package filesystem
import "path/filepath"
// Config is the top-level configuration of the filesystem package.
//
// Every security policy and performance parameter is carried here rather
// than hard-coded at the point of use; DefaultConfig supplies the defaults.
type Config struct {
	// Security holds the security policy settings (path validation,
	// delete restrictions and file-type rules).
	Security SecurityConfig

	// Performance holds buffer sizes and timeouts.
	Performance PerformanceConfig

	// Features holds the feature switches.
	Features FeatureConfig
}
// SecurityConfig groups the security policy settings.
type SecurityConfig struct {
	// PathValidation controls which paths may be accessed at all.
	PathValidation PathValidationConfig

	// DeleteRestrictions controls limits applied to delete operations.
	DeleteRestrictions DeleteRestrictionsConfig

	// FileTypes controls which file extensions are accepted and how they
	// are mapped to MIME types and size limits.
	FileTypes FileTypeConfig
}
// PathValidationConfig controls how paths are validated before use.
//
// The defaults (see DefaultConfig) are the restrictive ones: symlinks and
// UNC paths are rejected and Windows system paths are checked.
type PathValidationConfig struct {
	// AllowSymlinks reports whether symbolic links are permitted
	// (default false).
	AllowSymlinks bool

	// AllowUNCPaths reports whether UNC network paths are permitted
	// (default false).
	AllowUNCPaths bool

	// CheckWindowsSystemPaths reports whether Windows system paths are
	// checked (default true).
	CheckWindowsSystemPaths bool

	// ForbiddenPaths lists paths that must not be accessed. This is a
	// denylist: anything not listed is reachable, so the list must be
	// reviewed when the deployment's sensitive locations differ from the
	// defaults in getDefaultForbiddenPaths.
	ForbiddenPaths []string

	// SensitivePaths lists paths that require an additional confirmation
	// before access (the confirmation flow itself lives outside this file).
	SensitivePaths []string

	// MaxDepth is the maximum allowed path depth; 0 means unlimited.
	MaxDepth int
}
// DeleteRestrictionsConfig limits what a delete operation may remove.
//
// DefaultConfig leaves Enabled false; the remaining limits presumably only
// take effect once Enabled is true (the enforcement code is outside this
// file — confirm).
type DeleteRestrictionsConfig struct {
	// Enabled reports whether delete restrictions are enforced.
	Enabled bool

	// MaxFileSizeGB is the largest single file (in GB) that may be deleted;
	// 0 means unlimited. Default 1.0.
	MaxFileSizeGB float64

	// MaxDirSizeGB is the largest directory (in GB) that may be deleted;
	// 0 means unlimited. Default 1.0.
	MaxDirSizeGB float64

	// MaxDepth is the maximum directory depth; 0 means unlimited. Default 15.
	MaxDepth int

	// MaxFileCount is the maximum number of files; 0 means unlimited.
	// Default 1000.
	MaxFileCount int

	// RequireConfirm selects, when a limit is exceeded, whether to ask the
	// user for confirmation instead of rejecting outright. Default true.
	RequireConfirm bool

	// ForbiddenPaths lists paths that must never be deleted (critical
	// system directories). The defaults in getDeleteForbiddenPaths are bare
	// directory names, not absolute paths.
	ForbiddenPaths []string
}
// FileTypeConfig controls file-type handling.
//
// All maps are keyed by extension including the leading dot, and the
// defaults use lowercase keys only (e.g. ".jpg"). Callers are therefore
// expected to lowercase the extension before lookup — e.g.
// strings.ToLower(filepath.Ext(name)) — otherwise ".PEM" would not match
// the ".pem" denylist entry; confirm against the lookup sites.
type FileTypeConfig struct {
	// AllowedExtensions is the allowlist of file extensions.
	AllowedExtensions map[string]bool

	// ForbiddenExtensions is the denylist of file extensions.
	ForbiddenExtensions map[string]bool

	// MIMETypeMapping maps an extension to the MIME type used to serve it.
	MIMETypeMapping map[string]string

	// MaxFileSizeMap holds the maximum file size in bytes per extension.
	// DefaultConfig leaves it empty (no per-type limits).
	MaxFileSizeMap map[string]int64
}
// PerformanceConfig groups the performance tuning settings.
type PerformanceConfig struct {
	// BufferSizes holds the buffer sizes used by the I/O paths.
	BufferSizes BufferSizeConfig

	// Timeouts holds the intervals used by background tasks.
	Timeouts TimeoutConfig
}
// BufferSizeConfig holds buffer sizes. Judging by the defaults in
// DefaultConfig (32*1024, 64*1024) the values are in bytes.
type BufferSizeConfig struct {
	// AuditLog is the audit log buffer size; its default comes from the
	// package constant AuditLogBufferSize.
	AuditLog int

	// FileIO is the buffer size used for file reads and writes.
	FileIO int

	// Zip is the buffer size used for ZIP operations.
	Zip int
}
// TimeoutConfig holds timing intervals as duration strings.
//
// The defaults ("5s", "100ms", "24h") use Go's time.ParseDuration syntax;
// parsing and validation of these strings happen outside this file, so an
// unparseable value is not caught at construction time here — confirm the
// loader reports such errors.
type TimeoutConfig struct {
	// AuditFlush is the interval between audit log flushes (duration string).
	AuditFlush string

	// LockCheckRetry is the retry interval for file lock checks
	// (duration string).
	LockCheckRetry string

	// TempFileCleanup is the period of the temporary file cleanup
	// (duration string).
	TempFileCleanup string
}
// FeatureConfig holds the feature switches. DefaultConfig enables everything
// except FileLockCheck.
type FeatureConfig struct {
	// AuditLog enables the audit log.
	AuditLog bool

	// RecycleBin enables the recycle bin.
	RecycleBin bool

	// FileLockCheck enables file lock checking (default false, for
	// performance).
	FileLockCheck bool

	// HTTPFileServer enables the HTTP file server.
	HTTPFileServer bool

	// ZipExtraction enables ZIP extraction.
	ZipExtraction bool
}
// DefaultConfig returns the built-in default configuration.
//
// Every default value is defined here so it can be adjusted in one place.
// The returned *Config, and the slices and maps it holds, are freshly
// allocated on every call, so one caller's mutations never leak into
// another's.
func DefaultConfig() *Config {
	pathValidation := PathValidationConfig{
		AllowSymlinks:           false,
		AllowUNCPaths:           false,
		CheckWindowsSystemPaths: true,
		ForbiddenPaths:          getDefaultForbiddenPaths(),
		SensitivePaths:          getDefaultSensitivePaths(),
		MaxDepth:                0, // 0 = unlimited
	}

	// Delete restrictions are off by default so as not to be over-restrictive;
	// when they are switched on, exceeding a limit asks for confirmation
	// rather than refusing outright.
	deleteRestrictions := DeleteRestrictionsConfig{
		Enabled:        false,
		MaxFileSizeGB:  1.0,
		MaxDirSizeGB:   1.0,
		MaxDepth:       15,
		MaxFileCount:   1000,
		RequireConfirm: true,
		ForbiddenPaths: getDeleteForbiddenPaths(),
	}

	fileTypes := FileTypeConfig{
		AllowedExtensions:   getAllowedExtensions(),
		ForbiddenExtensions: getForbiddenExtensions(),
		MIMETypeMapping:     getMIMETypeMapping(),
		MaxFileSizeMap:      make(map[string]int64), // no per-type size limits by default
	}

	performance := PerformanceConfig{
		BufferSizes: BufferSizeConfig{
			AuditLog: AuditLogBufferSize,
			FileIO:   32 * 1024, // 32 KiB
			Zip:      64 * 1024, // 64 KiB
		},
		Timeouts: TimeoutConfig{
			AuditFlush:      "5s",
			LockCheckRetry:  "100ms",
			TempFileCleanup: "24h",
		},
	}

	// File lock checking is off by default for performance reasons.
	features := FeatureConfig{
		AuditLog:       true,
		RecycleBin:     true,
		FileLockCheck:  false,
		HTTPFileServer: true,
		ZipExtraction:  true,
	}

	cfg := &Config{
		Security: SecurityConfig{
			PathValidation:     pathValidation,
			DeleteRestrictions: deleteRestrictions,
			FileTypes:          fileTypes,
		},
		Performance: performance,
		Features:    features,
	}
	return cfg
}
// getDefaultForbiddenPaths returns the default list of paths that must not
// be accessed, selected by the host's path separator.
//
// On Windows the list names system directories on the C: drive only; it does
// not consult the SystemDrive environment variable, so an installation on
// another drive is not covered. On Unix-like hosts it covers the core system
// directories. In both cases this is a denylist: directories that are not
// listed (for example /lib, /usr/lib, /dev, /root or /var on Unix) remain
// accessible unless the caller extends the list.
func getDefaultForbiddenPaths() []string {
	if filepath.Separator != '\\' {
		// Unix-like hosts.
		return []string{
			"/bin",
			"/sbin",
			"/usr/bin",
			"/usr/sbin",
			"/etc",
			"/boot",
			"/sys",
			"/proc",
		}
	}

	// Windows hosts.
	return []string{
		`C:\Windows`,
		`C:\Program Files`,
		`C:\Program Files (x86)`,
		`C:\ProgramData`,
		`C:\System Volume Information`,
		`C:\Recovery`,
		`C:\Boot`,
	}
}
// getDefaultSensitivePaths returns the default list of sensitive paths.
//
// The entries are bare directory names rather than absolute paths, so they
// are presumably matched against individual path components by the caller
// (confirm at the use site). Each name is already a clean single path
// element, so passing it through filepath.Join would return it unchanged;
// the literals are returned directly.
func getDefaultSensitivePaths() []string {
	return []string{
		".ssh",         // SSH keys and known_hosts
		".gnupg",       // GnuPG keyring
		".config",      // user configuration
		"node_modules", // dependency tree
		".git",         // repository metadata
		".github",      // CI/workflow definitions
		".vscode",      // editor settings
		".idea",        // editor settings
	}
}
// getDeleteForbiddenPaths returns the default directory names that a delete
// operation must not remove.
//
// Unlike getDefaultForbiddenPaths these are bare names, not absolute paths,
// so they are presumably compared against path components by the caller
// (confirm at the use site). The list is a denylist of common project,
// build and data directories; anything not named here is deletable.
func getDeleteForbiddenPaths() []string {
	return []string{
		// Version control and tooling.
		"node_modules",
		".git",
		".github",
		".vscode",
		".idea",
		// Source and build output.
		"src",
		"dist",
		"build",
		"target",
		"bin",
		"obj",
		// Databases, data and backups.
		"database",
		"db",
		"data",
		"backup",
		"backups",
	}
}
// getAllowedExtensions returns the default allowlist of file extensions.
//
// Keys carry the leading dot and are lowercase; callers should normalize the
// extension before lookup. Note that ".svg", ".html" and ".js" are active
// content in a browser: when the HTTP file server (enabled by default) serves
// user-supplied files with the MIME types from getMIMETypeMapping, these
// types can execute script in the server's origin. Deployments that serve
// untrusted uploads should review whether to keep them on the allowlist.
func getAllowedExtensions() map[string]bool {
	groups := [][]string{
		// Images.
		{".jpg", ".jpeg", ".png", ".gif", ".bmp", ".svg", ".webp", ".ico"},
		// Video.
		{".mp4", ".webm", ".mov", ".avi", ".mkv"},
		// Audio.
		{".mp3", ".wav", ".ogg"},
		// Documents.
		{".pdf"},
		// Text.
		{".txt", ".md", ".json", ".xml", ".html", ".css", ".js"},
	}

	allowed := make(map[string]bool, 24)
	for _, group := range groups {
		for _, ext := range group {
			allowed[ext] = true
		}
	}
	return allowed
}
// getForbiddenExtensions returns the default denylist of file extensions:
// secrets and key material, configuration files, backup/temporary files and
// database files.
//
// Keys carry the leading dot and are lowercase only, so a lookup with an
// unnormalized extension such as ".PEM" or ".Env" would miss; callers are
// expected to lowercase first (confirm at the use site). As a denylist it
// does not cover files whose secrets live under other or no extensions.
func getForbiddenExtensions() map[string]bool {
	groups := [][]string{
		// Secrets, keys and certificates.
		{".env", ".key", ".pem", ".p12", ".pfx", ".der", ".csr", ".crt", ".cert", ".ssh", ".rsa", ".gpg", ".asc"},
		// Configuration.
		{".config", ".conf", ".ini", ".cfg", ".yaml", ".yml", ".toml"},
		// Backups, temporary and log files.
		{".bak", ".old", ".tmp", ".swp", ".swo", ".log"},
		// Databases.
		{".sql", ".db", ".sqlite", ".sqlite3", ".mdb", ".accdb"},
	}

	forbidden := make(map[string]bool, 32)
	for _, group := range groups {
		for _, ext := range group {
			forbidden[ext] = true
		}
	}
	return forbidden
}
// getMIMETypeMapping returns the default extension-to-MIME-type mapping.
//
// Keys match the allowlist in getAllowedExtensions, except that ".md" and
// ".xml" are allowed there but have no entry here, so serving them falls to
// whatever fallback the caller applies (confirm at the use site). ".html" is
// mapped to text/html and ".svg" to image/svg+xml, both of which browsers
// render as active content.
func getMIMETypeMapping() map[string]string {
	type entry struct {
		ext  string
		mime string
	}
	entries := []entry{
		// Images.
		{".jpg", "image/jpeg"},
		{".jpeg", "image/jpeg"},
		{".png", "image/png"},
		{".gif", "image/gif"},
		{".bmp", "image/bmp"},
		{".svg", "image/svg+xml"},
		{".webp", "image/webp"},
		{".ico", "image/x-icon"},
		// Video.
		{".mp4", "video/mp4"},
		{".webm", "video/webm"},
		{".mov", "video/quicktime"},
		{".avi", "video/x-msvideo"},
		{".mkv", "video/x-matroska"},
		// Audio.
		{".mp3", "audio/mpeg"},
		{".wav", "audio/wav"},
		{".ogg", "audio/ogg"},
		// Documents and text.
		{".pdf", "application/pdf"},
		{".txt", "text/plain; charset=utf-8"},
		{".html", "text/html; charset=utf-8"},
		{".css", "text/css"},
		{".js", "application/javascript"},
		{".json", "application/json"},
	}

	mapping := make(map[string]string, len(entries))
	for _, e := range entries {
		mapping[e.ext] = e.mime
	}
	return mapping
}