midway-fatcms 0.0.2 → 0.0.3

package/src/libs/utils/render-utils.ts

@@ -1,223 +1,223 @@
-import * as _ from 'lodash';
-import * as moment from 'moment';
-import { Context } from '@midwayjs/koa';
-import { parseJsonObject } from './functions';
-import { getExtLocalLoaderPort } from './fatcms-request';
-import { TypeUtils } from '../crud-pro/utils/TypeUtils';
-import { ISessionInfo } from '@/models/userSession';
-
-// const demo = {"schema":[
-//   {"title":"资源配置","name":"fileList","type":"array","properties":{"fileUrl":{"label":"文件URL","component":"Input","xProps":{"hasClear":true},"width":500}}}],
-//   "data":{"fileList":[{"settingKey":"n1iqmu8qnc_1","fileUrl":"aa"},{"settingKey":"n1iqmu8rml_2","fileUrl":"aa"}]
-// }}
-
-interface IFileElement {
-  fileUrl: string;
-  fileType?: string;
-  isModule?: boolean;
-}
-
-interface IRenderUtilsProps {
-  ctx: Context;
-  package_assets: any;
-  workbenchInfo: any;
-  userInfo?: ISessionInfo;
-  appInfo?: any;
-  fatcmscsrftoken: string;
-  urlcsrftoken: string;
-}
-
-function parseCookie(cookieStr: string): any {
-  const cookies = {};
-
-  if (!cookieStr) {
-    return cookies;
-  }
-
-  // 分割每个 cookie 项
-  const cookieItems = cookieStr.split(';');
-
-  for (const item of cookieItems) {
-    // 去除空白字符
-    const trimmedItem = item.trim();
-    if (!trimmedItem) {
-      continue;
-    }
-
-    // 找到第一个等号的位置
-    const eqIndex = trimmedItem.indexOf('=');
-    if (eqIndex === -1) {
-      continue;
-    }
-
-    // 提取 key 和 value
-    const key = trimmedItem.substring(0, eqIndex).trim();
-    const value = trimmedItem.substring(eqIndex + 1).trim();
-
-    // 处理可能的引号
-    if (value.startsWith('"') && value.endsWith('"')) {
-      cookies[key] = value.slice(1, -1);
-    } else {
-      cookies[key] = value;
-    }
-  }
-
-  return cookies;
-}
-
-
-function isMobileUserAgent(userAgent = '') {
-  // 空值处理
-  if (!userAgent) return false;
-
-  // 转为小写统一匹配
-  const ua = userAgent.toLowerCase();
-
-  // 【核心】移动端关键词（覆盖主流系统）
-  const mobileKeywords = /android|iphone|ipod|ios|mobile|blackberry|iemobile|opera mini|windows phone|harmonyos/i;
-  // 【排除项】平板/PC关键词（避免误判）
-  const excludeKeywords = /ipad|tablet|playbook|kindle|pc|windows nt|macintosh|linux x86_64/i;
-
-  // 判断规则：包含移动端关键词 + 不包含排除项关键词
-  const isMatchMobile = mobileKeywords.test(ua);
-  const isExclude = excludeKeywords.test(ua);
-
-  return isMatchMobile && !isExclude;
-}
-
-class RenderUtils {
-  public readonly ctx: Context;
-  public readonly fileList: IFileElement[];
-  public readonly workbenchInfo: any;
-  public readonly userInfo: ISessionInfo;
-  public readonly appInfo: any;
-  public readonly cookieInfo: any;
-  public readonly fatcmscsrftoken: string;
-  public readonly urlcsrftoken: string;
-  public readonly isMobileUserAgent: boolean;
-  public readonly isMobileByQuery: boolean;
-
-  constructor(props: IRenderUtilsProps) {
-    this.ctx = props.ctx;
-    const query = props.ctx?.query || {};
-    const headers = props.ctx?.headers || {};
-    this.workbenchInfo = props.workbenchInfo || {};
-    this.userInfo = props.userInfo || ({} as ISessionInfo);
-    this.appInfo = props.appInfo || {};
-    this.fatcmscsrftoken = props.fatcmscsrftoken;
-    this.urlcsrftoken = props.urlcsrftoken;
-    this.cookieInfo = parseCookie(headers?.cookie);
-    this.isMobileUserAgent = isMobileUserAgent(headers['user-agent'] || '');
-    this.isMobileByQuery = `${query['__is_mobile_request__']}` === 'true'
-
-    const packageAssets = parseJsonObject(props.package_assets) || {};
-    const fileList = _.get(packageAssets, 'data.fileList');
-
-
-    if (Array.isArray(fileList)) {
-      this.fileList = fileList.filter(f => {
-        return f && f.fileUrl && typeof f.fileUrl === 'string' && f.fileUrl.length > 5; // 至少五个字符。
-      });
-    } else {
-      this.fileList = [];
-      const time = moment().format('YYYY-MM-DD HH:mm:ss.SSS');
-      console.info(
-        time +
-        ' 解析fileList为空==>' +
-        JSON.stringify({
-          workbench_code: this.workbenchInfo?.workbench_code,
-          app_code: this.appInfo?.app_code,
-        })
-      );
-    }
-  }
-
-  renderCsrfToken() {
-    return `<script>window.__fatcmscsrftoken = "${this.fatcmscsrftoken}";</script>`;
-  }
-
-  renderUrlCsrfToken() {
-    return `<script>window.__fatcmsUrlCsrfToken = "${this.urlcsrftoken}";</script>`;
-  }
-
-  renderUserInfo() {
-    const userInfoClone = { ...this.userInfo };
-    delete userInfoClone.privateKey;
-    return `<script>window.__user_info = ${JSON.stringify(userInfoClone)}  </script>`;
-  }
-
-  renderWorkbenchInfo() {
-    const infoPick = _.pick(this.workbenchInfo, ['id', 'workbench_code', 'workbench_name', 'workbench_domain', 'workbench_desc', 'config_type', 'config_content']);
-    return `<script>window.__workbench_info = ${JSON.stringify(infoPick)}</script>`;
-  }
-
-  renderAppInfo() {
-    const infoPick = _.pick(this.appInfo, ['id', 'app_code', 'app_name', 'app_type', 'app_desc', 'config_type', 'config_content']);
-    return `<script>window.__app_info = ${JSON.stringify(infoPick)}</script>`;
-  }
-
-
-
-
-
-  renderCookieInfo(keys: string) {
-    try {
-      const cookies = this.cookieInfo;
-      const cookieObj = {};
-      if (typeof keys === 'string') {
-        const keyArr = keys.split(',');
-        for (let i = 0; i < keyArr.length; i++) {
-          const keyName = keyArr[i];
-          cookieObj[keyName] = cookies[keyName];
-        }
-      }
-      return `<script>window.__cookie_info = ${JSON.stringify(cookieObj)}</script>`;
-    } catch (e) {
-      return `<script>window.__cookie_info_error = ${e}; </script>`;
-    }
-  }
-
-
-
-
-  renderJsAssets() {
-    const fileList = this.fileList.filter(s => {
-      return s.fileType === 'js' || s.fileUrl.endsWith('.js');
-    });
-    const arr = fileList.map(f => {
-      if (f.isModule) {
-        return `<script type="module" crossorigin src="${f.fileUrl}" ></script>`;
-      }
-      return `<script src="${f.fileUrl}" ></script>`;
-    });
-    return arr.join('\n');
-  }
-
-  renderCssAssets() {
-    const fileList = this.fileList.filter(s => {
-      return s.fileType === 'css' || s.fileUrl.endsWith('.css');
-    });
-    const fileUrlList = fileList.map(f => {
-      return f.fileUrl;
-    });
-
-    const arr = fileUrlList.map(url => {
-      return `<link href="${url}" rel="stylesheet" />`;
-    });
-    return arr.join('\n');
-  }
-
-  renderExtLocalLoaderPortByDevHeader() {
-    const loaderPort = getExtLocalLoaderPort(this.ctx);
-    if (loaderPort && TypeUtils.isNumeric(loaderPort)) {
-      return `<script>window.__local_loader_port_from_dev_header = ${loaderPort}</script>`;
-    }
-    return '';
-  }
-}
-
-function createRenderUtils(props: IRenderUtilsProps) {
-  return new RenderUtils(props);
-}
-
-export { createRenderUtils };
+import * as _ from 'lodash';
+import * as moment from 'moment';
+import { Context } from '@midwayjs/koa';
+import { parseJsonObject } from './functions';
+import { getExtLocalLoaderPort } from './fatcms-request';
+import { TypeUtils } from '../crud-pro/utils/TypeUtils';
+import { ISessionInfo } from '@/models/userSession';
+
+// const demo = {"schema":[
+//   {"title":"资源配置","name":"fileList","type":"array","properties":{"fileUrl":{"label":"文件URL","component":"Input","xProps":{"hasClear":true},"width":500}}}],
+//   "data":{"fileList":[{"settingKey":"n1iqmu8qnc_1","fileUrl":"aa"},{"settingKey":"n1iqmu8rml_2","fileUrl":"aa"}]
+// }}
+
+interface IFileElement {
+  fileUrl: string;
+  fileType?: string;
+  isModule?: boolean;
+}
+
+interface IRenderUtilsProps {
+  ctx: Context;
+  package_assets: any;
+  workbenchInfo: any;
+  userInfo?: ISessionInfo;
+  appInfo?: any;
+  fatcmscsrftoken: string;
+  urlcsrftoken: string;
+}
+
+function parseCookie(cookieStr: string): any {
+  const cookies = {};
+
+  if (!cookieStr) {
+    return cookies;
+  }
+
+  // 分割每个 cookie 项
+  const cookieItems = cookieStr.split(';');
+
+  for (const item of cookieItems) {
+    // 去除空白字符
+    const trimmedItem = item.trim();
+    if (!trimmedItem) {
+      continue;
+    }
+
+    // 找到第一个等号的位置
+    const eqIndex = trimmedItem.indexOf('=');
+    if (eqIndex === -1) {
+      continue;
+    }
+
+    // 提取 key 和 value
+    const key = trimmedItem.substring(0, eqIndex).trim();
+    const value = trimmedItem.substring(eqIndex + 1).trim();
+
+    // 处理可能的引号
+    if (value.startsWith('"') && value.endsWith('"')) {
+      cookies[key] = value.slice(1, -1);
+    } else {
+      cookies[key] = value;
+    }
+  }
+
+  return cookies;
+}
+
+
+function isMobileUserAgent(userAgent = '') {
+  // 空值处理
+  if (!userAgent) return false;
+
+  // 转为小写统一匹配
+  const ua = userAgent.toLowerCase();
+
+  // 【核心】移动端关键词（覆盖主流系统）
+  const mobileKeywords = /android|iphone|ipod|ios|mobile|blackberry|iemobile|opera mini|windows phone|harmonyos/i;
+  // 【排除项】平板/PC关键词（避免误判）
+  const excludeKeywords = /ipad|tablet|playbook|kindle|pc|windows nt|macintosh|linux x86_64/i;
+
+  // 判断规则：包含移动端关键词 + 不包含排除项关键词
+  const isMatchMobile = mobileKeywords.test(ua);
+  const isExclude = excludeKeywords.test(ua);
+
+  return isMatchMobile && !isExclude;
+}
+
+class RenderUtils {
+  public readonly ctx: Context;
+  public readonly fileList: IFileElement[];
+  public readonly workbenchInfo: any;
+  public readonly userInfo: ISessionInfo;
+  public readonly appInfo: any;
+  public readonly cookieInfo: any;
+  public readonly fatcmscsrftoken: string;
+  public readonly urlcsrftoken: string;
+  public readonly isMobileUserAgent: boolean;
+  public readonly isMobileByQuery: boolean;
+
+  constructor(props: IRenderUtilsProps) {
+    this.ctx = props.ctx;
+    const query = props.ctx?.query || {};
+    const headers = props.ctx?.headers || {};
+    this.workbenchInfo = props.workbenchInfo || {};
+    this.userInfo = props.userInfo || ({} as ISessionInfo);
+    this.appInfo = props.appInfo || {};
+    this.fatcmscsrftoken = props.fatcmscsrftoken;
+    this.urlcsrftoken = props.urlcsrftoken;
+    this.cookieInfo = parseCookie(headers?.cookie);
+    this.isMobileUserAgent = isMobileUserAgent(headers['user-agent'] || '');
+    this.isMobileByQuery = `${query['__is_mobile_request__']}` === 'true'
+
+    const packageAssets = parseJsonObject(props.package_assets) || {};
+    const fileList = _.get(packageAssets, 'data.fileList');
+
+
+    if (Array.isArray(fileList)) {
+      this.fileList = fileList.filter(f => {
+        return f && f.fileUrl && typeof f.fileUrl === 'string' && f.fileUrl.length > 5; // 至少五个字符。
+      });
+    } else {
+      this.fileList = [];
+      const time = moment().format('YYYY-MM-DD HH:mm:ss.SSS');
+      console.info(
+        time +
+        ' 解析fileList为空==>' +
+        JSON.stringify({
+          workbench_code: this.workbenchInfo?.workbench_code,
+          app_code: this.appInfo?.app_code,
+        })
+      );
+    }
+  }
+
+  renderCsrfToken() {
+    return `<script>window.__fatcmscsrftoken = "${this.fatcmscsrftoken}";</script>`;
+  }
+
+  renderUrlCsrfToken() {
+    return `<script>window.__fatcmsUrlCsrfToken = "${this.urlcsrftoken}";</script>`;
+  }
+
+  renderUserInfo() {
+    const userInfoClone = { ...this.userInfo };
+    delete userInfoClone.privateKey;
+    return `<script>window.__user_info = ${JSON.stringify(userInfoClone)}  </script>`;
+  }
+
+  renderWorkbenchInfo() {
+    const infoPick = _.pick(this.workbenchInfo, ['id', 'workbench_code', 'workbench_name', 'workbench_domain', 'workbench_desc', 'config_type', 'config_content']);
+    return `<script>window.__workbench_info = ${JSON.stringify(infoPick)}</script>`;
+  }
+
+  renderAppInfo() {
+    const infoPick = _.pick(this.appInfo, ['id', 'app_code', 'app_name', 'app_type', 'app_desc', 'config_type', 'config_content']);
+    return `<script>window.__app_info = ${JSON.stringify(infoPick)}</script>`;
+  }
+
+
+
+
+
+  renderCookieInfo(keys: string) {
+    try {
+      const cookies = this.cookieInfo;
+      const cookieObj = {};
+      if (typeof keys === 'string') {
+        const keyArr = keys.split(',');
+        for (let i = 0; i < keyArr.length; i++) {
+          const keyName = keyArr[i];
+          cookieObj[keyName] = cookies[keyName];
+        }
+      }
+      return `<script>window.__cookie_info = ${JSON.stringify(cookieObj)}</script>`;
+    } catch (e) {
+      return `<script>window.__cookie_info_error = ${e}; </script>`;
+    }
+  }
+
+
+
+
+  renderJsAssets() {
+    const fileList = this.fileList.filter(s => {
+      return s.fileType === 'js' || s.fileUrl.endsWith('.js');
+    });
+    const arr = fileList.map(f => {
+      if (f.isModule) {
+        return `<script type="module" crossorigin src="${f.fileUrl}" ></script>`;
+      }
+      return `<script src="${f.fileUrl}" ></script>`;
+    });
+    return arr.join('\n');
+  }
+
+  renderCssAssets() {
+    const fileList = this.fileList.filter(s => {
+      return s.fileType === 'css' || s.fileUrl.endsWith('.css');
+    });
+    const fileUrlList = fileList.map(f => {
+      return f.fileUrl;
+    });
+
+    const arr = fileUrlList.map(url => {
+      return `<link href="${url}" rel="stylesheet" />`;
+    });
+    return arr.join('\n');
+  }
+
+  renderExtLocalLoaderPortByDevHeader() {
+    const loaderPort = getExtLocalLoaderPort(this.ctx);
+    if (loaderPort && TypeUtils.isNumeric(loaderPort)) {
+      return `<script>window.__local_loader_port_from_dev_header = ${loaderPort}</script>`;
+    }
+    return '';
+  }
+}
+
+function createRenderUtils(props: IRenderUtilsProps) {
+  return new RenderUtils(props);
+}
+
+export { createRenderUtils };

package/src/middleware/forbidden.middleware.ts

@@ -8,7 +8,11 @@ const BLACK_EQUAL_LIST = [
   '/config.json',
   '/backend/.env',
   '/.env',
+  '/.env.dev',
+  '/.env.prod',
   '/.env.local',
+  '/.env.staging',
+  '/.env.example',
   '/.env.production',
   '/.env.development',
   '/application.yml',
@@ -18,6 +22,7 @@ const BLACK_EQUAL_LIST = [
   '/config.yml',
   '/db.ini',
   '/database.yml',
+  '/api/.env',
   // 安全相关文件
   '/.well-known/security.txt',
   '/security.txt',
@@ -163,7 +168,7 @@ const SUSPICIOUS_USER_AGENTS = [
 
 /**
  * 安全防护中间件 - 黑名单路径拦截
- * 
+ *
  * 核心职责：
  * 1. 防御恶意爬虫：拦截常见的配置文件探测请求（.env、config.json等）
  * 2. 防御漏洞扫描：阻止安全扫描工具对敏感目录的探测（.git、.aws等）
@@ -171,13 +176,13 @@ const SUSPICIOUS_USER_AGENTS = [
  * 4. 防御路径遍历：检测并阻止 ../ 等路径遍历攻击尝试
  * 5. 识别攻击工具：检测User-Agent中的sqlmap、nikto等渗透测试工具
  * 6. 性能优化：提前拦截无效请求，避免进入业务逻辑层消耗资源
- * 
+ *
  * 应用场景：
  * - 公网暴露的Web应用：防止自动化工具批量扫描敏感路径
  * - 云原生部署环境：保护云服务配置文件不被探测（.aws、.env等）
  * - 多技术栈迁移：新系统可能残留旧技术栈痕迹，统一拦截避免误暴露
  * - 安全合规要求：主动防御已知的常见攻击路径，降低安全风险
- * 
+ *
  * 拦截策略：
  * - User-Agent检测：识别常见扫描工具（sqlmap, nikto, nmap, metasploit等）
  * - 路径遍历检测：阻止 ../, ..\, %2e%2e%2f 等编码后的遍历尝试
@@ -185,13 +190,13 @@ const SUSPICIOUS_USER_AGENTS = [
  * - 前缀匹配：.git/、.svn/、.aws/等版本控制和云服务目录
  * - 模糊匹配：wp-admin、wp-content等WordPress相关路径
  * - 后缀匹配：.php/.jsp/.asp等脚本文件、.bak/.sql等敏感文件
- * 
+ *
  * 防御能力增强：
  * - 支持30+种敏感配置文件拦截
  * - 支持50+种敏感目录前缀拦截
  * - 支持40+种危险文件后缀拦截
  * - 支持10+种常见攻击工具识别
- * 
+ *
  * 注意事项：
  * 此中间件拦截的路径在实际项目中并不存在，仅为安全防护层。
  * 被拦截的请求会立即返回404，不会进入后续业务逻辑。
@@ -288,8 +293,13 @@ export class ForbiddenMiddleware implements IMiddleware<Context, NextFunction> {
    * 检查是否包含路径遍历政击特征
    */
   private hasPathTraversal(path: string): boolean {
-    const decodedPath = decodeURIComponent(path);
-    return SUSPICIOUS_QUERY_PATTERNS.some(pattern => decodedPath.includes(pattern));
+    try {
+      const decodedPath = decodeURIComponent(path);
+      return SUSPICIOUS_QUERY_PATTERNS.some(pattern => decodedPath.includes(pattern));
+    } catch (e) {
+      // URL解码失败（如包含非法编码字符），直接判定为可疑请求
+      return true;
+    }
   }
 
   /**

package/src/middleware/global.middleware.ts

@@ -77,7 +77,7 @@ function handleNullRes(res: any): ICommonResult {
  * @param res
  */
 function handleArrayRes(res: any): ICommonResult {
-  if (Array.isArray(res) && res.length) {
+  if (Array.isArray(res)) {
     return { success: true, data: res };
   }
   return res;

package/src/models/SystemEntities.ts

@@ -79,6 +79,7 @@ export enum ProxyUserContextEnum {
   NO_PASS = 0,
   BASIC_INFO = 1,
   SESSION_INFO = 2,
+  BASIC_INFO_BIZ_EXT = 3,
 }
 
 export interface IProxyApiEntity extends IApiBaseEntity {

package/src/models/WorkbenchInfoTools.ts

@@ -1,19 +1,19 @@
-import { parseJsonObject } from "@/libs/utils/functions";
-import { IWorkbenchConfig, IWorkbenchEntity} from "./SystemEntities";
-
-
-
-export class WorkbenchInfoTools {
-    private parsedConfigContent: IWorkbenchConfig = null;
-    constructor(private readonly workbenchInfo: IWorkbenchEntity) {
-    }
-
-    public getWorkbenchConfig(): IWorkbenchConfig {
-        if (this.parsedConfigContent) {
-            return this.parsedConfigContent;
-        }
-        const configObj: IWorkbenchConfig = parseJsonObject(this.workbenchInfo?.config_content);
-        this.parsedConfigContent = configObj || {};
-        return this.parsedConfigContent;
-    }
-}
+import { parseJsonObject } from "@/libs/utils/functions";
+import { IWorkbenchConfig, IWorkbenchEntity} from "./SystemEntities";
+
+
+
+export class WorkbenchInfoTools {
+    private parsedConfigContent: IWorkbenchConfig = null;
+    constructor(private readonly workbenchInfo: IWorkbenchEntity) {
+    }
+
+    public getWorkbenchConfig(): IWorkbenchConfig {
+        if (this.parsedConfigContent) {
+            return this.parsedConfigContent;
+        }
+        const configObj: IWorkbenchConfig = parseJsonObject(this.workbenchInfo?.config_content);
+        this.parsedConfigContent = configObj || {};
+        return this.parsedConfigContent;
+    }
+}

package/src/service/AuthService.ts

@@ -178,6 +178,9 @@ export class AuthService extends BaseService {
       if (!isEnableSuperAdmin(this.ctx)) {
         return null;
       }
+      if(!Array.isArray(superAdminList)) {
+        return null;
+      }
       return superAdminList.find((s)=>{
         return s.login_name === loginName;
       })