
-        let matchValue = ele.substring(1, ele.length - 1);
-        ///检查是否有特殊的字符比如 % 等
-        const specialRegex = /^[^a-zA-Z0-9]*(.*?)[^a-zA-Z0-9]*$/
-        const matchContent = matchValue.match(specialRegex);
-        matchValue = matchContent ? matchContent[1]:matchValue;
-        if (!matchValue) return {sql:'',params:[]};
-        ///是否有格式要求
-        let validformat = matchValue.split('|');
-        matchValue = validformat[0];
-        
-        let keyValue = parseKeyValue(req, matchValue)||''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
-        if (keyValue && validformat.length > 1) keyValue = validatorParamsType(keyValue, validformat[1], validformat[2], inscope)
-        ///如果解析不出这个KeyValue ,则认为当前这条SQL过滤无效
-        if (isEmptyValue(keyValue) && !allowEmpty) return {sql:'',params:[]};
-        // if (keyValue) {
-        if(type.toLowerCase() === 'parameter'){
-            sql = sql.replace(ele, '?');    ///变成参数化查询
-            if (Array.isArray(keyValue))
-                params.push(keyValue)
-            else
-                params.push(matchContent[0].replace(matchContent[1], keyValue));// '%' + keyValue + '%')
-        } else if (type.toLowerCase() === 'joint'){ ///拼接sql语句查询
-            ///拼接的SQL语句，keyvalue必须在scope列表中，否则不予拼接
-            const result = inscope.some(item => item.toLowerCase() === matchValue.toLowerCase());
-            if (result)sql = sql.replace(ele, keyValue||''); 
-        }
-        // }
-    }
-    return {sql,params};
-}
-
-/**
- * 检查排序字段是否合法
- * @param {*} sortField 
- * @returns 
- */
-function sortFieldIsLegal(sortField,allowedFields = []){
-    /// 没有传递排序字段，则不用检查
-    if (!sortField) return sortField;
-    /// 检查排序字段是否在允许的字段列表中,如果存在allowedFields，则只允许在allowedFields中排序
-    if (allowedFields && allowedFields.length) {
-        if(allowedFields.map(item => item.toLowerCase()).includes(sortField.toLowerCase())) return sortField;
-        /// 如果不在allowedFields中，则不允许使用传入的字段名进行排序，防止sql注入
-        return null;
-    }
-    /// 如果allowedFields为空，则检查排序的字段是否合法，防止sql注入
-    if (sortField.indexOf(' ') >= 0 || sortField.indexOf('(') >= 0 || sortField.indexOf(')') >= 0) return null;
-    return checkSqlInjection(sortField);
-}
-
-/*
-* 列表请求上下文中获取需要的信息
-* 如Page ,PageSize , Sort 等等
-*/
-module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
-    if (!dataKey) return null;
-    const dataConfig = dataconfig.getConfig(dataKey, cfgType);
-    if (!dataConfig?.list) return null;
-    ///确认是否是需要导出Excel
-    const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
-    let { page = 1, rows: pageSize = 100, sort, order, clientFilter: filter } = req.query
-    ///防止sortSql 注入在排序的参数中
-    if (sort) sort = sortFieldIsLegal(sort, dataConfig.list.allow_sort_fields) //checkSqlInjection(sort);
-    // 防止页面数据传入非数字
-    if (isNaN(pageSize)) pageSize = 30;
-    // 防止页面数据传入非数字
-    if (!page || isNaN(page)) page = 1
-    ///最大允许获取100条数据
-    pageSize =Math.max(0,Math.min(pageSize, 10000));
-    ///拼接排序的语句
-    if (order && sort && ORDER_STRING.includes(order.toLowerCase())) sort = sort + ' ' + order
-    //req.order =req.sort? utility.ifNull((req.body.order || req.query.order), ""):'';
-    
-    if (dataConfig && dataConfig.list) {
-        req.dataConfig = dataConfig
-        let { sql, listsql, countsql, sqltype = 'sql', field, footer, search, sort: constsort } = dataConfig.list
-        /**解析查询条件 */
-        const searchCondition = this.getSearchCondition({ request: req, refer: search });
-        /**排序方式 *///
-        sort = sort || constsort;
-        /**来自req请求参数中的过滤条件 */
-        const clientfilter = null;// 不再支持可以通过客户端传递过滤条件，防止sql注入 //checkSqlInjection(this.parseTagInSql(req, filter, false));
-        let SqlParameters = [];
-        //如果配置文件中不是直接的sql语句，则从DAO对象中的指定方法来获取sql
-        if (sqltype !== 'sql' && listsql && typeof (dao[listsql]) === 'function') {
-            sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
-            if (dao[countsql] && typeof (dao[countsql]) === 'function')
-                countsql = dao[countsql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
-        }
-
-        /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
-        if (sqltype==='sql'){
-            const mainParameterlizedSql = this.parseTagForParameterize(req, { pattern: sql, allowEmpty:true });
-            if (!mainParameterlizedSql.sql) return null;
-            sql = `${mainParameterlizedSql.sql} ${searchCondition.filter ||''} ${sort ? (' order by ' + sort) : ''} ${export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)};SELECT FOUND_ROWS() AS total;`;
-            SqlParameters = SqlParameters.concat(mainParameterlizedSql.params || [], searchCondition.params);
-            /*** 如果存在汇总列的sql，则把SQL放置在最末尾 */
-            if (countsql) {
-                const countParameterlizedSql = this.parseTagForParameterize(req, { pattern: countsql, allowEmpty: true });
-                if (!countParameterlizedSql.sql) return null;
-                sql += appendSearchCondition2Count(countParameterlizedSql.sql, searchCondition.filter||'')
-                SqlParameters = SqlParameters.concat(countParameterlizedSql.params || [], searchCondition.params);
-            }
-        }
-        ///如果存在统计的SQL，则参数需要Double一次
-        // const sqlParams = countsql ? [].concat(searchCondition.params, searchCondition.params):searchCondition.params;
-        return { sql, fields: field, params: SqlParameters, footers: footer, page, hascounter: countsql?true:false };
-    }
-}
-/*
-* 详细页面请求上下文中获取需要的信息
-* 如Page ,PageSize , Sort 等等
-*/
-module.exports.getDetailInfo = (req,dataKey) => {
-    if (dataKey) {
-        const dataConfig = dataconfig.getConfig(dataKey);
-        if (dataConfig && dataConfig.detail) {
-            req.dataConfig = dataConfig;
-            const { primary, field: fields, primaryIsAutoIncrease } = dataConfig.detail;
-            return { primary, fields, autoincrease: primaryIsAutoIncrease }
-        }
-    }
-    return null;
-}

package/utilities/tokenutility.js

@@ -1,45 +0,0 @@
-/**
- * 后台路由授权访问的Token验证
- */
-// const cache     =  require('doomi-helper').redisHelper.getInstance();
-class TokenUtility {
-    constructor(cacheinstance){
-        this.cache = cacheinstance;
-    }
-    setToken(token, tokenObject, expire) {
-        // if (typeof tokenObject != "string") tokenObject = JSON.stringify(tokenObject);
-        return this.cache.set(token, tokenObject, expire);
-    }
-    ///从缓存中获取用户
-    async getToken(token,isObject=true) {
-        let value = await this.cache.get(token);
-        if (!value) return value;
-        return isObject ? JSON.parse(value) : value;
-    }
-    /**
-     * token是否有效
-     * @param {*} token 
-     */
-    async tokenIsValid(token){
-        return (await this.getToken(token,false))!=null
-    }
-    /**
-     * 删除Token
-     * @param {*} token 
-     */
-    deleteToken(token){
-        this.cache.delete(token);
-    }
-    /**
-     * 延长token的有效期
-     * @param {*} token 
-     * @param {*} tokenObject 
-     * @param {*} expire 
-     */
-    extendToken(token,expire) {
-        return this.cache.expire(token,expire);
-    }
-}
-exports = module.exports.TokenHelper = (cacheinstance)=>{
-    return new TokenUtility(cacheinstance)
-};

package/utilities/transferutility.js

@@ -1,105 +0,0 @@
-const { parseKeyValue, formatValue, validatorParamsType } = require('./keywordparse');
-/**
-* 将结果转化为Mapping对应的键值输出
-* @param {*} originalResult 
-* @param {*} fieldConfig 
-* @returns transferName2Mapping
-*/
-module.exports.Data2View = (originalResult, fieldConfig) => {
-    if (!originalResult) return { successed: true, data: null };
-    if (!fieldConfig || fieldConfig.length == 0) return { successed: true, data: originalResult };//return success({successed:true,data:originalResult});
-
-    let retResult = [];
-    for (const row of originalResult) {
-        let item = {};
-        for (const element of fieldConfig) {
-            ///如果该字段的序列化仅用于向后保存，则序列化到
-            ///前端页面的时候就不再输出了
-            if (element.direction == "backonly") continue;
-            let rawValue = row[element.name];
-            if (!rawValue && element.nullValue) rawValue = element.nullValue;
-            ///格式化输出
-            if (element.format) {
-                rawValue = formatValue(rawValue, element.format)
-            }
-            item[element.mapping || element.name] = rawValue;
-        }
-        retResult.push(item);
-    }
-    return { successed: true, data: retResult };
-
-}
-/**
- * 数据准备保存到数据库中，从视图提交的数据中进行转换
- * @param {*} req 
- * @param {*} fieldConfig 
- * @param {*} doWhat 
- * @returns transferMapping2Name
- */
-module.exports.View2Data = (req, fieldConfig, doWhat) => {
-    let model = {}, tmpModel = {};
-    // var ingoreKey = req.query.ingoreNullKey != null && req.query.ingoreNullKey == 'true';
-    if (Array.isArray(fieldConfig)) {
-        for (const element of fieldConfig) {
-            ///如果该字段的序列化仅用于向前端输出，保存时忽略
-            if (element.direction == "frontonly") continue;
-            if (element.action && element.action.indexOf(doWhat) < 0) continue;
-            let bodyKey = element.mapping || element.name;
-            let postValue = req.body[bodyKey];
-            ////body中没有这个属性
-            //&& element.ignoreundefined == true
-            if (postValue === undefined) {
-                if ((doWhat == 'update' && !element.required) ||
-                    (doWhat == 'create' && !element.required && !element.default && !element.nullValue))
-                    continue;
-            }
-            ///去除两边的空格,默认是去掉空格
-            if (typeof (postValue) === 'string') {
-                if ((!element.trim || element.trim == true)) postValue.trim();
-                if (element.maxlength && postValue.length > element.maxlength) {
-                    return { successed: false, errcode: 6, errmsg: '输入的长度超出,最大允许' + element.maxlength, name: element.mapping }
-                }
-            }
-
-            ///如果提交的值为空
-            if (!postValue) { // if (commonHelper.isNullOrEmpty(postValue)) {
-                if (element.nullValue)
-                    postValue = parseKeyValue(req, element.nullValue);
-                else
-                    postValue = null;
-            }
-            if (!postValue && element.default) postValue = element.default;
-            ///不允许为空值
-            if (element.required === true && !postValue) return { successed: false, errcode: 5, errmsg: '请填写必填字段内容', name: bodyKey }
-            // //空值则不替换或不设置该字段
-            // if (!postValue && element.ignorenull===true){
-            //     continue;
-            // }
-            //验证值的类型是否正确，主要验证是否数字
-            if (element.type && postValue && !validatorParamsType(postValue, element.type)) {
-                return { successed: false, errcode: 4, errmsg: `提交的值与要求的类型不匹配:(${bodyKey},${element.type})`, name: bodyKey }
-            }
-            ///格式化结果 : 这个可以用，暂时先去掉
-            // if (postValue && element.format) {
-            //     if (stringHelper.startWith(element.format, '{') && stringHelper.endsWith(element.format, '}'))
-            //         postValue = stringHelper.format(element.format, postValue);
-            //     else {
-            //         postValue = ViewHelper.specialFormatValue(element.format, postValue, false);
-            //     }
-            // }
-            ////这个字段是否需要放在其他对象中
-            if (element.model) {
-                let modelitem = tmpModel[element.model] || {};
-                modelitem[element.name] = postValue;
-                tmpModel[element.model] = modelitem;
-            }
-            else
-                model[element.name] = postValue;
-        }
-
-    }
-    else
-        model = req.body;
-    req.modellist = tmpModel;
-    return { successed: true, data: model };
-}