kb-server 0.0.12-beta.1 → 0.0.13

package/dist/common/api-middleware.d.ts

@@ -26,7 +26,6 @@ export interface APIErrorResponse {
 export type AuthFunction = (action: string, req: express.Request) => Promise<Record<string, any> | boolean> | boolean | Record<string, any>;
 interface IPackAPIOptions {
     authFn?: AuthFunction;
-    log?: boolean;
 }
 /**
  * API包装函数

package/dist/common/api-middleware.js

@@ -4,13 +4,14 @@ exports.packAPI = void 0;
 const create_errors_1 = require("./create-errors");
 const uuid_1 = require("uuid");
 const logger_1 = require("../helper/logger");
+const sanitize_traceinfo_1 = require("./sanitize-traceinfo");
 /**
  * API包装函数
  * @param apis API列表
  * @returns
  */
 const packAPI = (apis, options) => {
-    const { authFn, log = true } = options || {};
+    const { authFn } = options || {};
     return async (req, res) => {
         // 生成API映射
         const apiMap = new Map(Object.entries(apis).map(([action, execution]) => [action, execution]));
@@ -24,19 +25,21 @@ const packAPI = (apis, options) => {
             RequestId: requestId,
         };
         // API 解析 - 将Action定义移到try块外部，以便在catch块中也能访问
-        const { Action, ...params } = req.body || {};
+        const { Action, TraceInfo, ...params } = req.body || {};
         try {
-            if (log) {
-                logger_1.logger.info({
-                    requestId,
-                    action: Action,
-                    params,
-                    path: req.path,
-                    method: req.method,
-                }, "请求入参");
-            }
+            // 安全处理TraceInfo
+            const safeTraceInfo = TraceInfo ? (0, sanitize_traceinfo_1.sanitizeTraceInfo)(TraceInfo) : undefined;
+            logger_1.logger.info({
+                requestId,
+                action: Action,
+                params,
+                path: req.path,
+                method: req.method,
+                traceInfo: safeTraceInfo,
+            }, "收到请求");
             // 接口未定义
             if (!Action) {
+                logger_1.logger.warn({ requestId, action: Action }, "接口未定义");
                 throw new create_errors_1.CommonErrors.InvalidParameter.EmptyAPIRequest();
             }
             // 处理鉴权函数
@@ -44,8 +47,10 @@ const packAPI = (apis, options) => {
                 if (typeof authFn !== "function") {
                     throw new create_errors_1.CommonErrors.ResourceNotFound.AuthFunctionNotFound();
                 }
+                logger_1.logger.info({ requestId, action: Action }, "开始执行框架权限检查");
                 const authResult = await authFn(Action, req);
                 if (!authResult) {
+                    logger_1.logger.warn({ requestId, action: Action }, "框架权限检查不通过");
                     throw new create_errors_1.CommonErrors.FailOperation.NoPermission();
                 }
                 if (typeof authResult !== "boolean") {
@@ -53,6 +58,7 @@ const packAPI = (apis, options) => {
                     ctx.AuthInfo = authResult || {};
                 }
             }
+            logger_1.logger.info({ requestId, action: Action, authInfo: ctx.AuthInfo }, "框架权限检查通过");
             // API 处理
             const execution = apiMap.get(Action);
             if (typeof execution !== "function") {
@@ -69,7 +75,7 @@ const packAPI = (apis, options) => {
             };
             // 完成响应
             took = Date.now() - start;
-            logger_1.logger.info({ requestId, action: Action, response, took }, "请求响应");
+            logger_1.logger.info({ requestId, action: Action, response, took }, "执行响应");
             return res.send(response);
         }
         catch (rawError) {

package/dist/common/create-server.d.ts

@@ -38,6 +38,7 @@ export interface ICreateServerParams {
     authFn?: AuthFunction;
     /**
      * 默认请求日志，true开启，false关闭
+     * @deprecated 请使用日志中间件代替（通过日志等级控制）下一版本将会废除
      */
     log?: boolean;
     /**

package/dist/common/create-server.js

@@ -43,7 +43,7 @@ function createServer(params, options) {
     // 注入SSE
     handlers && app.use((0, sse_middleware_1.packSSE)(handlers, { authFn, log, ...resetSSE }));
     // 注入API
-    app.use((0, api_middleware_1.packAPI)(apis, { authFn, log }));
+    app.use((0, api_middleware_1.packAPI)(apis, { authFn }));
     return app;
 }
 exports.createServer = createServer;

package/dist/common/sanitize-traceinfo.d.ts

@@ -0,0 +1,35 @@
+/**
+ * 安全处理工具模块
+ * 用于对用户输入的数据进行安全清理，防止日志注入、敏感信息泄露等问题
+ */
+/**
+ * 安全处理配置选项
+ */
+export interface SanitizeOptions {
+    /** 最大嵌套深度，防止循环引用 */
+    maxDepth?: number;
+    /** 最大数组长度，防止数据过大 */
+    maxArrayLength?: number;
+    /** 最大对象属性数量 */
+    maxObjectKeys?: number;
+    /** 最大字符串长度 */
+    maxStringLength?: number;
+}
+/**
+ * 安全处理TraceInfo，防止安全漏洞
+ *
+ * @param traceInfo - 需要清理的数据
+ * @param options - 配置选项
+ * @returns 清理后的安全数据
+ *
+ * @example
+ * ```typescript
+ * const safeData = sanitizeTraceInfo({
+ *   username: 'test',
+ *   password: 'secret',
+ *   apiTrace: []
+ * });
+ * // 结果: { username: 'test', password: '[REDACTED]', apiTrace: [] }
+ * ```
+ */
+export declare function sanitizeTraceInfo(traceInfo: unknown, options?: SanitizeOptions): any;

package/dist/common/sanitize-traceinfo.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * 安全处理工具模块
+ * 用于对用户输入的数据进行安全清理，防止日志注入、敏感信息泄露等问题
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeTraceInfo = void 0;
+/**
+ * 需要脱敏的敏感字段列表
+ */
+const SENSITIVE_KEYS = [
+    'password',
+    'token',
+    'secret',
+    'key',
+    'auth',
+    'credential',
+    'cookie',
+];
+/**
+ * 默认配置
+ */
+const DEFAULT_OPTIONS = {
+    maxDepth: 5,
+    maxArrayLength: 100,
+    maxObjectKeys: 50,
+    maxStringLength: 1000,
+};
+/**
+ * 安全处理TraceInfo，防止安全漏洞
+ *
+ * @param traceInfo - 需要清理的数据
+ * @param options - 配置选项
+ * @returns 清理后的安全数据
+ *
+ * @example
+ * ```typescript
+ * const safeData = sanitizeTraceInfo({
+ *   username: 'test',
+ *   password: 'secret',
+ *   apiTrace: []
+ * });
+ * // 结果: { username: 'test', password: '[REDACTED]', apiTrace: [] }
+ * ```
+ */
+function sanitizeTraceInfo(traceInfo, options = {}) {
+    const opts = { ...DEFAULT_OPTIONS, ...options };
+    return sanitizeValue(traceInfo, opts, 0);
+}
+exports.sanitizeTraceInfo = sanitizeTraceInfo;
+/**
+ * 递归清理数据
+ */
+function sanitizeValue(value, options, currentDepth) {
+    // 深度限制，防止循环引用导致的栈溢出
+    if (currentDepth > options.maxDepth) {
+        return '[MaxDepthReached]';
+    }
+    // 空值处理
+    if (value === null || value === undefined) {
+        return value;
+    }
+    // 原始类型直接处理字符串
+    if (typeof value !== 'object') {
+        return sanitizeString(value, options.maxStringLength);
+    }
+    // 数组处理
+    if (Array.isArray(value)) {
+        return value.map((item, index) => {
+            if (index >= options.maxArrayLength) {
+                return `[Array truncated, total length: ${value.length}]`;
+            }
+            return sanitizeValue(item, options, currentDepth + 1);
+        });
+    }
+    // 对象处理
+    const sanitized = {};
+    let keyCount = 0;
+    for (const key of Object.keys(value)) {
+        // 限制对象属性数量
+        if (keyCount >= options.maxObjectKeys) {
+            sanitized['__truncated__'] = `Object truncated, total keys: ${Object.keys(value).length}`;
+            break;
+        }
+        keyCount++;
+        const lowerKey = key.toLowerCase();
+        // 敏感字段脱敏
+        if (SENSITIVE_KEYS.some((sk) => lowerKey.includes(sk))) {
+            sanitized[key] = '[REDACTED]';
+        }
+        else {
+            sanitized[key] = sanitizeValue(value[key], options, currentDepth + 1);
+        }
+    }
+    return sanitized;
+}
+/**
+ * 清理字符串值，防止日志注入
+ *
+ * @param value - 需要清理的值
+ * @param maxLength - 最大长度限制
+ * @returns 清理后的字符串
+ */
+function sanitizeString(value, maxLength) {
+    if (typeof value !== 'string') {
+        return value;
+    }
+    // 移除控制字符和转义特殊字符，防止日志注入
+    return value
+        .replace(/[\x00-\x1F\x7F]/g, '') // 移除控制字符
+        .replace(/\n/g, '\\n') // 转义换行
+        .replace(/\r/g, '\\r') // 转义回车
+        .replace(/\t/g, '\\t') // 转义制表符
+        .substring(0, maxLength); // 限制字符串长度
+}

package/dist/tests/sanitize-traceinfo.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * TraceInfo安全处理测试
+ * 运行方式: npx tsx src/tests/sanitize-traceinfo.test.ts
+ */
+export {};

package/dist/tests/sanitize-traceinfo.test.js

@@ -0,0 +1,104 @@
+"use strict";
+/**
+ * TraceInfo安全处理测试
+ * 运行方式: npx tsx src/tests/sanitize-traceinfo.test.ts
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const sanitize_traceinfo_1 = require("../common/sanitize-traceinfo");
+console.log("=== TraceInfo安全处理测试 ===\n");
+// 测试1: 敏感字段脱敏
+console.log("测试1: 敏感字段脱敏");
+const test1 = {
+    username: 'testuser',
+    password: 'secret123',
+    accessToken: 'token123',
+    normalField: 'normal value'
+};
+const result1 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test1);
+console.log("输入:", test1);
+console.log("输出:", result1);
+console.log("✓ password已脱敏:", result1.password === '[REDACTED]');
+console.log("✓ accessToken已脱敏:", result1.accessToken === '[REDACTED]');
+console.log("✓ normalField保留:", result1.normalField === 'normal value');
+console.log("\n---\n");
+// 测试2: 日志注入防护
+console.log("测试2: 日志注入防护（控制字符清理）");
+const test2 = {
+    name: 'test\x00name',
+    description: 'line1\nline2\rline3\ttab'
+};
+const result2 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test2);
+console.log("输入:", test2);
+console.log("输出:", result2);
+console.log("✓ 控制字符已移除:", !result2.name.includes('\x00'));
+console.log("✓ 换行符已转义:", result2.description.includes('\\n'));
+console.log("\n---\n");
+// 测试3: 大小限制
+console.log("测试3: 大小限制（数组和对象）");
+const test3 = {
+    items: Array.from({ length: 200 }, (_, i) => i),
+    largeObject: {}
+};
+for (let i = 0; i < 100; i++) {
+    test3.largeObject[`key${i}`] = i;
+}
+const result3 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test3);
+console.log("数组长度限制:", result3.items.length, "(原始200, 限制100)");
+console.log("对象属性数量:", Object.keys(result3).length, "(包含截断标记)");
+console.log("✓ 数组已截断:", result3.items.length === 100);
+console.log("✓ 对象已截断:", result3.largeObject.__truncated__ !== undefined);
+console.log("\n---\n");
+// 测试4: 深度限制
+console.log("测试4: 深度限制");
+const createDeepObject = (depth) => {
+    if (depth === 0)
+        return 'value';
+    return { level: createDeepObject(depth - 1) };
+};
+const test4 = createDeepObject(10);
+const result4 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test4);
+console.log("✓ 深度限制已生效:", JSON.stringify(result4).includes('[MaxDepthReached]'));
+console.log("\n---\n");
+// 测试5: 字符串长度限制
+console.log("测试5: 字符串长度限制");
+const test5 = { long: 'a'.repeat(2000) };
+const result5 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test5);
+console.log("✓ 长字符串已截断:", result5.long.length === 1000);
+console.log("\n---\n");
+// 测试6: 实际TraceInfo场景
+console.log("测试6: 实际TraceInfo场景");
+const test6 = {
+    sessionId: 'session_123456',
+    userId: 'user_789',
+    entryPage: '/home',
+    currentPage: '/profile',
+    apiTrace: [
+        { action: 'GetUser', pageFrom: '/home', duration: 150, status: 'success' },
+        { action: 'UpdateProfile', pageFrom: '/profile', duration: 200, status: 'success' }
+    ],
+    deviceInfo: {
+        ua: 'Mozilla/5.0...',
+        platform: 'Mac'
+    }
+};
+const result6 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test6);
+console.log("输入:", JSON.stringify(test6, null, 2));
+console.log("输出:", JSON.stringify(result6, null, 2));
+console.log("✓ 正常TraceInfo保留完整");
+console.log("\n---\n");
+// 测试7: 自定义配置
+console.log("测试7: 自定义配置");
+const test7 = {
+    password: 'secret',
+    data: Array.from({ length: 10 }, (_, i) => i)
+};
+const result7 = (0, sanitize_traceinfo_1.sanitizeTraceInfo)(test7, {
+    maxDepth: 3,
+    maxArrayLength: 5,
+    maxObjectKeys: 2,
+    maxStringLength: 100
+});
+console.log("自定义配置结果:", result7);
+console.log("✓ 自定义配置生效");
+console.log("\n---\n");
+console.log("✅ 所有测试完成！");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kb-server",
-  "version": "0.0.12-beta.1",
+  "version": "0.0.13",
   "description": "A fast server for Node.JS,made by express.",
   "main": "dist/index.js",
   "scripts": {