zet-lib 3.2.4 → 3.3.1

package/lib/Form.js

@@ -4,6 +4,7 @@
  */
 
 const Util = require("./Util");
+const path = require('path');
 
 const Form = {};
 // Menghitung jumlah tanda "[" dalam str
@@ -550,7 +551,12 @@ Form.field = (obj) => {
       break;
 
     case "html":
-      displayForm = obj.code;
+      let obj_code = typeof obj.code === 'string' ? obj.code : '';
+      if (!obj_code && obj.code) {
+        const dir = path.join(dirRoot,'public','runtime','html',obj.routeName,obj.id+'.txt')
+        obj_code = Util.readFile(dir);
+      }
+      displayForm = obj_code;
       break;
 
     case "location":
@@ -1038,7 +1044,7 @@ Form.build = (obj) => {
   }
 
   if(obj.type == "html") {
-    html = obj.code;
+    html = Form.field(obj)
   }
   return html;
 };

package/lib/Mail.js

@@ -1,4 +1,5 @@
 require("dotenv").config();
+const path = require('path');
 const nodemailer = require('nodemailer')
 const ejs = require('ejs')
 const Util = require('./Util')
@@ -47,7 +48,7 @@ MAIL.send = function (options = {}, transporter = null) {
 }
 
 MAIL.forgotPassword = (datas = {}, options = {}) => {
-  ejs.renderFile(`${dirRoot}/views/layouts/email/forgot_password.ejs`, { data: datas, Util: Util }, function (err, data) {
+  ejs.renderFile(path.join(dirRoot, 'views', 'layouts', 'email', 'forgot_password.ejs'), { data: datas, Util: Util }, function (err, data) {
     let option = Object.assign(mailOptions, options)
     option.html = data
     if (err) {
@@ -59,7 +60,7 @@ MAIL.forgotPassword = (datas = {}, options = {}) => {
 }
 
 MAIL.register = (datas = {}, options = {}) => {
-  ejs.renderFile(`${dirRoot}/views/layouts/email/register.ejs`, { data: datas, Util: Util }, function (err, data) {
+  ejs.renderFile(path.join(dirRoot, 'views', 'layouts', 'email', 'register.ejs'), { data: datas, Util: Util }, function (err, data) {
     let option = Object.assign(mailOptions, options)
     option.html = data
     if (err) {
@@ -88,7 +89,7 @@ MAIL.approval = (req, res, data, email) => {
   });
 
   ejs.renderFile(
-      dirRoot + "/views/layouts/email/approval.ejs",
+      path.join(dirRoot, 'views', 'layouts', 'email', 'approval.ejs'),
       { data: data, Util: Util },
       function (err, html) {
         if (err) {

package/lib/Model.js

@@ -2394,7 +2394,8 @@ Model.relation = {
         "isSearch",
         "order_by",
         "import_field",
-        "relation_info"
+        "relation_info",
+        "isAttributes",
     ],
     labels: {
         required: "Required",
@@ -2413,7 +2414,8 @@ Model.relation = {
         isSearch:"Auto complete Search",
         order_by : "Order By",
         import_field :"Default Import Field (id)",
-        relation_info : "Relation Data"
+        relation_info : "Relation Data",
+        isAttributes:"Show all attributes data",
     },
     defaultValues: {
         required: false,
@@ -2423,6 +2425,7 @@ Model.relation = {
         name: "username",
         concat: "CONCAT(fullname, ' ',email)",
         where:"",
+        isAttributes:false,
         isChain: false,
         onChange: "",
         information: "",
@@ -2463,6 +2466,10 @@ Model.relation = {
             tag: "input",
             type: "text",
         },
+        isAttributes: {
+            tag: "input",
+            type: "checkbox",
+        },
         isChain: {
             tag: "input",
             type: "checkbox",

package/lib/connection.js

@@ -21,6 +21,77 @@ pool.on('error', (err) => {
   console.error('Unexpected error on idle client', err)
 })
 
+// Validasi identifier (nama tabel) untuk mencegah SQL injection
+const SAFE_IDENTIFIER = /^[a-zA-Z_][a-zA-Z0-9_]*(?:\.[a-zA-Z_][a-zA-Z0-9_]*)?$/
+const sanitizeTableName = (table) => {
+  if (typeof table !== 'string' || !table.trim()) return ''
+  const t = table.trim()
+  if (!SAFE_IDENTIFIER.test(t)) {
+    throw new Error(`Invalid table name: ${t}`)
+  }
+  return t
+}
+
+// Validasi limit/offset sebagai integer non-negatif
+const toSafeNonNegativeInt = (val, fallback) => {
+  if (val === undefined || val === null) return fallback
+  const n = parseInt(val, 10)
+  if (!Number.isInteger(n) || n < 0) return fallback
+  return n
+}
+
+// Validasi satu segmen ORDER BY (identifier + optional ASC/DESC) untuk mencegah SQL injection
+const SAFE_IDENTIFIER_PART = /^[a-zA-Z_][a-zA-Z0-9_]*$/
+const sanitizeOrderBySegment = (segment) => {
+  if (typeof segment !== 'string' || !segment.trim()) return ''
+  const parts = segment.trim().split(/\s+/)
+  const ident = parts[0]
+  const dir = parts[1] ? parts[1].toUpperCase() : ''
+  if (dir && dir !== 'ASC' && dir !== 'DESC') return ''
+  const identParts = ident.split('.')
+  const valid = identParts.length > 0 && identParts.every(p => SAFE_IDENTIFIER_PART.test(p))
+  if (!valid) return ''
+  const quotedIdent = identParts.map(p => `"${p}"`).join('.')
+  return dir ? `${quotedIdent} ${dir}` : quotedIdent
+}
+
+// Validasi nama kolom (identifier tunggal) untuk INSERT/UPDATE
+const sanitizeColumnName = (key) => SAFE_IDENTIFIER_PART.test(String(key).trim()) ? String(key).trim() : null
+
+// Validasi klausa RETURNING: hanya RETURNING * atau RETURNING col1, col2, ...
+const SAFE_RETURNING = /^RETURNING \*$/i
+const SAFE_RETURNING_COLS = /^RETURNING ([a-zA-Z_][a-zA-Z0-9_]*)(,\s*[a-zA-Z_][a-zA-Z0-9_]*)*$/i
+const sanitizeReturning = (clause) => {
+  if (typeof clause !== 'string' || !clause.trim()) return 'RETURNING *'
+  const s = clause.trim()
+  if (SAFE_RETURNING.test(s)) return s
+  if (SAFE_RETURNING_COLS.test(s)) return s
+  return 'RETURNING *'
+}
+
+// Validasi field di WHERE (identifier atau schema.table)
+const sanitizeWhereField = (field) => {
+  if (field == null || typeof field !== 'string' || !field.trim()) return ''
+  const identParts = String(field).trim().split('.')
+  const valid = identParts.length > 0 && identParts.every(p => SAFE_IDENTIFIER_PART.test(p))
+  if (!valid) return ''
+  return identParts.map(p => `"${p}"`).join('.')
+}
+
+// Whitelist operator perbandingan untuk WHERE
+const SAFE_WHERE_OPERATORS = new Set(['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'ILIKE', 'IS NOT', 'IS'])
+const sanitizeWhereOption = (option) => {
+  if (option == null || typeof option !== 'string') return ''
+  const s = String(option).trim().toUpperCase()
+  return SAFE_WHERE_OPERATORS.has(s) ? s : ''
+}
+
+const sanitizeWhereConnector = (op) => {
+  if (op == null || typeof op !== 'string') return ' AND '
+  const s = String(op).trim().toUpperCase()
+  return (s === 'OR' ? ' OR ' : ' AND ')
+}
+
 const connection = {}
 
 connection.query = async (string, arr) => {
@@ -53,9 +124,11 @@ const orderByFn = (obj) => {
       }
     }
   }
-  if (obj.hasOwnProperty('order_by')) {
-    orderBy = ` ORDER BY  `
-    orderBy += obj.order_by.join(',')
+  if (obj.hasOwnProperty('order_by') && Array.isArray(obj.order_by) && obj.order_by.length) {
+    const segments = obj.order_by.map(sanitizeOrderBySegment).filter(Boolean)
+    if (segments.length) {
+      orderBy = ` ORDER BY ${segments.join(', ')} `
+    }
   }
 
   return orderBy
@@ -67,7 +140,7 @@ const whereFn = (obj) => {
   const whereArray = obj.whereArray || []
   let increment = 1
   let arr = [],
-    wherequery = []
+      wherequery = []
   for (const key in where) {
     wherequery.push(key.indexOf('.') > -1 ? ` ${key} = $${increment} ` : ` "${key}" = $${increment}`)
     arr.push(where[key])
@@ -93,14 +166,17 @@ const whereFn = (obj) => {
       } else {
         field = item.field.indexOf('.') > -1 ? item.field : item.field ? ` "${item.field}" ` : ''
       }
-      //is JSON is field is JSON
-      //JSON_CONTAINS(color, '"Red"' ,'$')
+      // PostgreSQL: jsonb containment (@>) dengan parameter untuk keamanan
       if (item.isJSON) {
-        wherequery += andOr + ` JSON_CONTAINS(${field}, '"${item.value}"' ,'$')  ${operator}`
+        wherequery += andOr + ` (${String(field).trim()})::jsonb @> $${increment}::jsonb ${operator}`
+        arr.push(JSON.stringify(item.value))
+        increment++
         hasWhere = true
       } else {
         if (type == 'json') {
-          wherequery += andOr + ` JSON_CONTAINS(${field}, '"${item.value}"' ,'$')  ${operator}`
+          wherequery += andOr + ` (${String(field).trim()})::jsonb @> $${increment}::jsonb ${operator}`
+          arr.push(JSON.stringify(item.value))
+          increment++
           hasWhere = true
         } else if (type == 'inline') {
           //select * from attendance where employee_id = 4803 and date IN ('2023-12-21','2023-12-22')
@@ -150,11 +226,13 @@ const whereFn = (obj) => {
 }
 
 connection.results = async (obj) => {
+  const table = sanitizeTableName(obj.table || '')
   const select = obj.select || '*'
-  const table = obj.table || ''
   const statement = obj.statement || ''
-  const limit = obj.limit ? ` LIMIT ${obj.limit} ` : ''
-  const offset = obj.hasOwnProperty('offset') ? ` OFFSET ${obj.offset} ` : obj.limit ? 'OFFSET 0' : ''
+  const limitVal = toSafeNonNegativeInt(obj.limit, null)
+  const offsetVal = obj.hasOwnProperty('offset') ? toSafeNonNegativeInt(obj.offset, 0) : (obj.limit ? 0 : null)
+  const limit = limitVal !== null ? ` LIMIT ${limitVal} ` : ''
+  const offset = offsetVal !== null ? ` OFFSET ${offsetVal} ` : ''
   const orderBy = orderByFn(obj)
   const values = obj.values || []
   const objJoin = obj.joins || []
@@ -166,35 +244,16 @@ connection.results = async (obj) => {
   const wheres = whereObj.where
   const arr = whereObj.arr
 
-  // --- OPTIMIZATION: Fast count for count(id) as count ---
-  if (select.trim().toLowerCase() === 'count(id) as count' && !wheres) {
-    // No filter, use fast count from pg_class
-    const sql = `SELECT reltuples::bigint AS count FROM pg_class WHERE relname = '${table}'`;
-    try {
-      const start = Date.now();
-      const result = await pool.query(sql);
-      const elapsed = Date.now() - start;
-      console.log(`[zet-lib] Fast count for ${table}: ${elapsed}ms`);
-      return result.rows;
-    } catch (e) {
-      console.log(sql)
-      console.log(e.toString())
-    }
-  }
-
-  const sql = `SELECT ${select} FROM  "${table}" ${join} ${wheres} ${statement} ${orderBy} ${limit}  ${offset}`
+  const sql = `SELECT ${select} FROM "${table}" ${join} ${wheres} ${statement} ${orderBy} ${limit} ${offset}`.replace(/\s+/g, ' ').trim()
   try {
-    const start = Date.now();
+    const start = Date.now()
     const result = await pool.query(sql, arr.length ? arr : values.length ? values : null)
-    const elapsed = Date.now() - start;
-    /*if (select.trim().toLowerCase() === 'count(id) as count') {
-      console.log(`[zet-lib] Count query for ${table}: ${elapsed}ms`);
-    }*/
     return !result.rows ? [] : result.rows
   } catch (e) {
     console.log(sql)
     console.log(arr)
     console.log(e.toString())
+    throw e
   }
 }
 
@@ -229,25 +288,26 @@ connection.result = async (obj) => {
 }
 
 connection.insert = async (obj) => {
-  let result
-  const table = obj.table
-  const data = obj.data
+  const table = sanitizeTableName(obj.table || '')
+  if (!table) throw new Error('Table name is required for insert')
+  const data = { ...obj.data }
+  const returning = sanitizeReturning(data.returning || 'RETURNING *')
+  delete data.returning
   let increment = 1
   const datas = []
   const values = []
   const arr = []
-  const returning = data.returning || 'RETURNING *'
-  delete data.returning
   for (const key in data) {
-    datas.push(key)
-    values.push(`$${increment}`)
-    arr.push(data[key])
-    increment++
+    const col = sanitizeColumnName(key)
+    if (col) {
+      datas.push(col)
+      values.push(`$${increment}`)
+      arr.push(data[key])
+      increment++
+    }
   }
-  const sql = `INSERT INTO "${table}" ("${datas.join('","')}")  VALUES (${values.join(',')})  ${returning}`
-  /* console.log("ON INSERT " + sql)
-     console.log(arr)
- */
+  if (datas.length === 0) throw new Error('At least one valid column is required for insert')
+  const sql = `INSERT INTO "${table}" ("${datas.join('","')}") VALUES (${values.join(',')}) ${returning}`
 
   try {
     const results = await pool.query(sql, arr)
@@ -261,45 +321,59 @@ connection.insert = async (obj) => {
 }
 
 connection.update = async (obj) => {
-  const table = obj.table
-  const data = obj.data
-  const returning = data.returning || 'RETURNING *'
+  const table = sanitizeTableName(obj.table || '')
+  if (!table) throw new Error('Table name is required for update')
+  const data = { ...obj.data }
+  const returning = sanitizeReturning(data.returning || 'RETURNING *')
   delete data.returning
 
   const where = obj.where || {}
-  //[{field:"your_field",option:"=>",value:"12",operator:"AND"}]
-  let whereArray = obj.whereArray || []
-  const arr = [],
-    dataArr = []
+  const whereArray = obj.whereArray || []
+  const arr = []
+  const dataArr = []
   let wherequery = []
   let increment = 1
-  for (let key in data) {
-    dataArr.push(` "${key}" = $${increment}`)
-    arr.push(data[key])
-    increment++
+
+  for (const key in data) {
+    const col = sanitizeColumnName(key)
+    if (col) {
+      dataArr.push(`"${col}" = $${increment}`)
+      arr.push(data[key])
+      increment++
+    }
   }
-  for (var key in where) {
-    wherequery.push(` "${key}" =  $${increment}`)
-    arr.push(where[key])
-    increment++
+  if (dataArr.length === 0) throw new Error('At least one valid column is required for update')
+
+  for (const key in where) {
+    const col = sanitizeColumnName(key)
+    if (col) {
+      wherequery.push(`"${col}" = $${increment}`)
+      arr.push(where[key])
+      increment++
+    }
   }
-  wherequery = arr.length ? wherequery.join(' AND ') : ''
+  wherequery = wherequery.length ? wherequery.join(' AND ') : ''
+
   if (whereArray.length) {
     let andOr = wherequery ? ' AND ' : ''
     whereArray.forEach((item, index) => {
       if (index > 0) andOr = ''
-      const operator = !item.operator ? ' AND ' : item.operator
-      const field = item.field.indexOf('.') > -1 ? item.field : `"${item.field}"`
-      wherequery += `${andOr} ${field} ${item.option} $${increment} ${operator}`
-      arr.push(item.value)
-      increment++
+      const field = sanitizeWhereField(item.field)
+      const option = sanitizeWhereOption(item.option)
+      const connector = sanitizeWhereConnector(item.operator)
+      if (field && option) {
+        wherequery += `${andOr} ${field} ${option} $${increment} ${connector}`
+        arr.push(item.value)
+        increment++
+      }
     })
-    wherequery = wherequery.slice(0, -5)
+    if (wherequery.endsWith(' AND ')) wherequery = wherequery.slice(0, -5)
+    else if (wherequery.endsWith(' OR ')) wherequery = wherequery.slice(0, -4)
   }
-  const wheres = arr.length ? ' WHERE ' + wherequery : ''
-  const sql = `UPDATE "${table}" SET ${dataArr.join(', ')} ${wheres} ${returning}`
-  /* console.log(sql);
-      console.log(arr);*/
+
+  const wheres = wherequery ? ' WHERE ' + wherequery : ''
+  const sql = `UPDATE "${table}" SET ${dataArr.join(', ')}${wheres} ${returning}`
+
   try {
     const result = await pool.query(sql, arr)
     return result.rows[0]
@@ -312,21 +386,23 @@ connection.update = async (obj) => {
 }
 
 connection.delete = async (obj) => {
-  const table = obj.table
+  const table = sanitizeTableName(obj.table || '')
+  if (!table) throw new Error('Table name is required for delete')
   const where = obj.where || {}
-  let arr = [],
-    wherequery = []
+  const arr = []
+  const wherequery = []
   let increment = 1
   for (const key in where) {
-    wherequery.push(` "${key}" = $${increment}`)
-    arr.push(where[key])
-    increment++
+    const col = sanitizeColumnName(key)
+    if (col) {
+      wherequery.push(`"${col}" = $${increment}`)
+      arr.push(where[key])
+      increment++
+    }
   }
-  wherequery = arr.length ? wherequery.join(' AND ') : ''
-  const wheres = arr.length ? ' WHERE ' + wherequery : ''
-  const sql = `DELETE FROM "${table}" ${wheres} RETURNING *`
-  /*console.log(sql);
-    console.log(arr)*/
+  const whereClause = wherequery.length ? wherequery.join(' AND ') : ''
+  const wheres = whereClause ? ' WHERE ' + whereClause : ''
+  const sql = `DELETE FROM "${table}"${wheres} RETURNING *`
   try {
     return await pool.query(sql, arr)
   } catch (e) {
@@ -346,7 +422,7 @@ connection.insertData = async(tableName, data) => {
     }
 
     pgPool = new Pool(configPG);
-    
+
     const columns = Object.keys(data);
     if (columns.length === 0) {
       throw new Error('No columns found in the data object');
@@ -381,7 +457,7 @@ connection.deleteData = async(tableName, where) => {
     }
 
     pgPool = new Pool(configPG);
-    
+
     const whereColumns = Object.keys(where);
     if (whereColumns.length === 0) {
       throw new Error('No where conditions provided for delete');
@@ -417,13 +493,13 @@ connection.insertMultipleRecords = async(tableName,records) => {
     }
 
     pgPool = new Pool(configPG);
-    
+
     // Validasi bahwa semua records memiliki struktur yang sama
     const firstRecord = records[0];
     if (!firstRecord || typeof firstRecord !== 'object') {
       throw new Error('First record is invalid or empty');
     }
-    
+
     const columns = Object.keys(firstRecord);
     if (columns.length === 0) {
       throw new Error('No columns found in the first record');
@@ -444,7 +520,7 @@ connection.insertMultipleRecords = async(tableName,records) => {
     const placeholders = records.map((_, rowIndex) =>
         `(${columns.map((_, colIndex) => `$${rowIndex * columns.length + colIndex + 1}`).join(',')})`
     ).join(',');
-    
+
     // Create the INSERT query
     const insertQuery = `
             INSERT INTO "${tableName}" (${columns.map(col => `"${col}"`).join(',')})

package/lib/generatorApp.js

@@ -34,7 +34,7 @@ generatorApp.CREATE_MODEL_API = async (columns, constraintList, MYMODEL) => {
 generatorApp.CREATE_ROUTER = async (MYMODEL, zFields) => {
     let CONTENT =
         zFields.router ||
-        fs.readFileSync(generatorApp.DIRECTORY + "/routerApp.ejs", "utf-8");
+        fs.readFileSync(path.join(generatorApp.DIRECTORY, "routerApp.ejs"), "utf-8");
     const zfields = await connection.result({
         table: "zfields",
         where: { table: MYMODEL.table },
@@ -58,7 +58,7 @@ generatorApp.CREATE_ROUTER = async (MYMODEL, zFields) => {
     }
 
     fs.writeFileSync(
-        generatorApp.DIRECTORY_ROUTES + "/" + MYMODEL.table + ".js",
+        path.join(generatorApp.DIRECTORY_ROUTES, MYMODEL.table + ".js"),
         CONTENT,
         "utf-8"
     );
@@ -67,7 +67,7 @@ generatorApp.CREATE_ROUTER = async (MYMODEL, zFields) => {
 generatorApp.CREATE_ROUTER_API = (MYMODEL, zfields) => {
     let CONTENT =
         zfields.router ||
-        fs.readFileSync(generatorApp.DIRECTORY + "/routerApp.ejs", "utf-8");
+        fs.readFileSync(path.join(generatorApp.DIRECTORY, "routerApp.ejs"), "utf-8");
     //var zfields = await connection.result({table: "zfields", where: {table: MYMODEL.table}});
     const ADDITIONAL_FIELDS = generatorApp.ADDITIONAL_FIELDS(MYMODEL);
     const OBJ = {
@@ -86,7 +86,7 @@ generatorApp.CREATE_ROUTER_API = (MYMODEL, zfields) => {
     for (let KEY in OBJ) {
         CONTENT = Util.replaceAll(CONTENT, "[[[" + KEY + "]]]", OBJ[KEY]);
     }
-    //fs.writeFileSync(generatorApp.DIRECTORY_ROUTES + "/" + MYMODEL.table + ".js", CONTENT, 'utf-8');
+    //fs.writeFileSync(path.join(generatorApp.DIRECTORY_ROUTES, MYMODEL.table + ".js"), CONTENT, 'utf-8');
     return {
         filename: MYMODEL.table + ".js",
         content: CONTENT,
@@ -123,7 +123,7 @@ generatorApp.CREATE_VIEWS = async (MYMODEL, zFields) => {
         "[[[GENERATE_VIEW]]]": GENERATE_VIEW,
     };
 
-    const DIR_VIEW = generatorApp.DIRECTORY_VIEWS + "/" + MYMODEL.table;
+    const DIR_VIEW = path.join(generatorApp.DIRECTORY_VIEWS, MYMODEL.table);
     if (!fs.existsSync(DIR_VIEW)) {
         fs.mkdirSync(DIR_VIEW);
     }
@@ -133,16 +133,16 @@ generatorApp.CREATE_VIEWS = async (MYMODEL, zFields) => {
         name = name.replace(".", "_");
         let source = zFields[name];
         if (source) {
-            fs.writeFileSync(DIR_VIEW + "/" + item, source);
+            fs.writeFileSync(path.join(DIR_VIEW, item), source);
         } else {
-            source = generatorApp.DIRECTORY_GENERATOR_VIEWS + "/" + item;
-            fs.copySync(source, DIR_VIEW + "/" + item);
+            source = path.join(generatorApp.DIRECTORY_GENERATOR_VIEWS, item);
+            fs.copySync(source, path.join(DIR_VIEW, item));
         }
-        console.log(DIR_VIEW + "/" + item);
+        console.log(path.join(DIR_VIEW, item));
         for (let KEY in OBJ) {
             generatorApp.MODIFIY(
-                DIR_VIEW + "/" + item,
-                DIR_VIEW + "/" + item,
+                path.join(DIR_VIEW, item),
+                path.join(DIR_VIEW, item),
                 KEY,
                 OBJ[KEY]
             );
@@ -183,7 +183,7 @@ generatorApp.CREATE_VIEWS_API = (MYMODEL, zFields) => {
         "[[[GENERATE_VIEW]]]": GENERATE_VIEW,
     };
 
-    const DIR_VIEW = `${dirRoot}/public/temp/${token}`;
+    const DIR_VIEW = path.join(dirRoot, "public", "temp", token);
     if (!fs.existsSync(DIR_VIEW)) {
         fs.mkdirSync(DIR_VIEW);
     }
@@ -194,23 +194,23 @@ generatorApp.CREATE_VIEWS_API = (MYMODEL, zFields) => {
         name = name.replace(".", "_");
         let source = zFields.hasOwnProperty(name)
             ? zFields[name]
-            : fs.readFileSync(generatorApp.DIRECTORY_GENERATOR_VIEWS + "/" + item, {
+            : fs.readFileSync(path.join(generatorApp.DIRECTORY_GENERATOR_VIEWS, item), {
                 encoding: "utf8",
                 flag: "r",
             });
         if (source) {
-            fs.writeFileSync(DIR_VIEW + "/" + item, source);
+            fs.writeFileSync(path.join(DIR_VIEW, item), source);
         } else {
             source = fs.readFileSync(
-                generatorApp.DIRECTORY_GENERATOR_VIEWS + "/" + item,
+                path.join(generatorApp.DIRECTORY_GENERATOR_VIEWS, item),
                 { encoding: "utf8", flag: "r" }
             );
-            fs.copySync(source, DIR_VIEW + "/" + item);
+            fs.copySync(source, path.join(DIR_VIEW, item));
         }
         for (let KEY in OBJ) {
             generatorApp.MODIFIY(
-                DIR_VIEW + "/" + item,
-                DIR_VIEW + "/" + item,
+                path.join(DIR_VIEW, item),
+                path.join(DIR_VIEW, item),
                 KEY,
                 OBJ[KEY]
             );
@@ -218,7 +218,7 @@ generatorApp.CREATE_VIEWS_API = (MYMODEL, zFields) => {
     }
     for (let i = 0; i < views.length; i++) {
         const item = views[i];
-        datas[item] = fs.readFileSync(`${DIR_VIEW}/${item}`, {
+        datas[item] = fs.readFileSync(path.join(DIR_VIEW, item), {
             encoding: "utf8",
             flag: "r",
         });