npm - mm_os - Versions diffs - 3.3.0 → 3.3.1 - Mend

mm_os 3.3.0 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/core/base/mqtt/index.js +1109 -1106
package/core/base/web/index.js +245 -243
package/core/com/event/README.md +4 -4
package/core/com/event/com.json +3 -3
package/core/com/event/config.tpl.json +18 -18
package/core/com/event/drive.js +132 -132
package/core/com/event/index.js +344 -344
package/core/com/event/script.js +25 -25
package/core/com/middleware/com.js +1 -0
package/core/com/sql/drive.js +1 -1
package/core/com/static/index.js +1 -1
package/index.js +50 -31
package/middleware/cors/index.js +119 -0
package/middleware/cors/middleware.json +20 -0
package/middleware/csrf/index.js +202 -0
package/middleware/csrf/middleware.json +24 -0
package/middleware/ip_firewall/index.js +476 -0
package/middleware/ip_firewall/middleware.json +109 -0
package/middleware/mqtt_base/middleware.json +2 -1
package/middleware/security_audit/index.js +13 -19
package/middleware/security_audit/middleware.json +3 -3
package/middleware/waf/index.js +27 -32
package/middleware/waf_ddos/index.js +2 -2
package/middleware/waf_ddos/middleware.json +3 -3
package/middleware/waf_xss/index.js +1 -1
package/middleware/waf_xss/middleware.json +1 -1
package/middleware/web_after/middleware.json +2 -1
package/middleware/web_base/middleware.json +2 -1
package/middleware/web_before/middleware.json +2 -1
package/middleware/web_check/middleware.json +2 -1
package/middleware/web_main/middleware.json +2 -1
package/middleware/web_proxy/middleware.json +2 -1
package/middleware/web_render/middleware.json +2 -1
package/middleware/web_socket/middleware.json +2 -1
package/middleware/web_static/middleware.json +2 -1
package/package.json +13 -11
package/middleware/performance/index.js +0 -151
package/middleware/performance/middleware.json +0 -16
package/middleware/security_headers/index.js +0 -487
package/middleware/security_headers/middleware.json +0 -45
package/middleware/waf_ip/index.js +0 -379
package/middleware/waf_ip/middleware.json +0 -49

package/core/com/event/script.js CHANGED Viewed

@@ -1,26 +1,26 @@
-// 使用api管理器
-var api = $.api_admin('{0}', '{0}');
-// 首次启动更新api接口;
-api.update();
-// 使用mysql数据库管理器
-var sql = $.mysql_admin('sys', __dirname);
-// sql.setConfig($.config.mysql);
-// sql.open();
-/**
- * @description 接口主函数
- * @param {Object} ctx HTTP上下文
- * @param {Object} db 数据管理器,如: { next: async function{}, ret: {} }
- * @return {Object} 执行结果
- */
-async function main(ctx, db) {
-	// 使用模板引擎
-	db.tpl = new $.Tpl();
-	// 在这定义要访问的数据库 (分布式开发时设置不同的数据库名)
-	$.push(db, sql.db(), true);
-	return api.run(ctx, db);
-};
+// 使用api管理器
+var api = $.api_admin('{0}', '{0}');
+// 首次启动更新api接口;
+api.update();
+// 使用mysql数据库管理器
+var sql = $.mysql_admin('sys', __dirname);
+// sql.setConfig($.config.mysql);
+// sql.open();
+/**
+ * @description 接口主函数
+ * @param {Object} ctx HTTP上下文
+ * @param {Object} db 数据管理器,如: { next: async function{}, ret: {} }
+ * @return {Object} 执行结果
+ */
+async function main(ctx, db) {
+	// 使用模板引擎
+	db.tpl = new $.Tpl();
+	// 在这定义要访问的数据库 (分布式开发时设置不同的数据库名)
+	$.push(db, sql.db(), true);
+	return api.run(ctx, db);
+};
 exports.main = main;

package/core/com/middleware/com.js CHANGED Viewed

@@ -15,6 +15,7 @@ class Middleware {
 		this.init(config);
 	}
 }
 Middleware.prototype.init = function(config) {
 	if (config) {

package/core/com/sql/drive.js CHANGED Viewed

@@ -595,7 +595,7 @@ Drive.prototype.get_params = async function(db, fields) {
 					var name = o.name.replace(/`/g, '');
 					lt.push({
 						name,
-						title: title: o.title
+						title: o.title
 					});
 				}
 			}

package/core/com/static/index.js CHANGED Viewed

@@ -117,7 +117,7 @@ Static.prototype.getObj = async function(dir) {
  */
 Static.prototype.update_config_all = async function(path) {
 	if (!path) {
-		path = $.runPath + 'app' + $.slash;
+		path = './app'.fullname();
 	}
 	// 获取所有应用路径
 	var search_dir = "static";

package/index.js CHANGED Viewed

@@ -98,7 +98,7 @@ class OS {
 OS.prototype.initData = function(config) {
 	var p = config.runPath;
 	if (!p) {
-		config.runPath = $.runPath
+		config.runPath = $.runPath;
 	} else if (p.substring(p.length - 1) !== $.slash) {
 		config.runPath += $.slash;
 	}
@@ -216,34 +216,53 @@ OS.prototype.init = function(config) {
 	this.initErrorHandler();
 }
-/**
- * 运行基础数据
- * @param {Object} cg - 配置对象
- */
-OS.prototype.initBase = function(cg) {
-	var middleware = $.middleware;
-	middleware.update();
-	var mqtt, web;
-	if (cg.web && cg.web.state) {
-		web = new WEB(cg.web);
-		web.list = middleware.list.filter((o) => {
-			return !o.mode || o.mode == "web"
-		});
-		web.init();
-		this.web = web;
-	}
-	if (cg.mqtt && cg.mqtt.state) {
-		mqtt = new MQTT(Object.assign(cg.mqtt, {
-			redis: cg.redis,
-			mongodb: cg.mongodb
-		}));
-		mqtt.list = middleware.list.filter((o) => {
-			return o.mode == "mqtt"
-		});
-		mqtt.init();
-		this.mqtt = mqtt;
-	}
+/**
+ * 运行基础数据
+ * @param {Object} cg - 配置对象
+ */
+OS.prototype.initBase = function(cg) {
+	var middleware = $.middleware;
+	// 更新中间件配置，并且加载JS文件
+	middleware.update();
+	var mqtt, web;
+	if (cg.web && cg.web.state) {
+		web = new WEB(cg.web);
+		// 过滤出web模式的中间件
+		web.list = middleware.list.filter((o) => {
+			return !o.mode || o.mode == "web"
+		});
+		// 预加载中间件函数，确保list中的每个中间件都有func属性
+		if (web.list && web.list.length > 0) {
+			for (var i = 0; i < web.list.length; i++) {
+				var o = web.list[i];
+				try {
+					if (o.func_file && !o.func) {
+						o.func = require(o.func_file);
+					}
+				} catch (error) {
+					if ($.log && $.log.error) {
+						$.log.error(`预加载中间件失败: ${o.name}`, error);
+					} else {
+						console.error(`预加载中间件失败: ${o.name}`, error);
+					}
+				}
+			}
+		}
+		web.init();
+		this.web = web;
+	}
+	if (cg.mqtt && cg.mqtt.state) {
+		mqtt = new MQTT(Object.assign(cg.mqtt, {
+			redis: cg.redis,
+			mongodb: cg.mongodb
+		}));
+		mqtt.list = middleware.list.filter((o) => {
+			return o.mode == "mqtt"
+		});
+		mqtt.init();
+		this.mqtt = mqtt;
+	}
 }
 /**
@@ -261,8 +280,8 @@ OS.prototype.main = async function(state) {
 		if (cg.web.socket) {
 			tip += " socket";
 		}
-		var eventer = $.event_admin('api');
-		eventer.update();
+		var evt = $.event_admin('api');
+		evt.update();
 		this.web.run();
 	}

package/middleware/cors/index.js ADDED Viewed

@@ -0,0 +1,119 @@
+/**
+ * CORS跨域中间件
+ * 处理跨域资源共享(CORS)配置
+ */
+class CorsMiddleware {
+    constructor() {
+        this.default = {
+            // 启用CORS
+            enable: true,
+            // 允许的源
+            origin: '*',
+            // 允许的请求头
+            headers: '*',
+            // 允许的HTTP方法
+            methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD'],
+            // 允许携带凭证
+            credentials: false,
+            // 预检请求的有效期(秒)
+            max_age: 3600,
+            // 暴露的响应头
+            expose_headers: [],
+            // 忽略的路径
+            ignore_paths: []
+        };
+    }
+}
+CorsMiddleware.prototype.init = function(config) {
+    this.config = Object.assign({}, this.default, config || {});
+    return this;
+};
+CorsMiddleware.prototype.run = async function(ctx, next) {
+    const config = this.config;
+    if (!config.enable) {
+        return await next();
+    }
+    // 检查是否应该忽略该路径
+    const path = ctx.path;
+    if (config.ignore_paths.some(p => path.startsWith(p))) {
+        return await next();
+    }
+    // 设置CORS头
+    this._setCorsHeaders(ctx, config);
+    // 处理预检请求
+    if (ctx.method === 'OPTIONS') {
+        ctx.status = 204;
+        return;
+    }
+    await next();
+};
+CorsMiddleware.prototype._setCorsHeaders = function(ctx, config) {
+    // 设置Access-Control-Allow-Origin
+    if (config.origin === '*') {
+        ctx.set('Access-Control-Allow-Origin', '*');
+    } else if (Array.isArray(config.origin)) {
+        const requestOrigin = ctx.get('Origin');
+        if (config.origin.includes(requestOrigin)) {
+            ctx.set('Access-Control-Allow-Origin', requestOrigin);
+        }
+    } else {
+        ctx.set('Access-Control-Allow-Origin', config.origin);
+    }
+    // 设置Access-Control-Allow-Headers
+    if (config.headers === '*') {
+        ctx.set('Access-Control-Allow-Headers', '*');
+    } else if (Array.isArray(config.headers)) {
+        ctx.set('Access-Control-Allow-Headers', config.headers.join(', '));
+    } else {
+        ctx.set('Access-Control-Allow-Headers', config.headers);
+    }
+    // 设置Access-Control-Allow-Methods
+    ctx.set('Access-Control-Allow-Methods', config.methods.join(', '));
+    // 设置Access-Control-Allow-Credentials
+    if (config.credentials) {
+        ctx.set('Access-Control-Allow-Credentials', 'true');
+    }
+    // 设置Access-Control-Max-Age
+    if (config.max_age > 0) {
+        ctx.set('Access-Control-Max-Age', config.max_age.toString());
+    }
+    // 设置Access-Control-Expose-Headers
+    if (config.expose_headers.length > 0) {
+        ctx.set('Access-Control-Expose-Headers', config.expose_headers.join(', '));
+    }
+};
+// 创建中间件实例
+const middleware = new CorsMiddleware();
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+    // 初始化中间件
+    middleware.init(config);
+    // 注册中间件到服务器
+    server.use(middleware.run.bind(middleware));
+    // 记录中间件初始化信息
+    if ($.log && $.log.info) {
+        $.log.info(`CORS中间件已加载: 启用=${middleware.config.enable}, 源=${middleware.config.origin}`);
+    }
+    return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/cors/middleware.json ADDED Viewed

@@ -0,0 +1,20 @@
+{
+  "name": "cors",
+  "title": "CORS跨域中间件",
+  "description": "处理跨域资源共享(CORS)配置，支持灵活的跨域策略",
+  "version": "1.0",
+  "type": "web",
+  "process_type": "common_before",
+  "sort": 15,
+  "state": 1,
+  "config": {
+    "enable": true,
+    "origin": "*",
+    "headers": "*",
+    "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"],
+    "credentials": false,
+    "max_age": 3600,
+    "expose_headers": [],
+    "ignore_paths": []
+  }
+}

package/middleware/csrf/index.js ADDED Viewed

@@ -0,0 +1,202 @@
+/**
+ * CSRF保护中间件
+ * 防止跨站请求伪造攻击
+ */
+class CsrfMiddleware {
+    constructor() {
+        this.default = {
+            // 启用CSRF保护
+            enable: true,
+            // CSRF令牌的Cookie名称
+            cookie_name: 'csrf_token',
+            // CSRF令牌的请求头名称
+            header_name: 'X-CSRF-Token',
+            // CSRF令牌的表单字段名称
+            form_field: '_csrf',
+            // CSRF令牌的过期时间(毫秒)
+            max_age: 3600000, // 1小时
+            // 忽略的HTTP方法
+            ignore_methods: ['GET', 'HEAD', 'OPTIONS'],
+            // 忽略的路径
+            ignore_paths: [],
+            // 是否生成新的令牌
+            generate_new: true,
+            // 是否验证来源
+            check_origin: true,
+            // 是否记录CSRF攻击尝试
+            log: true,
+            // 是否阻止恶意请求
+            block: true,
+            // 允许的来源域名
+            allowed_origins: []
+        };
+    }
+}
+CsrfMiddleware.prototype.init = function(config) {
+    this.config = Object.assign({}, this.default, config || {});
+    return this;
+};
+CsrfMiddleware.prototype.run = async function(ctx, next) {
+    const config = this.config;
+    if (!config.enable) {
+        return await next();
+    }
+    // 生成CSRF令牌
+    const token = await this._generateToken(ctx);
+    // 将令牌添加到上下文，供模板使用
+    ctx.state.csrf = token;
+    // 检查是否需要验证CSRF
+    if (!this._shouldSkipCsrfValidation(ctx, config)) {
+        // 验证来源
+        if (config.check_origin && !this._validateOrigin(ctx, config)) {
+            if (config.block) {
+                ctx.status = 403;
+                ctx.body = {
+                    code: 403,
+                    msg: 'Forbidden: Invalid request origin'
+                };
+                return;
+            }
+        }
+        // 验证CSRF令牌
+        if (!this._validateToken(ctx, config)) {
+            if (config.block) {
+                ctx.status = 403;
+                ctx.body = {
+                    code: 403,
+                    msg: 'Forbidden: Invalid CSRF token'
+                };
+                return;
+            }
+        }
+        // 如果需要生成新令牌
+        if (config.generate_new) {
+            await this._setNewToken(ctx, config);
+        }
+    }
+    await next();
+};
+CsrfMiddleware.prototype._generateToken = async function(ctx) {
+    let token = ctx.cookies.get(this.config.cookie_name);
+    // 如果没有令牌或需要生成新令牌，则创建一个新的
+    if (!token || this.config.generate_new) {
+        await this._setNewToken(ctx, this.config);
+        token = ctx.cookies.get(this.config.cookie_name);
+    }
+    return token;
+};
+CsrfMiddleware.prototype._setNewToken = async function(ctx, config) {
+    // 生成随机令牌
+    const token = this._createRandomToken();
+    // 将令牌存储到Cookie
+    ctx.cookies.set(config.cookie_name, token, {
+        httpOnly: false, // CSRF令牌需要从前端读取，所以不能设置httpOnly
+        maxAge: config.max_age,
+        sameSite: 'lax'
+    });
+};
+CsrfMiddleware.prototype._createRandomToken = function() {
+    return Math.random().toString(36).substring(2) +
+           Math.random().toString(36).substring(2) +
+           Math.random().toString(36).substring(2);
+};
+CsrfMiddleware.prototype._shouldSkipCsrfValidation = function(ctx, config) {
+    const method = ctx.method;
+    const path = ctx.path;
+    // 检查是否在忽略的方法列表中
+    if (config.ignore_methods.includes(method)) {
+        return true;
+    }
+    // 检查是否在忽略的路径列表中
+    if (config.ignore_paths.some(p => path.startsWith(p))) {
+        return true;
+    }
+    return false;
+};
+CsrfMiddleware.prototype._validateOrigin = function(ctx, config) {
+    const origin = ctx.get('Origin');
+    const host = ctx.get('Host');
+    // 如果没有Origin头，可能是同源请求
+    if (!origin) {
+        return true;
+    }
+    // 检查是否在允许的来源列表中
+    if (config.allowed_origins.length > 0) {
+        return config.allowed_origins.includes(origin);
+    }
+    // 默认情况下，只允许同源请求
+    return origin.includes(host);
+};
+CsrfMiddleware.prototype._validateToken = function(ctx, config) {
+    const tokenFromCookie = ctx.cookies.get(config.cookie_name);
+    // 从请求头获取令牌
+    const tokenFromHeader = ctx.get(config.header_name);
+    // 从请求体获取令牌
+    let tokenFromBody = null;
+    if (ctx.request.body && ctx.request.body[config.form_field]) {
+        tokenFromBody = ctx.request.body[config.form_field];
+    }
+    // 从查询参数获取令牌
+    const tokenFromQuery = ctx.query[config.form_field];
+    // 检查令牌是否匹配
+    const receivedToken = tokenFromHeader || tokenFromBody || tokenFromQuery;
+    if (!receivedToken || !tokenFromCookie) {
+        return false;
+    }
+    return receivedToken === tokenFromCookie;
+};
+// 创建中间件实例
+const middleware = new CsrfMiddleware();
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+    // 获取当前中间件的配置（从middleware.json加载的配置）
+    var middleware_config = this && this.config ? this.config : config;
+    // 初始化中间件
+    middleware.init(middleware_config);
+    // 注册中间件到服务器
+    server.use(middleware.run.bind(middleware));
+    // 记录中间件初始化信息
+    if ($.log && $.log.info) {
+        $.log.info(`CSRF中间件已加载: 启用=${middleware.config.enable}, 忽略路径=${middleware.config.ignore_paths.length}`);
+    }
+    return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/csrf/middleware.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "csrf",
+  "title": "CSRF保护中间件",
+  "description": "防止跨站请求伪造攻击，提供安全的令牌验证机制",
+  "version": "1.0",
+  "type": "web",
+  "process_type": "common_before",
+  "sort": 20,
+  "state": 1,
+  "config": {
+    "enable": true,
+    "cookie_name": "csrf_token",
+    "header_name": "X-CSRF-Token",
+    "form_field": "_csrf",
+    "max_age": 3600000,
+    "ignore_methods": ["GET", "HEAD", "OPTIONS"],
+    "ignore_paths": ["/api/user/sign_in", "/user/login", "/login", "/admin/login"],
+    "generate_new": true,
+    "check_origin": true,
+    "log": true,
+    "block": true,
+    "allowed_origins": []
+  }
+}