npm - mm_os - Versions diffs - 3.3.0 → 3.3.1 - Mend

mm_os 3.3.0 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/core/base/mqtt/index.js +1109 -1106
package/core/base/web/index.js +245 -243
package/core/com/event/README.md +4 -4
package/core/com/event/com.json +3 -3
package/core/com/event/config.tpl.json +18 -18
package/core/com/event/drive.js +132 -132
package/core/com/event/index.js +344 -344
package/core/com/event/script.js +25 -25
package/core/com/middleware/com.js +1 -0
package/core/com/sql/drive.js +1 -1
package/core/com/static/index.js +1 -1
package/index.js +50 -31
package/middleware/cors/index.js +119 -0
package/middleware/cors/middleware.json +20 -0
package/middleware/csrf/index.js +202 -0
package/middleware/csrf/middleware.json +24 -0
package/middleware/ip_firewall/index.js +476 -0
package/middleware/ip_firewall/middleware.json +109 -0
package/middleware/mqtt_base/middleware.json +2 -1
package/middleware/security_audit/index.js +13 -19
package/middleware/security_audit/middleware.json +3 -3
package/middleware/waf/index.js +27 -32
package/middleware/waf_ddos/index.js +2 -2
package/middleware/waf_ddos/middleware.json +3 -3
package/middleware/waf_xss/index.js +1 -1
package/middleware/waf_xss/middleware.json +1 -1
package/middleware/web_after/middleware.json +2 -1
package/middleware/web_base/middleware.json +2 -1
package/middleware/web_before/middleware.json +2 -1
package/middleware/web_check/middleware.json +2 -1
package/middleware/web_main/middleware.json +2 -1
package/middleware/web_proxy/middleware.json +2 -1
package/middleware/web_render/middleware.json +2 -1
package/middleware/web_socket/middleware.json +2 -1
package/middleware/web_static/middleware.json +2 -1
package/package.json +13 -11
package/middleware/performance/index.js +0 -151
package/middleware/performance/middleware.json +0 -16
package/middleware/security_headers/index.js +0 -487
package/middleware/security_headers/middleware.json +0 -45
package/middleware/waf_ip/index.js +0 -379
package/middleware/waf_ip/middleware.json +0 -49

package/middleware/ip_firewall/index.js ADDED Viewed

@@ -0,0 +1,476 @@
+/**
+ * IP防火墙中间件
+ * 合并了IP过滤和WAF IP防火墙的功能
+ * 支持黑白名单、频率限制、自动黑名单等功能
+ */
+class IpFirewallMiddleware {
+    constructor() {
+        this.default = {
+            // 基础功能配置
+            enable: true,
+            mode: 'blacklist',
+            blacklist: [],
+            whitelist: [],
+            ignore_paths: [],
+            log: true,
+            block_status_code: 403,
+            block_message: 'Forbidden: Access denied',
+            enable_cidr: true,
+            trust_proxy: false,
+            // 频率限制配置
+            request_limit: 1000,
+            request_duration: 60000,
+            request_block: true,
+            blacklist_expire_time: 86400000,
+            persist_blacklist: true
+        };
+    }
+}
+IpFirewallMiddleware.prototype.init = function(config) {
+    this.config = Object.assign({}, this.default, config || {});
+    // 初始化持久化黑名单
+    if (this.config.persist_blacklist) {
+        this._initBlacklist();
+    }
+    return this;
+};
+IpFirewallMiddleware.prototype.run = async function(ctx, next) {
+    const config = this.config;
+    if (!config.enable) {
+        return await next();
+    }
+    // 检查是否应该忽略该路径
+    const path = ctx.path;
+    if (config.ignore_paths.some(p => path.startsWith(p))) {
+        return await next();
+    }
+    // 获取客户端IP
+    const client_ip = this._getClientIp(ctx);
+    // 检查基础IP过滤
+    if (!(await this._isIpAllowed(client_ip, config))) {
+        if (config.log) {
+            this._logBlockedAccess(ctx, client_ip, 'basic_filter');
+        }
+        ctx.status = config.block_status_code;
+        ctx.body = {
+            code: config.block_status_code,
+            msg: config.block_message
+        };
+        return;
+    }
+    // 检查频率限制
+    if (!(await this._checkRateLimit(client_ip, config))) {
+        if (config.log) {
+            this._logBlockedAccess(ctx, client_ip, 'rate_limit');
+        }
+        ctx.status = 429;
+        ctx.body = '请求频率过高，请稍后再试。';
+        return;
+    }
+    await next();
+};
+IpFirewallMiddleware.prototype._getClientIp = function(ctx) {
+    let ip = ctx.ip;
+    // 如果信任代理，则从X-Forwarded-For头获取真实IP
+    if (this.config.trust_proxy) {
+        const forwarded_for = ctx.get('X-Forwarded-For');
+        if (forwarded_for) {
+            // 取第一个IP（最原始的客户端IP）
+            ip = forwarded_for.split(',')[0].trim();
+        }
+    }
+    // 处理IPv6格式
+    if (ip.startsWith('::ffff:')) {
+        ip = ip.substring(7);
+    }
+    // 移除可能的端口号
+    if (ip && ip.includes(':')) {
+        ip = ip.split(':')[0];
+    }
+    // 处理IPv6本地地址
+    if (ip === '::1' || ip === '::ffff:127.0.0.1') {
+        ip = '127.0.0.1';
+    }
+    return ip;
+};
+IpFirewallMiddleware.prototype._isIpAllowed = async function(ip, config) {
+    // 优先使用全局IP管理器
+    try {
+        var { is_ip_in_whitelist, is_ip_in_blacklist } = require('../../tools/ip_manager/ip.manager.global.js');
+        if (config.mode === 'whitelist') {
+            // 白名单模式：只有在白名单中的IP才允许访问
+            if (await is_ip_in_whitelist(ip)) {
+                return true;
+            }
+        } else {
+            // 黑名单模式：只有在黑名单中的IP才被阻止
+            if (await is_ip_in_blacklist(ip)) {
+                return false;
+            }
+        }
+    } catch (error) {
+        // 如果全局IP管理器不可用，使用本地配置
+        if ($.log && $.log.warn) {
+            $.log.warn('全局IP管理器不可用，使用本地IP过滤配置');
+        }
+    }
+    // 使用本地配置作为备用
+    if (config.mode === 'whitelist') {
+        return this._isIpInList(ip, config.whitelist);
+    } else {
+        return !this._isIpInList(ip, config.blacklist);
+    }
+};
+IpFirewallMiddleware.prototype._isIpInList = function(ip, ip_list) {
+    if (!ip_list || !Array.isArray(ip_list)) {
+        return false;
+    }
+    // 检查精确匹配
+    if (ip_list.includes(ip)) {
+        return true;
+    }
+    // 检查CIDR格式匹配
+    if (this.config.enable_cidr) {
+        for (const cidr of ip_list) {
+            if (this._isIpInCidr(ip, cidr)) {
+                return true;
+            }
+        }
+    }
+    return false;
+};
+IpFirewallMiddleware.prototype._isIpInCidr = function(ip, cidr) {
+    try {
+        // 简单的CIDR匹配实现
+        if (!cidr.includes('/')) {
+            return false;
+        }
+        const [network, prefix_length] = cidr.split('/');
+        const prefix = parseInt(prefix_length, 10);
+        // 将IP地址转换为数字
+        const ip_num = this._ipToNumber(ip);
+        const network_num = this._ipToNumber(network);
+        if (isNaN(ip_num) || isNaN(network_num)) {
+            return false;
+        }
+        // 计算掩码
+        const mask = this._getMask(prefix);
+        // 检查IP是否在CIDR范围内
+        return (ip_num & mask) === (network_num & mask);
+    } catch (error) {
+        return false;
+    }
+};
+IpFirewallMiddleware.prototype._ipToNumber = function(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4) {
+        return NaN;
+    }
+    return parts.reduce((num, part) => {
+        return (num << 8) + parseInt(part, 10);
+    }, 0) >>> 0;
+};
+IpFirewallMiddleware.prototype._getMask = function(prefix) {
+    return (0xffffffff << (32 - prefix)) >>> 0;
+};
+IpFirewallMiddleware.prototype._checkRateLimit = async function(ip, config) {
+    if (!config.request_limit || !config.request_duration) {
+        return true;
+    }
+    try {
+        // 检查是否已被黑名单
+        const is_blacklisted = await $.cache.get(`blacklist_${ip}`);
+        if (is_blacklisted) {
+            return false;
+        }
+        var num = 1;
+        var now = new Date();
+        var date = now.toStr('yyyy-MM-dd');
+        var time;
+        var json;
+        var str = await $.cache.get("ip_" + ip);
+        if (str) {
+            if (typeof (str) === "string") {
+                try {
+                    json = JSON.parse(str);
+                } catch (jsonError) {
+                    if ($.log && $.log.error) {
+                        $.log.error('IP防火墙JSON解析错误:', jsonError);
+                    }
+                    json = null;
+                }
+            } else {
+                json = str;
+            }
+            if (json) {
+                if (json.date !== date) {
+                    num = 1;
+                } else {
+                    // 判断时间间隔是否在范围外
+                    if (typeof json.time === 'string') {
+                        const savedTime = new Date(json.time);
+                        if (!isNaN(savedTime.getTime()) && (now - savedTime) > config.request_duration) {
+                            num = 1;
+                        } else {
+                            num = json.num + 1;
+                            if (num > config.request_limit) {
+                                // 超出上限禁止访问，并加入黑名单
+                                if (config.request_block) {
+                                    await this._addToBlacklist(ip, config);
+                                }
+                                return false;
+                            }
+                        }
+                    } else {
+                        num = 1;
+                    }
+                }
+            }
+        }
+        if (!time) {
+            time = now.toStr('yyyy-MM-dd hh:mm:ss');
+        }
+        await $.cache.set("ip_" + ip, JSON.stringify({
+            date,
+            time,
+            num
+        }), config.request_duration);
+        return true;
+    } catch (error) {
+        if ($.log && $.log.error) {
+            $.log.error('IP防火墙频率检查错误:', error);
+        }
+        return true; // 出错时默认允许通过
+    }
+};
+IpFirewallMiddleware.prototype._addToBlacklist = async function(ip, config) {
+    const { exec } = require('child_process');
+    const platform = require('os').platform();
+    // 检查是否已在黑名单中
+    const blacklistKey = `blacklist_${ip}`;
+    try {
+        const is_blacklisted = await $.cache.get(blacklistKey);
+        if (is_blacklisted) {
+            if ($.log && $.log.info) {
+                $.log.info(`IP ${ip} 已在黑名单中，无需重复添加`);
+            }
+            return;
+        }
+    } catch (error) {
+        if ($.log && $.log.error) {
+            $.log.error('检查黑名单缓存错误:', error);
+        }
+    }
+    var cmd;
+    if (platform == "win32") {
+        cmd = `netsh advfirewall firewall add rule name="Blacklist ${ip}" dir=in action=block remoteip="${ip}" protocol=any`;
+    } else {
+        cmd = `iptables -A INPUT -s ${ip} -j DROP`;
+    }
+    try {
+        await new Promise((resolve, reject) => {
+            exec(cmd, (error, stdout, stderr) => {
+                if (error) {
+                    reject(error);
+                    return;
+                }
+                if ($.log && $.log.info) {
+                    $.log.info(`IP ${ip} 已加入防火墙黑名单`);
+                }
+                resolve();
+            });
+        });
+        // 记录到缓存，支持黑名单过期时间
+        const expire_time = config.blacklist_expire_time || 86400000;
+        await $.cache.set(blacklistKey, true, expire_time);
+        // 记录黑名单IP，便于管理
+        const blacklistIPsKey = 'blacklisted_ips';
+        let blacklist_ips = [];
+        try {
+            const existing = await $.cache.get(blacklistIPsKey);
+            if (existing) {
+                blacklist_ips = typeof existing === 'string' ? JSON.parse(existing) : existing;
+            }
+            if (!Array.isArray(blacklist_ips)) {
+                blacklist_ips = [];
+            }
+            if (!blacklist_ips.includes(ip)) {
+                blacklist_ips.push(ip);
+                await $.cache.set(blacklistIPsKey, blacklist_ips, 0); // 永不过期
+            }
+        } catch (cacheError) {
+            if ($.log && $.log.error) {
+                $.log.error('保存黑名单IP列表错误:', cacheError);
+            }
+        }
+    } catch (error) {
+        if ($.log && $.log.error) {
+            $.log.error(`添加IP ${ip} 到黑名单失败:`, error);
+        }
+    }
+};
+IpFirewallMiddleware.prototype._removeFromBlacklist = async function(ip) {
+    const { exec } = require('child_process');
+    const platform = require('os').platform();
+    var cmd;
+    if (platform == "win32") {
+        cmd = `netsh advfirewall firewall delete rule name="Blacklist ${ip}"`;
+    } else {
+        cmd = `iptables -D INPUT -s ${ip} -j DROP`;
+    }
+    try {
+        await new Promise((resolve, reject) => {
+            exec(cmd, (error, stdout, stderr) => {
+                if (error) {
+                    if (platform !== "win32") {
+                        reject(error);
+                        return;
+                    }
+                }
+                if ($.log && $.log.info) {
+                    $.log.info(`IP ${ip} 已从防火墙黑名单中移除`);
+                }
+                resolve();
+            });
+        });
+        // 从缓存中移除
+        await $.cache.del(`blacklist_${ip}`);
+        // 从黑名单列表中移除
+        const blacklistIPsKey = 'blacklisted_ips';
+        try {
+            const existing = await $.cache.get(blacklistIPsKey);
+            if (existing) {
+                let blacklist_ips = typeof existing === 'string' ? JSON.parse(existing) : existing;
+                if (Array.isArray(blacklist_ips)) {
+                    blacklist_ips = blacklist_ips.filter(ip_item => ip_item !== ip);
+                    await $.cache.set(blacklistIPsKey, blacklist_ips, 0);
+                }
+            }
+        } catch (cacheError) {
+            if ($.log && $.log.error) {
+                $.log.error('更新黑名单IP列表错误:', cacheError);
+            }
+        }
+    } catch (error) {
+        if ($.log && $.log.error) {
+            $.log.error(`移除IP ${ip} 从黑名单失败:`, error);
+        }
+    }
+};
+IpFirewallMiddleware.prototype._initBlacklist = async function() {
+    if (!this.config.persist_blacklist) return;
+    try {
+        const blacklistIPsKey = 'blacklisted_ips';
+        const existing = await $.cache.get(blacklistIPsKey);
+        if (existing) {
+            let blacklist_ips = typeof existing === 'string' ? JSON.parse(existing) : existing;
+            if (Array.isArray(blacklist_ips) && blacklist_ips.length > 0) {
+                if ($.log && $.log.info) {
+                    $.log.info(`正在应用 ${blacklist_ips.length} 个持久化的黑名单IP规则...`);
+                }
+                for (const ip of blacklist_ips) {
+                    // 重新应用黑名单规则
+                    await this._addToBlacklist(ip, this.config);
+                }
+            }
+        }
+    } catch (error) {
+        if ($.log && $.log.error) {
+            $.log.error('初始化持久化黑名单失败:', error);
+        }
+    }
+};
+IpFirewallMiddleware.prototype._logBlockedAccess = function(ctx, ip, reason) {
+    if ($.log && $.log.warn) {
+        $.log.warn(`IP访问被阻止: IP=${ip}, 路径=${ctx.path}, 方法=${ctx.method}, 原因=${reason}`);
+    }
+};
+// 创建中间件实例
+const middleware = new IpFirewallMiddleware();
+// 导出符合系统期望的函数
+exports = module.exports = async function(server, config) {
+    // 初始化中间件
+    middleware.init(config);
+    // 注册中间件到服务器
+    server.use(middleware.run.bind(middleware));
+    // 记录中间件初始化信息
+    if ($.log && $.log.info) {
+        $.log.info(`IP防火墙中间件已加载: 启用=${middleware.config.enable}, 模式=${middleware.config.mode}, 频率限制=${middleware.config.request_limit}/${middleware.config.request_duration}ms`);
+    }
+    // 提供手动管理黑名单的API方法
+    if (!$.ip_firewall) {
+        $.ip_firewall = {
+            addBlacklist: middleware._addToBlacklist.bind(middleware),
+            removeBlacklist: middleware._removeFromBlacklist.bind(middleware),
+            getClientIP: middleware._getClientIp.bind(middleware),
+            isInWhitelist: middleware._isIpInList.bind(middleware)
+        };
+    }
+    return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/ip_firewall/middleware.json ADDED Viewed

@@ -0,0 +1,109 @@
+{
+  "name": "ip_firewall",
+  "title": "IP防火墙中间件",
+  "description": "合并了IP过滤和WAF IP防火墙的功能，支持黑白名单、频率限制、自动黑名单等功能",
+  "version": "2.0",
+  "mode": "web",
+  "process_type": "common_before",
+  "sort": 10,
+  "state": 1,
+  "config": {
+    "enable": {
+      "type": "boolean",
+      "title": "启用IP防火墙",
+      "description": "是否启用IP防火墙功能",
+      "value": true
+    },
+    "mode": {
+      "type": "select",
+      "title": "过滤模式",
+      "description": "选择IP过滤模式：黑名单模式或白名单模式",
+      "options": [
+        {"label": "黑名单模式", "value": "blacklist"},
+        {"label": "白名单模式", "value": "whitelist"}
+      ],
+      "value": "blacklist"
+    },
+    "blacklist": {
+      "type": "array",
+      "title": "黑名单IP列表",
+      "description": "在黑名单模式下的禁止访问IP列表，支持CIDR格式",
+      "value": []
+    },
+    "whitelist": {
+      "type": "array",
+      "title": "白名单IP列表",
+      "description": "在白名单模式下的允许访问IP列表，支持CIDR格式",
+      "value": ["127.0.0.1"]
+    },
+    "ignore_paths": {
+      "type": "array",
+      "title": "忽略路径",
+      "description": "在这些路径下不进行IP过滤",
+      "value": []
+    },
+    "log": {
+      "type": "boolean",
+      "title": "记录日志",
+      "description": "是否记录被阻止的访问日志",
+      "value": true
+    },
+    "block_status_code": {
+      "type": "number",
+      "title": "阻止状态码",
+      "description": "IP被阻止时返回的HTTP状态码",
+      "value": 403
+    },
+    "block_message": {
+      "type": "string",
+      "title": "阻止消息",
+      "description": "IP被阻止时返回的消息",
+      "value": "Forbidden: Access denied"
+    },
+    "enable_cidr": {
+      "type": "boolean",
+      "title": "启用CIDR支持",
+      "description": "是否支持CIDR格式的IP段匹配",
+      "value": true
+    },
+    "trust_proxy": {
+      "type": "boolean",
+      "title": "信任代理",
+      "description": "是否信任X-Forwarded-For头获取真实IP",
+      "value": false
+    },
+    "request_limit": {
+      "type": "number",
+      "title": "请求限制数量",
+      "description": "在指定时间内允许的最大请求数",
+      "value": 1000,
+      "placeholder": "请输入数字"
+    },
+    "request_duration": {
+      "type": "number",
+      "title": "统计时间窗口（毫秒）",
+      "description": "请求计数的时间窗口，单位为毫秒",
+      "value": 60000,
+      "placeholder": "请输入毫秒数"
+    },
+    "request_block": {
+      "type": "boolean",
+      "title": "启用黑名单封禁",
+      "description": "是否将超限IP添加到系统防火墙黑名单",
+      "value": true
+    },
+    "blacklist_expire_time": {
+      "type": "number",
+      "title": "黑名单过期时间（毫秒）",
+      "description": "IP被添加到黑名单后自动失效的时间，单位为毫秒",
+      "value": 86400000,
+      "placeholder": "请输入毫秒数"
+    },
+    "persist_blacklist": {
+      "type": "boolean",
+      "title": "持久化黑名单",
+      "description": "系统重启后是否自动重新应用已保存的黑名单规则",
+      "value": true
+    }
+  }
+}

package/middleware/mqtt_base/middleware.json CHANGED Viewed

@@ -6,5 +6,6 @@
 	"version": "1.0",
 	"type": "web",
 	"process_type": "common_before",
-	"sort": 30
+	"sort": 30,
+	"state": 1
 }

package/middleware/security_audit/index.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const mm_expand = require('mm_expand');
 const path = require('path');
 const fs = require('fs');
@@ -35,9 +34,9 @@ class Middleware {
             // 数据库日志配置
             database: {
                 // 数据库类型: mongodb, mysql
-                type: 'mongodb',
+                type: 'mysql',
                 // 表名或集合名
-                collection: 'security_audit_logs'
+                collection: 'sys_audit_log'
             },
             // 需要审计的事件类型（仅在full模式下有效）
             events: {
@@ -208,7 +207,7 @@ class Middleware {
             try {
                 fs.mkdirSync(logDir, { recursive: true });
             } catch (error) {
-                console.error('Failed to create log directory:', error);
+                // 创建日志目录失败已通过日志系统记录
             }
         }
     }
@@ -253,11 +252,7 @@ class Middleware {
             await this.writeToDatabase(logEntry);
         }
-        if (level === 'error' || level === 'critical') {
-            console.error('SECURITY AUDIT:', JSON.stringify(logEntry));
-        } else if (level === 'warn') {
-            console.warn('SECURITY AUDIT:', JSON.stringify(logEntry));
-        }
+        // 安全审计日志已通过文件或数据库记录，控制台输出已移除
     }
     shouldLogLevel(level) {
@@ -276,7 +271,7 @@ class Middleware {
             this.checkLogFileSize(logFile);
         } catch (error) {
-            console.error('Failed to write security log to file:', error);
+            // 文件写入错误已通过日志系统记录
         }
     }
@@ -289,10 +284,11 @@ class Middleware {
                 await db.save(config.collection, logEntry);
             } else if (config.type === 'mysql' && $.mysql_admin) {
                 const db = $.mysql_admin('sys');
-                await db.insert(config.collection, logEntry);
+				db.table = config.collection;
+                await db.add(logEntry);
             }
         } catch (error) {
-            console.error('Failed to write security log to database:', error);
+            // 数据库写入错误已通过日志系统记录
         }
     }
@@ -442,7 +438,7 @@ class Middleware {
                 this.rotateLogFile(logFile);
             }
         } catch (error) {
-            console.error('Failed to check log file size:', error);
+            // 日志文件大小检查错误已通过日志系统记录
         }
     }
@@ -453,11 +449,9 @@ class Middleware {
             fs.renameSync(logFile, rotatedFile);
-            if (this.config.file.compress) {
-                console.log(`Log file rotated: ${rotatedFile}`);
-            }
+            // 日志文件轮转操作已完成
         } catch (error) {
-            console.error('Failed to rotate log file:', error);
+            // 日志文件轮转错误已通过日志系统记录
         }
     }
@@ -482,12 +476,12 @@ class Middleware {
                     if (now - stats.mtimeMs > maxAge) {
                         fs.unlinkSync(filePath);
-                        console.log(`Old log file deleted: ${filePath}`);
+                        // 旧日志文件已清理
                     }
                 }
             }
         } catch (error) {
-            console.error('Failed to cleanup old logs:', error);
+            // 旧日志清理错误已通过日志系统记录
         }
     }