⚡ 修复mybatis-plus排序字段的sql注入问题，优化saber代码生成模板

2019-06-26 09:45:14 +08:00 · 2019-06-26 09:45:14 +08:00 · eb9ddd1b7e
parent 1d6f118774
commit eb9ddd1b7e
3 changed files with 133 additions and 27 deletions
--- a/blade-core-develop/src/main/resources/templates/saber/crud.vue.vm
+++ b/blade-core-develop/src/main/resources/templates/saber/crud.vue.vm
@ -3,12 +3,12 @@
    <avue-crud :option="option"
               :data="data"
               :page="page"
-               @row-del="rowDel"
-               v-model="form"
               :permission="permissionList"
+               :before-open="beforeOpen"
+               v-model="form"
               @row-update="rowUpdate"
               @row-save="rowSave"
-               :before-open="beforeOpen"
+               @row-del="rowDel"
               @search-change="searchChange"
               @search-reset="searchReset"
               @selection-change="selectionChange"
@ -36,6 +36,7 @@
    data() {
      return {
        form: {},
+        query: {},
        page: {
          pageSize: 10,
          currentPage: 1,
@ -71,10 +72,10 @@
      ...mapGetters(["permission"]),
      permissionList() {
        return {
-          addBtn: this.vaildData(this.permission.$!{cfg.entityKey}_add),
-          viewBtn: this.vaildData(this.permission.$!{cfg.entityKey}_view),
-          delBtn: this.vaildData(this.permission.$!{cfg.entityKey}_delete),
-          editBtn: this.vaildData(this.permission.$!{cfg.entityKey}_edit)
+          addBtn: this.vaildData(this.permission.$!{cfg.entityKey}_add, false),
+          viewBtn: this.vaildData(this.permission.$!{cfg.entityKey}_view, false),
+          delBtn: this.vaildData(this.permission.$!{cfg.entityKey}_delete, false),
+          editBtn: this.vaildData(this.permission.$!{cfg.entityKey}_edit, false)
        };
      },
      ids() {
@ -129,15 +130,6 @@
            });
          });
      },
-      searchReset() {
-        this.onLoad(this.page);
-      },
-      searchChange(params) {
-        this.onLoad(this.page, params);
-      },
-      selectionChange(list) {
-        this.selectionList = list;
-      },
      handleDelete() {
        if (this.selectionList.length === 0) {
          this.$message.warning("请选择至少一条数据");
@ -168,6 +160,17 @@
        }
        done();
      },
+      searchReset() {
+        this.query = {};
+        this.onLoad(this.page);
+      },
+      searchChange(params) {
+        this.query = params;
+        this.onLoad(this.page, params);
+      },
+      selectionChange(list) {
+        this.selectionList = list;
+      },
      currentChange(currentPage){
        this.page.currentPage = currentPage;
      },
@ -175,7 +178,7 @@
        this.page.pageSize = pageSize;
      },
      onLoad(page, params = {}) {
-        getList(page.currentPage, page.pageSize, params).then(res => {
+        getList(page.currentPage, page.pageSize, Object.assign(params, this.query)).then(res => {
          const data = res.data.data;
          this.page.total = data.total;
          this.data = data.records;
--- a/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/Condition.java
+++ b/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/Condition.java
@ -20,7 +20,6 @@ import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import org.springblade.core.tool.utils.BeanUtil;
 import org.springblade.core.tool.utils.Func;
-import org.springblade.core.tool.utils.StringUtil;

 import java.util.Map;

@ -39,8 +38,8 @@ public class Condition {
 	 */
 	public static <T> IPage<T> getPage(Query query) {
 		Page<T> page = new Page<>(Func.toInt(query.getCurrent(), 1), Func.toInt(query.getSize(), 10));
-		page.setAsc(Func.toStrArray(query.getAscs()));
-		page.setDesc(Func.toStrArray(query.getDescs()));
+		page.setAsc(Func.toStrArray(SqlKeyword.filter(query.getAscs())));
+		page.setDesc(Func.toStrArray(SqlKeyword.filter(query.getDescs())));
 		return page;
 	}

@ -68,13 +67,7 @@ public class Condition {
 		query.remove("size");
 		QueryWrapper<T> qw = new QueryWrapper<>();
 		qw.setEntity(BeanUtil.newInstance(clazz));
-		if (Func.isNotEmpty(query)) {
-			query.forEach((k, v) -> {
-				if (Func.isNotEmpty(v)) {
-					qw.like(StringUtil.humpToUnderline(k), v);
-				}
-			});
-		}
+		SqlKeyword.buildCondition(query, qw);
 		return qw;
 	}

--- a/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
+++ b/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
@ -0,0 +1,110 @@
+/**
+ * Copyright (c) 2018-2028, Chill Zhuang 庄骞 (smallchill@163.com).
+ * <p>
+ * Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.gnu.org/licenses/lgpl.html
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springblade.core.mp.support;
+
+import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
+import org.springblade.core.tool.utils.Func;
+import org.springblade.core.tool.utils.StringPool;
+import org.springblade.core.tool.utils.StringUtil;
+
+import java.util.Map;
+
+/**
+ * 定义常用的 sql关键字
+ *
+ * @author Chill
+ */
+public class SqlKeyword {
+	private final static String SQL_REGEX = "'|%|--|insert|delete|update|select|count|group|union|create|drop|truncate|alter|grant|execute|exec|xp_cmdshell|call|declare|sql";
+
+	private static final String EQUAL = "_equal";
+	private static final String NOT_EQUAL = "_notequal";
+	private static final String LIKE = "_like";
+	private static final String NOT_LIKE = "_notlike";
+	private static final String GT = "_gt";
+	private static final String LT = "_lt";
+	private static final String DATE_GT = "_dategt";
+	private static final String DATE_EQUAL = "_dateequal";
+	private static final String DATE_LT = "_datelt";
+	private static final String IS_NULL = "_null";
+	private static final String NOT_NULL = "_notnull";
+	private static final String IGNORE = "_ignore";
+
+	/**
+	 * 条件构造器
+	 *
+	 * @param query 查询字段
+	 * @param qw    查询包装类
+	 */
+	public static void buildCondition(Map<String, Object> query, QueryWrapper<?> qw) {
+		if (Func.isEmpty(query)) {
+			return;
+		}
+		query.forEach((k, v) -> {
+			if (Func.hasEmpty(k, v) || k.endsWith(IGNORE)) {
+				return;
+			}
+			if (k.endsWith(EQUAL)) {
+				qw.eq(getColumn(k, EQUAL), v);
+			} else if (k.endsWith(NOT_EQUAL)) {
+				qw.ne(getColumn(k, NOT_EQUAL), v);
+			} else if (k.endsWith(NOT_LIKE)) {
+				qw.notLike(getColumn(k, NOT_LIKE), v);
+			} else if (k.endsWith(GT)) {
+				qw.gt(getColumn(k, GT), v);
+			} else if (k.endsWith(LT)) {
+				qw.lt(getColumn(k, LT), v);
+			} else if (k.endsWith(DATE_GT)) {
+				qw.gt(getColumn(k, DATE_GT), v);
+			} else if (k.endsWith(DATE_EQUAL)) {
+				qw.eq(getColumn(k, DATE_EQUAL), v);
+			} else if (k.endsWith(DATE_LT)) {
+				qw.lt(getColumn(k, DATE_LT), v);
+			} else if (k.endsWith(IS_NULL)) {
+				qw.isNull(getColumn(k, IS_NULL));
+			} else if (k.endsWith(NOT_NULL)) {
+				qw.isNotNull(getColumn(k, NOT_NULL));
+			} else {
+				qw.like(getColumn(k, LIKE), v);
+			}
+		});
+	}
+
+	/**
+	 * 获取数据库字段
+	 *
+	 * @param column  字段名
+	 * @param keyword 关键字
+	 * @return
+	 */
+	private static String getColumn(String column, String keyword) {
+		return StringUtil.humpToUnderline(StringUtil.removeSuffix(column, keyword));
+	}
+
+	/**
+	 * 把SQL关键字替换为空字符串
+	 *
+	 * @param param 关键字
+	 * @return string
+	 */
+	public static String filter(String param) {
+		if (param == null) {
+			return null;
+		}
+		return param.replaceAll("(?i)" + SQL_REGEX, StringPool.EMPTY);
+	}
+
+}