npm - mm_os - Versions diffs - 3.2.9 → 3.3.1 - Mend

mm_os 3.2.9 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/README.md +47 -1
package/core/base/mqtt/index.js +1109 -1106
package/core/base/web/index.js +245 -156
package/core/com/event/README.md +4 -4
package/core/com/event/com.json +3 -3
package/core/com/event/config.tpl.json +18 -18
package/core/com/event/drive.js +132 -132
package/core/com/event/index.js +344 -344
package/core/com/event/script.js +25 -25
package/core/com/middleware/com.js +152 -151
package/core/com/socket/config.tpl.json +2 -2
package/core/com/socket/drive.js +2 -2
package/core/com/socket/index.js +1 -1
package/core/com/sql/drive.js +7 -7
package/core/com/static/index.js +1 -1
package/index.js +34 -5
package/middleware/cors/index.js +112 -96
package/middleware/cors/middleware.json +18 -7
package/middleware/csrf/index.js +202 -0
package/middleware/csrf/middleware.json +24 -0
package/middleware/ip_firewall/index.js +476 -0
package/middleware/ip_firewall/middleware.json +109 -0
package/middleware/mqtt_base/middleware.json +2 -1
package/middleware/security_audit/index.js +543 -0
package/middleware/security_audit/middleware.json +48 -0
package/middleware/waf/index.js +273 -7
package/middleware/waf/middleware.json +2 -1
package/middleware/waf_ddos/index.js +520 -0
package/middleware/waf_ddos/middleware.json +38 -0
package/middleware/waf_xss/index.js +269 -0
package/middleware/waf_xss/middleware.json +18 -0
package/middleware/web_after/middleware.json +2 -1
package/middleware/web_base/middleware.json +2 -1
package/middleware/web_before/middleware.json +3 -2
package/middleware/web_check/middleware.json +2 -1
package/middleware/web_main/middleware.json +2 -1
package/middleware/web_proxy/middleware.json +2 -1
package/middleware/web_render/middleware.json +2 -1
package/middleware/web_socket/middleware.json +4 -3
package/middleware/web_static/middleware.json +2 -1
package/package.json +28 -15
package/middleware/log/index.js +0 -32
package/middleware/log/middleware.json +0 -9
package/middleware/performance/index.js +0 -143
package/middleware/performance/middleware.json +0 -16
package/middleware/rate_limit/index.js +0 -112
package/middleware/rate_limit/middleware.json +0 -10
package/middleware/waf_ip/index.js +0 -168
package/middleware/waf_ip/middleware.json +0 -10
package/nodemon.json +0 -31
package/package.txt +0 -1
package/rps.bat +0 -3
package/test.js +0 -10
package/tps.bat +0 -3
package/update.bat +0 -1
package//347/263/273/347/273/237/346/236/266/346/236/204/350/257/204/344/274/260/344/270/216/344/274/230/345/214/226/345/273/272/350/256/256.md +0 -599

package/middleware/waf_xss/index.js ADDED Viewed

@@ -0,0 +1,269 @@
+const mm_expand = require('mm_expand');
+/**
+ * XSS攻击防护中间件
+ */
+class Middleware {
+    /**
+     * 构造函数
+     */
+    constructor() {
+        this.default = {
+            // 过滤模式: sanitize(清理) | encode(编码) | both(同时进行)
+            mode: 'both',
+            // 是否过滤URL参数
+            query: true,
+            // 是否过滤表单数据
+            body: true,
+            // 是否过滤Cookie
+            cookie: true,
+            // 白名单标签
+            allowedTags: ['p', 'span', 'b', 'i', 'u', 'strong', 'em', 'br'],
+            // 白名单属性
+            allowedAttributes: ['id', 'class', 'style'],
+            // 是否记录XSS攻击尝试
+            log: true,
+            // 是否阻止恶意请求
+            block: true
+        };
+    }
+    /**
+     * 初始化中间件
+     * @param {Object} config 配置项
+     */
+    init(config) {
+        config = Object.assign({}, this.default, config);
+        this.config = config;
+        return function() {
+            // 返回中间件的run方法作为实际的处理函数
+            return function(ctx, next) {
+                return middleware.run(ctx, next);
+            };
+        };
+    }
+    /**
+     * 获取客户端真实IP
+     * 在代理环境中，优先从代理头获取真实IP
+     * @param {Object} ctx Koa上下文
+     * @returns {String} 客户端真实IP
+     */
+    getClientIp(ctx) {
+        const headers = ctx.headers;
+        // 优先检查常用代理头获取真实IP
+        // 注意：X-Forwarded-For 可能包含多个IP，取第一个非未知IP的值
+        const xForwardedFor = headers['x-forwarded-for'];
+        if (xForwardedFor) {
+            // X-Forwarded-For 格式通常为: client, proxy1, proxy2
+            const ips = xForwardedFor.split(',').map(ip => ip.trim());
+            for (let i = 0; i < ips.length; i++) {
+                const ip = ips[i];
+                if (ip && ip !== 'unknown' && ip !== '127.0.0.1' && ip !== '::1') {
+                    return ip;
+                }
+            }
+        }
+        // 检查其他常见的代理头
+        return headers['x-real-ip'] ||
+               headers['x-client-ip'] ||
+               headers['cf-connecting-ip'] || // CloudFlare
+               headers['fastly-client-ip'] || // Fastly
+               headers['true-client-ip'] || // Akamai and Cloudflare
+               ctx.ip; // 默认回退到ctx.ip
+    }
+    /**
+     * 执行中间件
+     * @param {Object} ctx Koa上下文
+     * @param {Function} next 下一个中间件
+     */
+    async run(ctx, next) {
+        const config = this.config;
+        let hasXSS = false;
+        let attackInfo = {};
+        // 清理URL查询参数
+        if (config.query && ctx.query) {
+            for (let key in ctx.query) {
+                const original = ctx.query[key];
+                const sanitized = this.sanitizeInput(original, config);
+                if (original !== sanitized) {
+                    ctx.query[key] = sanitized;
+                    hasXSS = true;
+                    attackInfo[`query.${key}`] = { original, sanitized };
+                }
+            }
+        }
+        // 清理请求体数据
+        if (config.body && ctx.request.body) {
+            this.cleanObject(ctx.request.body, config, attackInfo, 'body', hasXSS);
+        }
+        // 清理Cookie
+        if (config.cookie && ctx.cookies) {
+            const cookies = ctx.headers.cookie;
+            if (cookies) {
+                // 记录Cookie中的XSS尝试但不修改，因为修改Cookie需要重新设置
+                const cookieArr = cookies.split(';');
+                for (let cookie of cookieArr) {
+                    const [name, value] = cookie.split('=').map(item => item.trim());
+                    const sanitized = this.sanitizeInput(decodeURIComponent(value), config);
+                    if (value !== sanitized) {
+                        hasXSS = true;
+                        attackInfo[`cookie.${name}`] = { original: value, sanitized };
+                    }
+                }
+            }
+        }
+        // 记录XSS攻击尝试
+        if (hasXSS && config.log && $.log) {
+            $.log.warn('XSS Attack Attempt Detected:', {
+                ip: this.getClientIp(ctx),
+                path: ctx.path,
+                method: ctx.method,
+                attackInfo
+            });
+        }
+        // 阻止恶意请求
+        if (hasXSS && config.block) {
+            ctx.status = 403;
+            ctx.body = {
+                code: 403,
+                msg: 'Forbidden: Potential XSS attack detected'
+            };
+            return;
+        }
+        // 添加安全响应头
+        this.addSecurityHeaders(ctx);
+        await next();
+    }
+    /**
+     * 递归清理对象中的XSS内容
+     * @param {Object} obj 要清理的对象
+     * @param {Object} config 配置项
+     * @param {Object} attackInfo 攻击信息收集对象
+     * @param {String} prefix 路径前缀
+     * @param {Boolean} hasXSS 是否已发现XSS
+     */
+    cleanObject(obj, config, attackInfo, prefix, hasXSS) {
+        if (!obj || typeof obj !== 'object') return;
+        for (let key in obj) {
+            const path = `${prefix}.${key}`;
+            if (typeof obj[key] === 'string') {
+                const original = obj[key];
+                const sanitized = this.sanitizeInput(original, config);
+                if (original !== sanitized) {
+                    obj[key] = sanitized;
+                    hasXSS = true;
+                    attackInfo[path] = { original, sanitized };
+                }
+            } else if (typeof obj[key] === 'object') {
+                this.cleanObject(obj[key], config, attackInfo, path, hasXSS);
+            }
+        }
+    }
+    /**
+     * 清理输入内容
+     * @param {String} input 输入内容
+     * @param {Object} config 配置项
+     * @returns {String} 清理后的内容
+     */
+    sanitizeInput(input, config) {
+        if (!input || typeof input !== 'string') return input;
+        let output = input;
+        // 根据模式选择清理方式
+        if (config.mode === 'sanitize' || config.mode === 'both') {
+            output = this.sanitizeHTML(output, config);
+        }
+        if (config.mode === 'encode' || config.mode === 'both') {
+            output = this.encodeHTML(output);
+        }
+        return output;
+    }
+    /**
+     * 清理HTML内容
+     * @param {String} html HTML内容
+     * @param {Object} config 配置项
+     * @returns {String} 清理后的内容
+     */
+    sanitizeHTML(html, config) {
+        // 简单的HTML标签清理实现
+        // 在生产环境中，可以使用更强大的库如DOMPurify
+        let clean = html;
+        // 移除所有脚本标签
+        clean = clean.replace(/<script[^>]*>.*?<\/script>/gi, '');
+        // 移除所有事件处理器
+        clean = clean.replace(/\s+on\w+\s*=\s*["\']?[^"\'>\s]+/gi, '');
+        // 移除危险的URL协议
+        clean = clean.replace(/(src|href|data|action)\s*=\s*["\']?(javascript|data|vbscript):/gi, '$1=');
+        return clean;
+    }
+    /**
+     * 编码HTML特殊字符
+     * @param {String} html HTML内容
+     * @returns {String} 编码后的内容
+     */
+    encodeHTML(html) {
+        return String(html)
+            .replace(/&/g, '&amp;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#39;');
+    }
+    /**
+     * 添加安全响应头
+     * @param {Object} ctx Koa上下文
+     */
+    addSecurityHeaders(ctx) {
+        // X-XSS-Protection 头
+        ctx.set('X-XSS-Protection', '1; mode=block');
+        // Content-Security-Policy 头
+		ctx.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
+    }
+}
+// 创建中间件实例
+const middleware = new Middleware();
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+    // 初始化中间件
+    const handlerFactory = middleware.init(config);
+    const middlewareHandler = handlerFactory();
+    // 直接使用server.use注册中间件
+    server.use(middlewareHandler);
+    // 记录中间件初始化信息
+    if ($.log && $.log.info) {
+        $.log.info(`XSS防护中间件已加载: 模式=${middleware.config.mode}, 过滤=${middleware.config.query ? 'query' : ''}${middleware.config.body ? ' body' : ''}${middleware.config.cookie ? ' cookie' : ''}`);
+    }
+    return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/waf_xss/middleware.json ADDED Viewed

@@ -0,0 +1,18 @@
+{
+  "name": "waf_xss",
+  "title": "XSS攻击防护中间件",
+  "type": "web_before",
+  "state": 1,
+  "sort": 10,
+  "desc": "提供全面的XSS攻击防护，包括输入过滤和安全响应头设置",
+  "config": {
+    "mode": "both",
+    "query": true,
+    "body": true,
+    "cookie": true,
+    "allowedTags": ["p", "span", "b", "i", "u", "strong", "em", "br"],
+    "allowedAttributes": ["id", "class", "style"],
+    "log": true,
+    "block": true
+  }
+}

package/middleware/web_after/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 150
+	"sort": 150,
+	"state": 1
 }

package/middleware/web_base/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 70
+	"sort": 70,
+	"state": 1
 }

package/middleware/web_before/middleware.json CHANGED Viewed

@@ -1,9 +1,10 @@
 {
-	"name": "web_berofe",
+	"name": "web_before",
 	"title": "web请求前",
 	"description": "用于",
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 80
+	"sort": 80,
+	"state": 1
 }

package/middleware/web_check/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 90
+	"sort": 90,
+	"state": 1
 }

package/middleware/web_main/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 100
+	"sort": 100,
+	"state": 1
 }

package/middleware/web_proxy/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "worker",
-	"sort": 110
+	"sort": 110,
+	"state": 1
 }

package/middleware/web_render/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 120
+	"sort": 120,
+	"state": 1
 }

package/middleware/web_socket/middleware.json CHANGED Viewed

@@ -1,9 +1,10 @@
 {
-	"name": "web_scoket",
-	"title": "webscoket通讯",
+	"name": "web_socket",
+	"title": "websocket通讯",
 	"description": "用于即时通讯",
 	"version": "1.0",
 	"type": "web",
 	"process_type": "master",
-	"sort": 130
+	"sort": 130,
+	"state": 1
 }

package/middleware/web_static/middleware.json CHANGED Viewed

@@ -5,5 +5,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "worker",
-	"sort": 140
+	"sort": 140,
+	"state": 1
 }

package/package.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
 	"name": "mm_os",
-	"version": "3.2.9",
+	"version": "3.3.1",
 	"description": "这是超级美眉服务端框架，用于快速构建应用程序。",
 	"main": "index.js",
 	"scripts": {
-		"test": "cross-env NODE_ENV=test node ./demo/index.js",
-		"start": "node --trace-warnings ./demo/index.js",
-		"dev": "cross-env NODE_ENV=development nodemon ./demo/index.js"
+		"test": "cross-env NODE_ENV=test node --no-warnings=DEP0060 ./demo/index.js",
+		"start": "node --trace-warnings --no-warnings=DEP0060 ./demo/index.js",
+		"dev": "cross-env NODE_ENV=development nodemon --no-warnings=DEP0060 ./demo/index.js"
 	},
 	"repository": {
 		"type": "git",
@@ -29,30 +29,43 @@
 	],
 	"author": "邱文武",
 	"license": "ISC",
+	"files": [
+		"index.js",
+		"core/**",
+		"lib/**",
+		"middleware/**",
+		"conf.json",
+		"README.md",
+		"README.en.md",
+		"LICENSE"
+	],
 	"dependencies": {
-		"compressing": "^1.10.3",
-		"koa": "^3.0.0",
-		"koa-body": "^6.0.1",
+		"compressing": "^2.0.0",
+		"js-beautify": "^1.15.4",
+		"koa": "^3.1.1",
+		"koa-body": "^7.0.0",
 		"koa-compress": "^5.1.1",
 		"koa-send": "^5.0.1",
 		"koa-websocket": "^7.0.0",
 		"mm_check": "^1.5.0",
+		"mm_email": "^1.0.5",
 		"mm_excel": "^1.2.2",
-		"mm_expand": "^1.8.3",
+		"mm_expand": "^1.8.8",
 		"mm_html": "^1.1.7",
+		"mm_https": "^1.6.3",
 		"mm_koa_proxy": "^1.0.1",
-		"mm_logs": "^1.2.0",
-		"mm_machine": "^2.0.1",
-		"mm_mongodb": "^1.4.4",
+		"mm_logs": "^1.5.3",
+		"mm_machine": "^2.0.5",
+		"mm_mongodb": "^1.5.0",
 		"mm_mqtt": "^1.0.7",
-		"mm_mysql": "^2.0.2",
-		"mm_redis": "^1.4.2",
+		"mm_mysql": "^2.1.0",
+		"mm_redis": "^2.0.2",
 		"mm_ret": "^1.4.1",
 		"mm_session": "^1.5.0",
 		"mm_statics": "^1.5.1",
 		"mm_tpl": "^2.4.3",
 		"mm_xml": "^1.1.7",
 		"mosca": "^2.8.3",
-		"mqtt": "^5.13.1"
+		"mqtt": "^5.14.1"
 	}
-}
+}

package/middleware/log/index.js DELETED Viewed

@@ -1,32 +0,0 @@
-/**
- * web日志
- * @param {Object} server 服务
- * @param {Object} config 配置参数
- */
-module.exports = function(server, config) {
-	/* 跨域限制（web防火墙） */
-	server.use(async (ctx, next) => {
-		try {
-			var url = ctx.path + ctx.querystring;
-			var body = "";
-			if (ctx.request.body) {
-				try {
-					body = JSON.stringify(ctx.request.body);
-					if (body.length > 1024) {
-						body = body.substring(0, 1024) + "..."
-					}
-				} catch (jsonError) {
-					body = "[无法序列化请求体]";
-					$.log.error('日志中间件JSON序列化错误:', jsonError);
-				}
-			}
-			$.log.http(`${ctx.method}\t${url}\t${body}`);
-			await next();
-		} catch (error) {
-			$.log.error('log中间件错误:', error);
-			// 确保请求可以继续处理
-			await next();
-		}
-	});
-	return server;
-};

package/middleware/log/middleware.json DELETED Viewed

@@ -1,9 +0,0 @@
-{
-	"name": "web_log",
-	"title": "web请求日志",
-	"description": "用于记录http请求",
-	"version": "1.0",
-	"type": "web",
-	"process_type": "common_before",
-	"sort": 40
-}

package/middleware/performance/index.js DELETED Viewed

@@ -1,143 +0,0 @@
-/**
- * 请求性能监控中间件
- * 记录请求响应时间，监控慢请求，提供性能数据收集
- */
-module.exports = function(server, config) {
-  if(config.web && !config.web.performance) {
-    return server;
-  }
-  // 默认配置
-  const cg = Object.assign({
-    slowThreshold: 1000, // 慢请求阈值，单位毫秒
-    enableMetrics: true, // 是否启用性能指标收集
-    ignorePaths: []      // 忽略监控的路径
-  }, config);
-  // 性能监控数据收集器
-  const performanceData = {
-    counters: new Map(), // 请求计数器
-    responseTimes: new Map(), // 响应时间数据
-    slowRequests: [] // 慢请求记录
-  };
-  // 全局性能监控对象
-  $.performanceMonitor = {
-    record: function(path, responseTime) {
-      if (!cg.enableMetrics) return;
-      // 更新请求计数
-      if (!performanceData.counters.has(path)) {
-        performanceData.counters.set(path, 1);
-        performanceData.responseTimes.set(path, { sum: responseTime, count: 1, min: responseTime, max: responseTime });
-      } else {
-        performanceData.counters.set(path, performanceData.counters.get(path) + 1);
-        const stats = performanceData.responseTimes.get(path);
-        stats.sum += responseTime;
-        stats.count += 1;
-        stats.min = Math.min(stats.min, responseTime);
-        stats.max = Math.max(stats.max, responseTime);
-      }
-      // 记录慢请求
-      if (responseTime > cg.slowThreshold) {
-        performanceData.slowRequests.push({
-          path: path,
-          time: new Date(),
-          responseTime: responseTime
-        });
-        // 限制慢请求记录数量
-        if (performanceData.slowRequests.length > 1000) {
-          performanceData.slowRequests.shift();
-        }
-      }
-    },
-    getStats: function() {
-      const result = {};
-      performanceData.counters.forEach((count, path) => {
-        const times = performanceData.responseTimes.get(path);
-        result[path] = {
-          count: count,
-          avg: times.sum / times.count,
-          min: times.min,
-          max: times.max
-        };
-      });
-      return result;
-    },
-    getSlowRequests: function(limit = 100) {
-      return performanceData.slowRequests.slice(-limit);
-    },
-    reset: function() {
-      performanceData.counters.clear();
-      performanceData.responseTimes.clear();
-      performanceData.slowRequests = [];
-    }
-  };
-  // 性能监控中间件
-  server.use(async (ctx, next) => {
-    // 检查是否需要忽略此路径
-    const shouldIgnore = cg.ignorePaths.some(pattern => {
-      if (typeof pattern === 'string') {
-        return ctx.path === pattern;
-      } else if (pattern instanceof RegExp) {
-        return pattern.test(ctx.path);
-      }
-      return false;
-    });
-    if (shouldIgnore) {
-      await next();
-      return;
-    }
-    const start = Date.now();
-    const startTime = process.hrtime();
-    try {
-      await next();
-    } finally {
-      const ms = Date.now() - start;
-      const [seconds, nanoseconds] = process.hrtime(startTime);
-      const executionTime = seconds * 1000 + nanoseconds / 1000000;
-      // 设置响应时间头
-      ctx.set('X-Response-Time', `${ms}ms`);
-      // 记录性能数据
-      $.performanceMonitor.record(ctx.path, ms);
-      // 慢请求报警
-      if (ms > cg.slowThreshold) {
-        const clientIP = ctx.headers['x-forwarded-for'] || ctx.ip;
-        $.log.warn(`【慢请求】 ${ctx.method} ${ctx.path} - ${ms}ms - ${clientIP}`);
-        // 如果是非常慢的请求（超过阈值的2倍），记录更多信息
-        if (ms > cg.slowThreshold * 2) {
-          const userAgent = ctx.headers['user-agent'] || 'unknown';
-          let requestData = '';
-          try {
-            if (ctx.method !== 'GET' && ctx.request.body) {
-              const bodyStr = JSON.stringify(ctx.request.body);
-              // 限制记录的请求体大小
-              requestData = bodyStr.length > 1024 ? bodyStr.substring(0, 1024) + '...' : bodyStr;
-            }
-          } catch (e) {
-            requestData = '[无法序列化请求体]';
-          }
-          $.log.warn(`【慢请求详情】路径: ${ctx.path}, 方法: ${ctx.method}, 耗时: ${ms}ms, IP: ${clientIP}, UA: ${userAgent.substring(0, 200)}`);
-          if (requestData) {
-            $.log.warn(`【慢请求数据】${requestData}`);
-          }
-        }
-      }
-    }
-  });
-  return server;
-};

package/middleware/performance/middleware.json DELETED Viewed

@@ -1,16 +0,0 @@
-{
-  "name": "performance",
-  "title": "性能监控",
-  "description": "记录请求响应时间，监控慢请求，提供性能数据收集",
-  "mode": "web",
-  "priority": 10,
-  "config": {
-    "slowThreshold": 1000,
-    "enableMetrics": true,
-    "ignorePaths": [
-      "/favicon.ico",
-      "/robots.txt",
-      "/static/"
-    ]
-  }
-}