From 20d283a270f456bd7eeb506cd3d5f2264d4080dc Mon Sep 17 00:00:00 2001
From: Star
Date: Sun, 30 Nov 2025 23:03:03 +0800
Subject: [PATCH] update gojs
---
 db.go | 44 +++++++++++++++++++++++++++++++++++++-------
 go.mod | 33 ++++++++++++++++++++-------------
 2 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/db.go b/db.go
index 8da8c29..4d46c3a 100644
--- a/db.go
+++ b/db.go
@@ -2,9 +2,12 @@ package db
 import (
 _ "embed"
+ "strings"
 "apigo.cc/gojs"
 "apigo.cc/gojs/goja"
+ _ "github.com/go-sql-driver/mysql"
+ _ "github.com/jackc/pgx/v5/stdlib"
 "github.com/ssgo/dao/dao"
 "github.com/ssgo/db"
 "github.com/ssgo/log"
@@ -16,19 +19,32 @@ var dbTS string
 //go:embed README.md
 var dbMD string
-var defaultDB = "default"
+
+// var defaultDB = "default"
+// var defaultDBLock = sync.RWMutex{}
 func init() {
 obj := map[string]any{
 "get": func(argsIn goja.FunctionCall, vm *goja.Runtime) goja.Value {
 args := gojs.MakeArgs(&argsIn, vm).Check(1)
- conn := db.GetDB(args.Str(0), args.Logger)
+
+ // 检查sqlite文件访问是否超出沙盒 userPath
+ dsn := fixDsn(vm, args.Str(0))
+
+ conn := db.GetDB(dsn, args.Logger)
 return vm.ToValue(makeDBObject(conn, nil))
 },
 "setDefault": func(argsIn goja.FunctionCall, vm *goja.Runtime) goja.Value {
 args := gojs.MakeArgs(&argsIn, vm).Check(1)
- defaultDB = args.Str(0)
- conn := db.GetDB(defaultDB, args.Logger)
+
+ // 检查sqlite文件访问是否超出沙盒 userPath
+ dsn := fixDsn(vm, args.Str(0))
+
+ // defaultDBLock.Lock()
+ // defaultDB = dsn
+ // defaultDBLock.Unlock()
+
+ conn := db.GetDB(dsn, args.Logger)
 args.This.ToObject(vm).Set("conn", conn)
 return nil
 },
@@ -36,7 +52,7 @@ func init() {
 gojs.Register("apigo.cc/gojs/db", gojs.Module{
 ObjectMaker: func(vm *goja.Runtime) gojs.Map {
- conn := db.GetDB(defaultDB, gojs.GetLogger(vm))
+ conn := db.GetDB("default", gojs.GetLogger(vm))
 dbObj := makeDBObject(conn, nil)
 for k, v := range obj {
 dbObj[k] = v
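Review bot: The blank imports of the MySQL and pgx drivers at the top of db.go make network databases usable from this module, while the sandbox check this commit adds (fixDsn) only touches DSNs that start with `sqlite` and contain `://`. As far as the patch shows, a mysql or postgres DSN passed by a script to `get` or `setDefault` reaches db.GetDB unchanged, so a runtime confined by `userPath` can still open connections to any host the process can reach. If scripts are not fully trusted, restrict them to configured connection names or an allow-list of hosts, and record the limit next to the imports, e.g. `// Drivers are linked for script-supplied DSNs; only sqlite paths are confined by fixDsn.`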
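Review bot: `setDefault` no longer sets a default: the package variable is commented out and, in the @@ -36,7 hunk, ObjectMaker always opens `"default"`, so the call now only rebinds `conn` on the receiver object. Dropping the unsynchronised package-level variable looks like the right direction, but the commented-out `defaultDB` / `defaultDBLock` lines should be deleted rather than kept, and the new contract stated, e.g. `// setDefault rebinds this object's conn to dsn; new runtimes still start on "default".` The comment added above each `fixDsn` call says the sandbox check happens here, whereas the check lives in fixDsn and is skipped when `userPath` is empty; a shorter `// confine sqlite file paths to userPath (see fixDsn)` would be more accurate. init's body continues outside the hunk.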
@@ -52,6 +68,20 @@ func init() {
 })
 }
+func fixDsn(vm *goja.Runtime, dsn string) string {
+ // 检查sqlite文件访问是否超出沙盒 userPath
+ rootPath := u.String(vm.GetData("userPath"))
+ if rootPath != "" && strings.HasPrefix(dsn, "sqlite") && strings.Contains(dsn, "://") {
+ filename := strings.SplitN(dsn, "://", 2)[1]
+ filename = strings.SplitN(dsn, "?", 2)[0]
+ fixedFilename := gojs.FixPath(vm, filename)
+ if fixedFilename != filename {
+ dsn = strings.Replace(dsn, filename, fixedFilename, 1)
+ }
+ }
+ return dsn
+}
+
 func makeDBObject(conn *db.DB, tx *db.Tx) map[string]any {
 obj := map[string]any{
 "conn": conn,
@@ -218,7 +248,7 @@ func makeDBObject(conn *db.DB, tx *db.Tx) map[string]any {
 obj["make"] = func(argsIn goja.FunctionCall, vm *goja.Runtime) goja.Value {
 args, conn, _, logger := initDBArgs(argsIn, vm, 1)
 erDesc := args.Str(0)
- tryFile := gojs.FindPath(vm, erDesc)
+ tryFile := gojs.FixPath(vm, erDesc)
 if u.FileExists(tryFile) {
 erDesc = u.ReadFileN(tryFile)
 }
@@ -245,7 +275,7 @@ data t
 if dbType == "" {
 dbType = "mysql"
 }
- tryFile := gojs.FindPath(vm, erDesc)
+ tryFile := gojs.FixPath(vm, erDesc)
 if u.FileExists(tryFile) {
 erDesc = u.ReadFileN(tryFile)
 }
diff --git a/go.mod b/go.mod
index 51c0d4c..0da49e3 100644
--- a/go.mod
+++ b/go.mod
@@ -1,15 +1,17 @@
 module apigo.cc/gojs/db
-go 1.23.0
+go 1.24.0
 require (
- apigo.cc/gojs v0.0.17
- apigo.cc/gojs/console v0.0.2
- github.com/ssgo/dao v0.1.12
+ apigo.cc/gojs v0.0.28
+ apigo.cc/gojs/console v0.0.3
+ github.com/go-sql-driver/mysql v1.9.3
+ github.com/jackc/pgx/v5 v5.7.6
+ github.com/ssgo/dao v0.1.13
 github.com/ssgo/db v1.7.13
- github.com/ssgo/log v1.7.7
- github.com/ssgo/u v1.7.20
- modernc.org/sqlite v1.38.0
+ github.com/ssgo/log v1.7.9
+ github.com/ssgo/u v1.7.23
+ modernc.org/sqlite v1.40.1
 )
 require (
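Review bot: The second assignment in fixDsn reads from `dsn` instead of `filename`, so the scheme stripped on the previous line is put back and `gojs.FixPath` receives `sqlite://…` rather than the file path; the line should be `filename = strings.SplitN(filename, "?", 2)[0]`. With the current code the sandbox comparison runs on a string that is not the path SQLite will open, so depending on how FixPath treats it (not visible here) the DSN is either left unconfined or rewritten without its scheme. Two further gaps to close or document: the check is skipped entirely when `userPath` is empty, and `strings.HasPrefix(dsn, "sqlite")` together with the `://` requirement misses any other spelling of a SQLite DSN that db.GetDB may accept. A table-driven test covering a path outside `userPath`, a `..` segment and a DSN with a query string would pin the intended behaviour.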
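Review bot: `erDesc` serves both as inline ER text and as a file name: whatever the script passes is run through `gojs.FixPath` and, if a file exists at the result, replaced by that file's contents (the same pattern appears in the @@ -245,7 hunk). The switch from FindPath to FixPath presumably confines that read to the sandbox, but only if FixPath enforces it when `userPath` is unset, which fixDsn in this commit treats as optional; for a runtime meant to be sandboxed the read should fail closed. A comment would make the dual use explicit, e.g. `// erDesc may be a path inside userPath; if it names an existing file, its contents replace the inline text.` Both closures start and end outside their hunks.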
@@ -18,21 +20,26 @@ require (
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
 github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
- github.com/go-sql-driver/mysql v1.9.3 // indirect
- github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 // indirect
+ github.com/google/pprof v0.0.0-20250903194437-c28834ac2320 // indirect
 github.com/google/uuid v1.6.0 // indirect
+ github.com/jackc/pgpassfile v1.0.0 // indirect
+ github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+ github.com/jackc/puddle/v2 v2.2.2 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/ncruces/go-strftime v0.1.9 // indirect
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
- github.com/ssgo/config v1.7.9 // indirect
+ github.com/rogpeppe/go-internal v1.14.1 // indirect
+ github.com/ssgo/config v1.7.10 // indirect
 github.com/ssgo/standard v1.7.7 // indirect
 github.com/ssgo/tool v0.4.29 // indirect
+ golang.org/x/crypto v0.37.0 // indirect
 golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect
- golang.org/x/sys v0.34.0 // indirect
- golang.org/x/text v0.27.0 // indirect
+ golang.org/x/sync v0.18.0 // indirect
+ golang.org/x/sys v0.38.0 // indirect
+ golang.org/x/text v0.31.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- modernc.org/libc v1.66.3 // indirect
+ modernc.org/libc v1.66.10 // indirect
 modernc.org/mathutil v1.7.1 // indirect
 modernc.org/memory v1.11.0 // indirect
 )