UNPKG

database-proxy

Version:

Through a set of access control rules configuration database access to realize the client directly access the database via HTTP.

github.com/labring/laf

labring/laf

185 lines (184 loc) 5.04 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.SecurityUtil = void 0; const types_1 = require("../types"); /** * 安全工具 */ class SecurityUtil { // 检查字段名是否合法:data field, query field static checkField(name) { if (this.isQueryOrLogicOperator(name)) { return true; } const black_list = [ ' ', '#', // ' or ', ';', `'`, `"`, '`', '-', '/', '*', '\\', '+', '%', ]; if (this.containChars(name, black_list)) { return false; } return true; } // 检查字段名是否合法:data field, query field static checkProjection(name) { const black_list = [ '#', ' or ', ';', `'`, `"`, '`', '+', '-', '/', '\\', '%', ]; if (this.containChars(name, black_list)) { return false; } return true; } /** * 递归收集 query 中的字段列表,去除操作符(逻辑、查询操作符) * @param query 请求 query 对象 * @returns */ static resolveFieldFromQuery(query) { const sets = []; for (const key in query) { if (this.isQueryOrLogicOperator(key)) { const ret = this.resolveFieldFromQuery(query[key]); sets.push(...ret); } else { sets.push(key); } } return sets; } /** * 递归收集 data 中的字段列表,去除更新操作符 * @param data */ static resolveFieldFromData(data) { const sets = []; for (const key in data) { if (this.isUpdateOperator(key)) { const ret = this.resolveFieldFromData(data[key]); sets.push(...ret); } else { sets.push(key); } } return sets; } /** * 判断字段列是否都在白名单内 * @param input_fields [string] 输入字段列表 * @param allow_fields [string] 允许的字段列表 */ static isAllowedFields(input_fields, allow_fields) { for (const fd of input_fields) { if (!allow_fields.includes(fd)) return `the field '${fd}' is NOT allowed]`; } return null; } /** * 检查给定字符串中是否包含指定字符 * @param source 字符串 * @param str_list 字符白名单或黑名单 * @returns */ static containChars(source, str_list) { for (const ch of str_list) { if (source.indexOf(ch) >= 0) return true; } return false; } // 是否为逻辑操作符 static isLogicOperator(key) { const keys = Object.keys(types_1.LOGIC_COMMANDS).map((k) => types_1.LOGIC_COMMANDS[k]); return keys.includes(key); } // 是否为查询操作符(QUERY_COMMANDS) static isQueryOperator(key) { const keys = Object.keys(types_1.QUERY_COMMANDS).map((k) => types_1.QUERY_COMMANDS[k]); return keys.includes(key); } // 是否为查询或逻辑操作符 static isQueryOrLogicOperator(key) { return this.isLogicOperator(key) || this.isQueryOperator(key); } // 是否存在更新操作符 static hasUpdateOperator(data) { const OPTRS = Object.values(types_1.UPDATE_COMMANDS); let has = false; const checkMixed = (objs) => { if (typeof objs !== 'object') return; for (const key in objs) { if (OPTRS.includes(key)) { has = true; } else if (typeof objs[key] === 'object') { checkMixed(objs[key]); } } }; checkMixed(data); return has; } // 是否为更新操作符 static isUpdateOperator(key) { const keys = Object.keys(types_1.UPDATE_COMMANDS).map((k) => types_1.UPDATE_COMMANDS[k]); return keys.includes(key); } /** * 将带操作符的 data 对象平铺 * data: { title: '', $set: { content: '', author: 123 }, $inc: { age: 1 }, $push: { grades: 99, }, } */ static flattenData(data = {}) { const result = {}; for (const key in data) { if (!this.isUpdateOperator(key)) { result[key] = data[key]; continue; } const obj = data[key]; for (const k in obj) { result[k] = obj[k]; } } return result; } } exports.SecurityUtil = SecurityUtil;