npm - mm_os - Versions diffs - 3.3.0 → 3.3.1 - Mend

mm_os 3.3.0 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/core/base/mqtt/index.js +1109 -1106
package/core/base/web/index.js +245 -243
package/core/com/event/README.md +4 -4
package/core/com/event/com.json +3 -3
package/core/com/event/config.tpl.json +18 -18
package/core/com/event/drive.js +132 -132
package/core/com/event/index.js +344 -344
package/core/com/event/script.js +25 -25
package/core/com/middleware/com.js +1 -0
package/core/com/sql/drive.js +1 -1
package/core/com/static/index.js +1 -1
package/index.js +50 -31
package/middleware/cors/index.js +119 -0
package/middleware/cors/middleware.json +20 -0
package/middleware/csrf/index.js +202 -0
package/middleware/csrf/middleware.json +24 -0
package/middleware/ip_firewall/index.js +476 -0
package/middleware/ip_firewall/middleware.json +109 -0
package/middleware/mqtt_base/middleware.json +2 -1
package/middleware/security_audit/index.js +13 -19
package/middleware/security_audit/middleware.json +3 -3
package/middleware/waf/index.js +27 -32
package/middleware/waf_ddos/index.js +2 -2
package/middleware/waf_ddos/middleware.json +3 -3
package/middleware/waf_xss/index.js +1 -1
package/middleware/waf_xss/middleware.json +1 -1
package/middleware/web_after/middleware.json +2 -1
package/middleware/web_base/middleware.json +2 -1
package/middleware/web_before/middleware.json +2 -1
package/middleware/web_check/middleware.json +2 -1
package/middleware/web_main/middleware.json +2 -1
package/middleware/web_proxy/middleware.json +2 -1
package/middleware/web_render/middleware.json +2 -1
package/middleware/web_socket/middleware.json +2 -1
package/middleware/web_static/middleware.json +2 -1
package/package.json +13 -11
package/middleware/performance/index.js +0 -151
package/middleware/performance/middleware.json +0 -16
package/middleware/security_headers/index.js +0 -487
package/middleware/security_headers/middleware.json +0 -45
package/middleware/waf_ip/index.js +0 -379
package/middleware/waf_ip/middleware.json +0 -49

package/middleware/waf_ip/index.js DELETED Viewed

@@ -1,379 +0,0 @@
-const {
-	exec
-} = require('child_process');
-const platform = require('os').platform();
-/**
- * 获取客户端IP
- * @param {Object} req 请求对象
- * @returns {String} 返回真实IP
- */
-function getClientIP(req) {
-	var ip = req.headers['x-forwarded-for'] || req.headers['X-Forwarded-For'] || req.headers['x-real-ip'] ||
-		req.connection.remoteAddress ||
-		req.socket.remoteAddress ||
-		req.connection.socket.remoteAddress;
-	if (ip && ip.split(',').length > 0) {
-		ip = ip.split(',')[0]; // 取第一个IP地址
-	}
-	// 处理IPv6本地地址
-	if (ip === '::1' || ip === '::ffff:127.0.0.1') {
-		ip = '127.0.0.1';
-	}
-	// 移除可能的端口号
-	if (ip && ip.includes(':')) {
-		ip = ip.split(':')[0];
-	}
-	return ip;
-};
-/**
- * 检查IP是否在白名单中
- * @param {String} ip IP地址
- * @param {Array} whitelist 白名单IP数组
- * @returns {Boolean} 是否在白名单中
- */
-function isInWhitelist(ip, whitelist) {
-	if (!whitelist || !Array.isArray(whitelist)) return false;
-	return whitelist.some(whiteIP => {
-		// 支持CIDR格式（如192.168.1.0/24）
-		if (whiteIP.includes('/')) {
-			return ipInCidr(ip, whiteIP);
-		}
-		return ip === whiteIP;
-	});
-}
-/**
- * 检查IP是否在CIDR范围内
- * @param {String} ip IP地址
- * @param {String} cidr CIDR格式字符串（如192.168.1.0/24）
- * @returns {Boolean} 是否在范围内
- */
-function ipInCidr(ip, cidr) {
-	const [network, prefixLength] = cidr.split('/');
-	const netmask = -1 << (32 - parseInt(prefixLength, 10));
-	function ipToInt(ip) {
-		return ip.split('.').reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
-	}
-	return (ipToInt(ip) & netmask) === (ipToInt(network) & netmask);
-}
-/**
- * 设置黑名单
- * @param {String} ip IP地址
- * @param {Object} config 配置参数
- */
-async function setting_blacklist(ip, config) {
-	// 检查是否已在黑名单中
-	const blacklistKey = `blacklist_${ip}`;
-	try {
-		const isBlacklisted = await $.cache.get(blacklistKey);
-		if (isBlacklisted) {
-			$.log.info(`IP ${ip} 已在黑名单中，无需重复添加`);
-			return;
-		}
-	} catch (error) {
-		$.log.error('检查黑名单缓存错误:', error);
-	}
-	var cmd;
-	if (platform == "win32") {
-		// Windows系统
-		cmd = `netsh advfirewall firewall add rule name="Blacklist ${ip}" dir=in action=block remoteip="${ip}" protocol=any`;
-	} else {
-		// Linux系统 - 不使用sudo，让系统确保权限
-		cmd = `iptables -A INPUT -s ${ip} -j DROP`;
-	}
-	try {
-		// 使用Promise包装exec以支持异步操作
-		await new Promise((resolve, reject) => {
-			exec(cmd, (error, stdout, stderr) => {
-				if (error) {
-					console.error(`执行黑名单命令错误: ${error}`);
-					reject(error);
-					return;
-				}
-				$.log.info(`IP ${ip} 已加入防火墙黑名单`);
-				if (stderr) {
-					console.error(`黑名单命令标准错误: ${stderr}`);
-				}
-				resolve();
-			});
-		});
-		// 记录到缓存，支持黑名单过期时间
-		const expireTime = config.blacklist_expire_time || 86400000; // 默认1天
-		await $.cache.set(blacklistKey, true, expireTime);
-		// 记录黑名单IP，便于管理
-			const blacklistIPsKey = 'blacklisted_ips';
-			let blacklistIPs = [];
-			try {
-				const existing = await $.cache.get(blacklistIPsKey);
-				if (existing) {
-					blacklistIPs = typeof existing === 'string' ? JSON.parse(existing) : existing;
-				}
-				if (!Array.isArray(blacklistIPs)) {
-					blacklistIPs = [];
-				}
-				if (!blacklistIPs.includes(ip)) {
-					blacklistIPs.push(ip);
-					await $.cache.set(blacklistIPsKey, blacklistIPs, 0); // 永不过期
-				}
-			} catch (cacheError) {
-				$.log.error('保存黑名单IP列表错误:', cacheError);
-			}
-	} catch (error) {
-		$.log.error(`添加IP ${ip} 到黑名单失败:`, error);
-	}
-}
-/**
- * 从防火墙中移除黑名单IP
- * @param {String} ip IP地址
- */
-async function remove_blacklist(ip) {
-	var cmd;
-	if (platform == "win32") {
-		// Windows系统
-		cmd = `netsh advfirewall firewall delete rule name="Blacklist ${ip}"`;
-	} else {
-		// Linux系统
-		cmd = `iptables -D INPUT -s ${ip} -j DROP`;
-	}
-	try {
-		await new Promise((resolve, reject) => {
-			exec(cmd, (error, stdout, stderr) => {
-				if (error) {
-					console.error(`移除黑名单命令错误: ${error}`);
-					// 对于Windows，如果规则不存在，delete命令也会返回错误，但这不是严重问题
-					if (platform !== "win32") {
-						reject(error);
-						return;
-					}
-				}
-				$.log.info(`IP ${ip} 已从防火墙黑名单中移除`);
-				if (stderr) {
-					console.error(`移除黑名单命令标准错误: ${stderr}`);
-				}
-				resolve();
-			});
-		});
-		// 从缓存中移除
-		await $.cache.del(`blacklist_${ip}`);
-		// 从黑名单列表中移除
-		const blacklistIPsKey = 'blacklisted_ips';
-		try {
-			const existing = await $.cache.get(blacklistIPsKey);
-			if (existing) {
-				let blacklistIPs = typeof existing === 'string' ? JSON.parse(existing) : existing;
-				if (Array.isArray(blacklistIPs)) {
-					blacklistIPs = blacklistIPs.filter(ipItem => ipItem !== ip);
-					await $.cache.set(blacklistIPsKey, blacklistIPs, 0);
-				}
-			}
-		} catch (cacheError) {
-			$.log.error('更新黑名单IP列表错误:', cacheError);
-		}
-	} catch (error) {
-		$.log.error(`移除IP ${ip} 从黑名单失败:`, error);
-	}
-}
-/**
- * 初始化功能 - 加载持久化的黑名单并应用
- * @param {Object} config 配置参数
- */
-async function initBlacklist(config) {
-	if (!config.persist_blacklist) return;
-	try {
-		const blacklistIPsKey = 'blacklisted_ips';
-		const existing = await $.cache.get(blacklistIPsKey);
-		if (existing) {
-			let blacklistIPs = typeof existing === 'string' ? JSON.parse(existing) : existing;
-			if (Array.isArray(blacklistIPs) && blacklistIPs.length > 0) {
-				$.log.info(`正在应用 ${blacklistIPs.length} 个持久化的黑名单IP规则...`);
-				for (const ip of blacklistIPs) {
-					// 重新应用黑名单规则
-					await setting_blacklist(ip, config);
-				}
-			}
-		}
-	} catch (error) {
-		$.log.error('初始化持久化黑名单失败:', error);
-	}
-}
-/**
- * IP防火墙
- * @param {Object} server 服务
- * @param {Object} config 配置参数
- */
-module.exports = async function(server, config) {
-	// 从配置中获取参数，提供默认值
-	var limit = config.request_limit || 1000; // 默认每分钟1000请求
-	var duration = config.request_duration || 60000; // 默认60秒
-	var block = config.request_block || true; // 默认启用黑名单
-	var whitelist = config.ip_whitelist || []; // IP白名单
-	var blacklist_expire_time = config.blacklist_expire_time || 86400000; // 默认黑名单1天过期
-	var persist_blacklist = config.persist_blacklist !== undefined ? config.persist_blacklist : true; // 是否持久化黑名单
-	// 初始化持久化黑名单
-	if (persist_blacklist) {
-		await initBlacklist(config);
-	}
-	if (limit && duration) {
-		/* WAF（web防火墙） */
-		server.use(async (ctx, next) => {
-			try {
-				var pass = true;
-				// 获取IP
-				var ip = getClientIP(ctx.req);
-				// 检查白名单
-				if (isInWhitelist(ip, whitelist)) {
-					ctx.request.ip = ip;
-					ctx.ip = ip;
-					await next();
-					return;
-				}
-				// 检查是否已被黑名单
-				try {
-					const isBlacklisted = await $.cache.get(`blacklist_${ip}`);
-					if (isBlacklisted) {
-						ctx.status = 403;
-						ctx.body = '您的IP已被禁止访问';
-						return;
-					}
-				} catch (blacklistCheckError) {
-					$.log.error('检查黑名单状态错误:', blacklistCheckError);
-				}
-				var num = 1;
-				var now = new Date();
-				var date = now.toStr('yyyy-MM-dd');
-				var time;
-				var json;
-				try {
-					var str = await $.cache.get("ip_" + ip);
-					if (str) {
-						if (typeof(str) === "string") {
-							try {
-								json = JSON.parse(str);
-							} catch (jsonError) {
-								$.log.error('WAF IP中间件JSON解析错误:', jsonError);
-								json = null;
-							}
-						} else {
-							json = str;
-						}
-						if (json) {
-							try {
-								if (json.date !== date) {
-									num = 1;
-								} else {
-									// 判断时间间隔是否在范围外
-									// 安全地处理json.time，无论它是字符串还是对象
-									if (typeof json.time === 'string') {
-										// 如果json.time是字符串，尝试解析它
-										const savedTime = new Date(json.time);
-										if (!isNaN(savedTime.getTime()) && (now - savedTime) > duration) {
-											num = 1;
-										} else {
-											// 如果是在周期内，访问次数+1，并判断是否超出上限
-											num = json.num + 1;
-											if (num > limit) {
-												// 超出上限禁止访问，并加入黑名单
-												pass = false;
-												if (block) {
-													await setting_blacklist(ip, config);
-												}
-											}
-										}
-									} else if (json.time && json.time.toTime && typeof json.time.toTime().interval === 'function') {
-										// 原有逻辑，处理对象类型的时间
-										if (json.time.toTime().interval(now) > duration) {
-											num = 1;
-										} else {
-											// 如果是在周期内，访问次数+1，并判断是否超出上限
-											num = json.num + 1;
-											if (num > limit) {
-												// 超出上限禁止访问，并加入黑名单
-												pass = false;
-												if (block) {
-													await setting_blacklist(ip, config);
-												}
-											}
-										}
-									} else {
-										// 默认情况：如果时间格式不正确，重置计数
-										num = 1;
-									}
-								}
-							} catch (timeError) {
-								$.log.error('WAF IP中间件时间处理错误:', timeError);
-								// 出错时重置计数以保证安全
-								num = 1;
-							}
-						}
-					}
-				} catch (cacheError) {
-					$.log.error('WAF IP中间件缓存操作错误:', cacheError);
-					// 缓存出错时，默认允许请求通过
-				}
-				if (!time) {
-					time = now.toStr('yyyy-MM-dd hh:mm:ss');
-				}
-				if (pass) {
-					try {
-						await $.cache.set("ip_" + ip, JSON.stringify({
-							date,
-							time,
-							num
-						}), duration);
-					} catch (setCacheError) {
-						$.log.error('WAF IP中间件缓存设置错误:', setCacheError);
-						// 缓存设置失败不影响请求处理
-					}
-					ctx.request.ip = ip;
-					ctx.ip = ip;
-					await next();
-				} else {
-					ctx.status = 429;
-					ctx.body = '请求频率过高，请稍后再试。';
-				}
-			} catch (error) {
-				$.log.error('WAF IP中间件错误:', error);
-				// 出错时默认允许请求通过
-				ctx.ip = getClientIP(ctx.req);
-				await next();
-			}
-		});
-	}
-	// 提供手动管理黑名单的API方法
-	if (!$.waf_ip) {
-		$.waf_ip = {
-			addBlacklist: setting_blacklist,
-			removeBlacklist: remove_blacklist,
-			getClientIP: getClientIP,
-			isInWhitelist: isInWhitelist
-		};
-	}
-	return server;
-};

package/middleware/waf_ip/middleware.json DELETED Viewed

@@ -1,49 +0,0 @@
-{
-	"name": "web_waf_ip",
-	"title": "IP防火墙增强版",
-	"description": "增强版IP防火墙，支持IP白名单、黑名单持久化、自动过期等功能，有效防止DOS攻击",
-	"version": "2.0",
-	"type": "web",
-	"process_type": "common_before",
-	"sort": 10,
-	"state": 1,
-	"config": {
-		"request_limit": {
-			"type": "number",
-			"title": "请求限制数量",
-			"description": "在指定时间内允许的最大请求数",
-			"value": 1000,
-			"placeholder": "请输入数字"
-		},
-		"request_duration": {
-			"type": "number",
-			"title": "统计时间窗口（毫秒）",
-			"description": "请求计数的时间窗口，单位为毫秒",
-			"value": 60000,
-			"placeholder": "请输入毫秒数"
-		},
-		"request_block": {
-			"type": "boolean",
-			"title": "启用黑名单封禁",
-			"description": "是否将超限IP添加到系统防火墙黑名单",
-			"value": true
-		},
-		"ip_whitelist": [
-			"192.168.31.5",
-			"127.0.0.1"
-		],
-		"blacklist_expire_time": {
-			"type": "number",
-			"title": "黑名单过期时间（毫秒）",
-			"description": "IP被添加到黑名单后自动失效的时间，单位为毫秒",
-			"value": 86400000,
-			"placeholder": "请输入毫秒数"
-		},
-		"persist_blacklist": {
-			"type": "boolean",
-			"title": "持久化黑名单",
-			"description": "系统重启后是否自动重新应用已保存的黑名单规则",
-			"value": true
-		}
-	}
-}