npm - mm_os - Versions diffs - 3.2.9 → 3.3.1 - Mend

mm_os 3.2.9 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/README.md +47 -1
package/core/base/mqtt/index.js +1109 -1106
package/core/base/web/index.js +245 -156
package/core/com/event/README.md +4 -4
package/core/com/event/com.json +3 -3
package/core/com/event/config.tpl.json +18 -18
package/core/com/event/drive.js +132 -132
package/core/com/event/index.js +344 -344
package/core/com/event/script.js +25 -25
package/core/com/middleware/com.js +152 -151
package/core/com/socket/config.tpl.json +2 -2
package/core/com/socket/drive.js +2 -2
package/core/com/socket/index.js +1 -1
package/core/com/sql/drive.js +7 -7
package/core/com/static/index.js +1 -1
package/index.js +34 -5
package/middleware/cors/index.js +112 -96
package/middleware/cors/middleware.json +18 -7
package/middleware/csrf/index.js +202 -0
package/middleware/csrf/middleware.json +24 -0
package/middleware/ip_firewall/index.js +476 -0
package/middleware/ip_firewall/middleware.json +109 -0
package/middleware/mqtt_base/middleware.json +2 -1
package/middleware/security_audit/index.js +543 -0
package/middleware/security_audit/middleware.json +48 -0
package/middleware/waf/index.js +273 -7
package/middleware/waf/middleware.json +2 -1
package/middleware/waf_ddos/index.js +520 -0
package/middleware/waf_ddos/middleware.json +38 -0
package/middleware/waf_xss/index.js +269 -0
package/middleware/waf_xss/middleware.json +18 -0
package/middleware/web_after/middleware.json +2 -1
package/middleware/web_base/middleware.json +2 -1
package/middleware/web_before/middleware.json +3 -2
package/middleware/web_check/middleware.json +2 -1
package/middleware/web_main/middleware.json +2 -1
package/middleware/web_proxy/middleware.json +2 -1
package/middleware/web_render/middleware.json +2 -1
package/middleware/web_socket/middleware.json +4 -3
package/middleware/web_static/middleware.json +2 -1
package/package.json +28 -15
package/middleware/log/index.js +0 -32
package/middleware/log/middleware.json +0 -9
package/middleware/performance/index.js +0 -143
package/middleware/performance/middleware.json +0 -16
package/middleware/rate_limit/index.js +0 -112
package/middleware/rate_limit/middleware.json +0 -10
package/middleware/waf_ip/index.js +0 -168
package/middleware/waf_ip/middleware.json +0 -10
package/nodemon.json +0 -31
package/package.txt +0 -1
package/rps.bat +0 -3
package/test.js +0 -10
package/tps.bat +0 -3
package/update.bat +0 -1
package//347/263/273/347/273/237/346/236/266/346/236/204/350/257/204/344/274/260/344/270/216/344/274/230/345/214/226/345/273/272/350/256/256.md +0 -599

package/middleware/cors/index.js CHANGED Viewed

@@ -1,103 +1,119 @@
 /**
- * 跨域请求
- * @param {Object} server 服务
- * @param {Object} config 配置参数
+ * CORS跨域中间件
+ * 处理跨域资源共享(CORS)配置
  */
-module.exports = function(server, config) {
-	var cos = config.cos;
-	if (cos && cos.status) {
-		if (cos.headers && cos.origin !== "*") {
-			/* 跨域限制（web防火墙） */
-			server.use(async (ctx, next) => {
-				try {
-					var req = ctx.request;
+class CorsMiddleware {
+    constructor() {
+        this.default = {
+            // 启用CORS
+            enable: true,
+            // 允许的源
+            origin: '*',
+            // 允许的请求头
+            headers: '*',
+            // 允许的HTTP方法
+            methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD'],
+            // 允许携带凭证
+            credentials: false,
+            // 预检请求的有效期(秒)
+            max_age: 3600,
+            // 暴露的响应头
+            expose_headers: [],
+            // 忽略的路径
+            ignore_paths: []
+        };
+    }
+}
-					// 允许来自所有域名请求
-					ctx.set('Access-Control-Allow-Origin', cos.origin);
-					// 这样就能只允许 http://localhost:8080 这个域名的请求了
-					// ctx.set("Access-Control-Allow-Origin", "http://localhost:8080");
+CorsMiddleware.prototype.init = function(config) {
+    this.config = Object.assign({}, this.default, config || {});
+    return this;
+};
-					// 字段是必需的。它也是一个逗号分隔的字符串，表明服务器支持的所有头信息字段.
-					if (req.method == "OPTIONS") {
-						ctx.set('Access-Control-Allow-Headers', cos.headers);
+CorsMiddleware.prototype.run = async function(ctx, next) {
+    const config = this.config;
+    if (!config.enable) {
+        return await next();
+    }
+    // 检查是否应该忽略该路径
+    const path = ctx.path;
+    if (config.ignore_paths.some(p => path.startsWith(p))) {
+        return await next();
+    }
+    // 设置CORS头
+    this._setCorsHeaders(ctx, config);
+    // 处理预检请求
+    if (ctx.method === 'OPTIONS') {
+        ctx.status = 204;
+        return;
+    }
+    await next();
+};
-						// 服务器收到请求以后，检查了Origin、Access-Control-Request-Method和Access-Control-Request-Headers字段以后，确认允许跨源请求，就可以做出回应。
-						// Content-Type表示具体请求中的媒体类型信息
-						// ctx.set("Content-Type", "application/json;charset=utf-8");
-						// 设置所允许的HTTP请求方法PUT,POST,GET,DELETE,HEAD,OPTIONS
-						// ctx.set('Access-Control-Allow-Methods', 'GET,POST');
+CorsMiddleware.prototype._setCorsHeaders = function(ctx, config) {
+    // 设置Access-Control-Allow-Origin
+    if (config.origin === '*') {
+        ctx.set('Access-Control-Allow-Origin', '*');
+    } else if (Array.isArray(config.origin)) {
+        const requestOrigin = ctx.get('Origin');
+        if (config.origin.includes(requestOrigin)) {
+            ctx.set('Access-Control-Allow-Origin', requestOrigin);
+        }
+    } else {
+        ctx.set('Access-Control-Allow-Origin', config.origin);
+    }
+    // 设置Access-Control-Allow-Headers
+    if (config.headers === '*') {
+        ctx.set('Access-Control-Allow-Headers', '*');
+    } else if (Array.isArray(config.headers)) {
+        ctx.set('Access-Control-Allow-Headers', config.headers.join(', '));
+    } else {
+        ctx.set('Access-Control-Allow-Headers', config.headers);
+    }
+    // 设置Access-Control-Allow-Methods
+    ctx.set('Access-Control-Allow-Methods', config.methods.join(', '));
+    // 设置Access-Control-Allow-Credentials
+    if (config.credentials) {
+        ctx.set('Access-Control-Allow-Credentials', 'true');
+    }
+    // 设置Access-Control-Max-Age
+    if (config.max_age > 0) {
+        ctx.set('Access-Control-Max-Age', config.max_age.toString());
+    }
+    // 设置Access-Control-Expose-Headers
+    if (config.expose_headers.length > 0) {
+        ctx.set('Access-Control-Expose-Headers', config.expose_headers.join(', '));
+    }
+};
-						// 该字段可选。它的值是一个布尔值，表示是否允许发送Cookie。默认情况下，Cookie不包括在CORS请求之中。
-						// 当设置成允许请求携带cookie时，需要保证"Access-Control-Allow-Origin"是服务器有的域名，而不能是"*";
-						// ctx.set("Access-Control-Allow-Credentials", 'false');
+// 创建中间件实例
+const middleware = new CorsMiddleware();
-						// 该字段可选，用来指定本次预检请求的有效期，单位为秒。
-						// 当请求方法是PUT或DELETE等特殊方法或者Content-Type字段的类型是application/json时，服务器会提前发送一次请求进行验证
-						// 下面的的设置只本次验证的有效时间，即在该时间段内服务端可以不用进行验证
-						// ctx.set("Access-Control-Max-Age", '3600');
-						/*
-						CORS请求时，XMLHttpRequest对象的getResponseHeader()方法只能拿到6个基本字段：
-						    Cache-Control、
-						    Content-Language、
-						    Content-Type、
-						    Expires、
-						    Last-Modified、
-						    Pragma
-						*/
-						// 需要获取其他字段时，使用Access-Control-Expose-Headers，
-						// getResponseHeader('myData')可以返回我们所需的值
-						// ctx.set("Access-Control-Expose-Headers", "myData");
-						ctx.status = 204;
-					} else {
-						await next();
-					}
-				} catch (error) {
-					$.log.error('CORS中间件错误(origin限制):', error);
-					// 出错时默认允许请求继续处理
-					await next();
-				}
-			});
-		} else if (cos.headers && cos.headers !== "*") {
-			/* 跨域限制（web防火墙） */
-			server.use(async (ctx, next) => {
-				try {
-					var req = ctx.request;
-					// 允许来自所有域名请求
-					ctx.set('Access-Control-Allow-Origin', '*');
-					// ctx.set('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');
-					if (req.method === 'OPTIONS') {
-						ctx.set('Access-Control-Allow-Headers', cos.headers);
-						ctx.status = 204;
-					} else {
-						await next();
-					}
-				} catch (error) {
-					$.log.error('CORS中间件错误(headers限制):', error);
-					// 出错时默认允许请求继续处理
-					await next();
-				}
-			});
-		} else {
-			/* 跨域限制（web防火墙） */
-			server.use(async (ctx, next) => {
-				try {
-					var req = ctx.request;
-					// 允许来自所有域名请求
-					ctx.set('Access-Control-Allow-Origin', '*');
-					// ctx.set('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');
-					if (req.method === 'OPTIONS') {
-						ctx.set('Access-Control-Allow-Headers', '*');
-						ctx.status = 204;
-					} else {
-						await next();
-					}
-				} catch (error) {
-					$.log.error('CORS中间件错误(完全宽松):', error);
-					// 出错时默认允许请求继续处理
-					await next();
-				}
-			});
-		}
-	}
-	return server;
-};
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+    // 初始化中间件
+    middleware.init(config);
+    // 注册中间件到服务器
+    server.use(middleware.run.bind(middleware));
+    // 记录中间件初始化信息
+    if ($.log && $.log.info) {
+        $.log.info(`CORS中间件已加载: 启用=${middleware.config.enable}, 源=${middleware.config.origin}`);
+    }
+    return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/cors/middleware.json CHANGED Viewed

@@ -1,9 +1,20 @@
 {
-	"name": "web_cors",
-	"title": "web跨域请求",
-	"description": "用于跨域请求限制",
-	"version": "1.0",
-	"type": "web",
-	"process_type": "common_before",
-	"sort": 50
+  "name": "cors",
+  "title": "CORS跨域中间件",
+  "description": "处理跨域资源共享(CORS)配置，支持灵活的跨域策略",
+  "version": "1.0",
+  "type": "web",
+  "process_type": "common_before",
+  "sort": 15,
+  "state": 1,
+  "config": {
+    "enable": true,
+    "origin": "*",
+    "headers": "*",
+    "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"],
+    "credentials": false,
+    "max_age": 3600,
+    "expose_headers": [],
+    "ignore_paths": []
+  }
 }

package/middleware/csrf/index.js ADDED Viewed

@@ -0,0 +1,202 @@
+/**
+ * CSRF保护中间件
+ * 防止跨站请求伪造攻击
+ */
+class CsrfMiddleware {
+    constructor() {
+        this.default = {
+            // 启用CSRF保护
+            enable: true,
+            // CSRF令牌的Cookie名称
+            cookie_name: 'csrf_token',
+            // CSRF令牌的请求头名称
+            header_name: 'X-CSRF-Token',
+            // CSRF令牌的表单字段名称
+            form_field: '_csrf',
+            // CSRF令牌的过期时间(毫秒)
+            max_age: 3600000, // 1小时
+            // 忽略的HTTP方法
+            ignore_methods: ['GET', 'HEAD', 'OPTIONS'],
+            // 忽略的路径
+            ignore_paths: [],
+            // 是否生成新的令牌
+            generate_new: true,
+            // 是否验证来源
+            check_origin: true,
+            // 是否记录CSRF攻击尝试
+            log: true,
+            // 是否阻止恶意请求
+            block: true,
+            // 允许的来源域名
+            allowed_origins: []
+        };
+    }
+}
+CsrfMiddleware.prototype.init = function(config) {
+    this.config = Object.assign({}, this.default, config || {});
+    return this;
+};
+CsrfMiddleware.prototype.run = async function(ctx, next) {
+    const config = this.config;
+    if (!config.enable) {
+        return await next();
+    }
+    // 生成CSRF令牌
+    const token = await this._generateToken(ctx);
+    // 将令牌添加到上下文，供模板使用
+    ctx.state.csrf = token;
+    // 检查是否需要验证CSRF
+    if (!this._shouldSkipCsrfValidation(ctx, config)) {
+        // 验证来源
+        if (config.check_origin && !this._validateOrigin(ctx, config)) {
+            if (config.block) {
+                ctx.status = 403;
+                ctx.body = {
+                    code: 403,
+                    msg: 'Forbidden: Invalid request origin'
+                };
+                return;
+            }
+        }
+        // 验证CSRF令牌
+        if (!this._validateToken(ctx, config)) {
+            if (config.block) {
+                ctx.status = 403;
+                ctx.body = {
+                    code: 403,
+                    msg: 'Forbidden: Invalid CSRF token'
+                };
+                return;
+            }
+        }
+        // 如果需要生成新令牌
+        if (config.generate_new) {
+            await this._setNewToken(ctx, config);
+        }
+    }
+    await next();
+};
+CsrfMiddleware.prototype._generateToken = async function(ctx) {
+    let token = ctx.cookies.get(this.config.cookie_name);
+    // 如果没有令牌或需要生成新令牌，则创建一个新的
+    if (!token || this.config.generate_new) {
+        await this._setNewToken(ctx, this.config);
+        token = ctx.cookies.get(this.config.cookie_name);
+    }
+    return token;
+};
+CsrfMiddleware.prototype._setNewToken = async function(ctx, config) {
+    // 生成随机令牌
+    const token = this._createRandomToken();
+    // 将令牌存储到Cookie
+    ctx.cookies.set(config.cookie_name, token, {
+        httpOnly: false, // CSRF令牌需要从前端读取，所以不能设置httpOnly
+        maxAge: config.max_age,
+        sameSite: 'lax'
+    });
+};
+CsrfMiddleware.prototype._createRandomToken = function() {
+    return Math.random().toString(36).substring(2) +
+           Math.random().toString(36).substring(2) +
+           Math.random().toString(36).substring(2);
+};
+CsrfMiddleware.prototype._shouldSkipCsrfValidation = function(ctx, config) {
+    const method = ctx.method;
+    const path = ctx.path;
+    // 检查是否在忽略的方法列表中
+    if (config.ignore_methods.includes(method)) {
+        return true;
+    }
+    // 检查是否在忽略的路径列表中
+    if (config.ignore_paths.some(p => path.startsWith(p))) {
+        return true;
+    }
+    return false;
+};
+CsrfMiddleware.prototype._validateOrigin = function(ctx, config) {
+    const origin = ctx.get('Origin');
+    const host = ctx.get('Host');
+    // 如果没有Origin头，可能是同源请求
+    if (!origin) {
+        return true;
+    }
+    // 检查是否在允许的来源列表中
+    if (config.allowed_origins.length > 0) {
+        return config.allowed_origins.includes(origin);
+    }
+    // 默认情况下，只允许同源请求
+    return origin.includes(host);
+};
+CsrfMiddleware.prototype._validateToken = function(ctx, config) {
+    const tokenFromCookie = ctx.cookies.get(config.cookie_name);
+    // 从请求头获取令牌
+    const tokenFromHeader = ctx.get(config.header_name);
+    // 从请求体获取令牌
+    let tokenFromBody = null;
+    if (ctx.request.body && ctx.request.body[config.form_field]) {
+        tokenFromBody = ctx.request.body[config.form_field];
+    }
+    // 从查询参数获取令牌
+    const tokenFromQuery = ctx.query[config.form_field];
+    // 检查令牌是否匹配
+    const receivedToken = tokenFromHeader || tokenFromBody || tokenFromQuery;
+    if (!receivedToken || !tokenFromCookie) {
+        return false;
+    }
+    return receivedToken === tokenFromCookie;
+};
+// 创建中间件实例
+const middleware = new CsrfMiddleware();
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+    // 获取当前中间件的配置（从middleware.json加载的配置）
+    var middleware_config = this && this.config ? this.config : config;
+    // 初始化中间件
+    middleware.init(middleware_config);
+    // 注册中间件到服务器
+    server.use(middleware.run.bind(middleware));
+    // 记录中间件初始化信息
+    if ($.log && $.log.info) {
+        $.log.info(`CSRF中间件已加载: 启用=${middleware.config.enable}, 忽略路径=${middleware.config.ignore_paths.length}`);
+    }
+    return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/csrf/middleware.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "csrf",
+  "title": "CSRF保护中间件",
+  "description": "防止跨站请求伪造攻击，提供安全的令牌验证机制",
+  "version": "1.0",
+  "type": "web",
+  "process_type": "common_before",
+  "sort": 20,
+  "state": 1,
+  "config": {
+    "enable": true,
+    "cookie_name": "csrf_token",
+    "header_name": "X-CSRF-Token",
+    "form_field": "_csrf",
+    "max_age": 3600000,
+    "ignore_methods": ["GET", "HEAD", "OPTIONS"],
+    "ignore_paths": ["/api/user/sign_in", "/user/login", "/login", "/admin/login"],
+    "generate_new": true,
+    "check_origin": true,
+    "log": true,
+    "block": true,
+    "allowed_origins": []
+  }
+}