From 4da7495f91614cdffdb6927fb17c59752d51b51a Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Mon, 11 Sep 2023 10:03:22 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=8F=92=E4=BB=B6=E5=88=97=E8=A1=A8?= =?UTF-8?q?=E6=8E=A5=E5=8F=A3sql-inject?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../io/dataease/auth/aop/SqlInjectAop.java | 8 +++---
 .../controller/sys/SysPluginController.java | 3 ++-
 .../controller/sys/SysUserController.java | 17 ++++++------
 .../io/dataease/ext/ExtSysPluginMapper.java | 4 +--
 .../io/dataease/ext/ExtSysPluginMapper.xml | 13 +++-------
 .../io/dataease/ext/ExtSysRoleMapper.java | 4 +--
 .../java/io/dataease/ext/ExtSysRoleMapper.xml | 26 +++++++++++--------
 .../dataease/plugins/config/PluginRunner.java | 5 ++--
 .../dataease/service/sys/PluginService.java | 22 +++++++---------
 .../dataease/service/sys/SysRoleService.java | 9 +++----
 .../src/views/panel/grantAuth/role/index.vue | 6 ++---
 .../src/views/system/plugin/index.vue | 8 +----
 12 files changed, 56 insertions(+), 69 deletions(-)
diff --git a/core/backend/src/main/java/io/dataease/auth/aop/SqlInjectAop.java b/core/backend/src/main/java/io/dataease/auth/aop/SqlInjectAop.java
index a7737c4c3b..b675890c66 100644
--- a/core/backend/src/main/java/io/dataease/auth/aop/SqlInjectAop.java
+++ b/core/backend/src/main/java/io/dataease/auth/aop/SqlInjectAop.java
@@ -3,7 +3,7 @@ package io.dataease.auth.aop;
 import cn.hutool.core.util.ArrayUtil;
 import io.dataease.auth.annotation.SqlInjectValidator;
 import io.dataease.commons.exception.DEException;
-import io.dataease.controller.sys.base.BaseGridRequest;
+import io.dataease.plugins.common.request.KeywordRequest;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.aspectj.lang.ProceedingJoinPoint;
@@ -35,10 +35,10 @@ public class SqlInjectAop {
 if (args == null || args.length == 0) {
 return point.proceed();
 }
- BaseGridRequest request = null;
+ KeywordRequest request = null;
 for (int i = 0; i < args.length; i++) {
- if (args[i] instanceof BaseGridRequest) {
- request = (BaseGridRequest) args[i];
+ if (args[i] instanceof KeywordRequest) {
+ request = (KeywordRequest) args[i];
 break;
 }
 }
diff --git a/core/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java b/core/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
index d8e32122c4..618a8a2872 100644
--- a/core/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
+++ b/core/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
@@ -8,6 +8,7 @@ import io.dataease.commons.utils.PageUtils;
 import io.dataease.commons.utils.Pager;
 import io.dataease.controller.sys.base.BaseGridRequest;
 import io.dataease.plugins.common.base.domain.MyPlugin;
+import io.dataease.plugins.common.request.KeywordRequest;
 import io.dataease.service.sys.PluginService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
@@ -33,7 +34,7 @@ public class SysPluginController {
 @PostMapping("/pluginGrid/{goPage}/{pageSize}")
 @RequiresPermissions("plugin:read")
 @SqlInjectValidator(value = {"install_time"})
- public Pager> pluginGrid(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody BaseGridRequest request) {
+ public Pager> pluginGrid(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody KeywordRequest request) {
 Page page = PageHelper.startPage(goPage, pageSize, true);
 return PageUtils.setPageInfo(page, pluginService.query(request));
 }
diff --git a/core/backend/src/main/java/io/dataease/controller/sys/SysUserController.java b/core/backend/src/main/java/io/dataease/controller/sys/SysUserController.java
index 980a916ce0..c78623cece 100644
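Review bot: Narrowing the argument scan to `KeywordRequest` means any `@SqlInjectValidator`-annotated endpoint whose body is still a `BaseGridRequest` (or a subclass such as `UserGridRequest`, which SysUserController still imports in this patch) will be skipped by the aspect unless those types extend `KeywordRequest`, which this hunk does not show. When the loop finds nothing `request` stays null and, as far as the visible lines go, the aspect presumably proceeds without validating anything, so the annotation fails open. It would be safer to fail closed when the annotation is present but no validatable argument was found, e.g. `if (request == null) { throw new DEException(...); }` (DEException is already imported here), or at minimum log the miss. The enclosing method starts and ends outside this hunk.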
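Review bot: `@SqlInjectValidator(value = {"install_time"})` on `pluginGrid` is now vestigial: the companion change to ExtSysPluginMapper.xml in this patch replaces `order by ${orderByClause}` with a fixed `order by install_time desc`, so no caller-supplied column reaches SQL from this endpoint. Keeping an allow-list implies a dynamic sort that no longer exists; either drop the annotation or add `// ordering is fixed in ExtSysPluginMapper.xml; annotation kept only so the aspect still runs on this request`. A Javadoc line stating that only `keyword` (LIKE-matched against the plugin name) is honored from the request body would also help, since the swagger metadata describes a generic query condition.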
--- a/core/backend/src/main/java/io/dataease/controller/sys/SysUserController.java
+++ b/core/backend/src/main/java/io/dataease/controller/sys/SysUserController.java
@@ -14,12 +14,13 @@ import io.dataease.commons.constants.ResourceAuthLevel;
 import io.dataease.commons.constants.SysLogConstants;
 import io.dataease.commons.exception.DEException;
 import io.dataease.commons.utils.AuthUtils;
-import io.dataease.commons.utils.BeanUtils;
 import io.dataease.commons.utils.PageUtils;
 import io.dataease.commons.utils.Pager;
 import io.dataease.controller.response.ExistLdapUser;
-import io.dataease.controller.sys.base.BaseGridRequest;
-import io.dataease.controller.sys.request.*;
+import io.dataease.controller.sys.request.SysUserCreateRequest;
+import io.dataease.controller.sys.request.SysUserPwdRequest;
+import io.dataease.controller.sys.request.SysUserStateRequest;
+import io.dataease.controller.sys.request.UserGridRequest;
 import io.dataease.controller.sys.response.AuthBindDTO;
 import io.dataease.controller.sys.response.RoleUserItem;
 import io.dataease.controller.sys.response.SysUserGridResponse;
@@ -28,6 +29,7 @@ import io.dataease.i18n.Translator;
 import io.dataease.plugins.common.base.domain.SysRole;
 import io.dataease.plugins.common.base.domain.SysUser;
 import io.dataease.plugins.common.base.domain.SysUserAssist;
+import io.dataease.plugins.common.request.KeywordRequest;
 import io.dataease.service.sys.SysRoleService;
 import io.dataease.service.sys.SysUserService;
 import io.swagger.annotations.Api;
@@ -230,12 +232,11 @@ public class SysUserController {
 @ApiImplicitParam(paramType = "path", name = "pageSize", value = "页容量", required = true, dataType = "Integer"),
 @ApiImplicitParam(name = "request", value = "查询条件", required = true)
 })
- @SqlInjectValidator({"create_time", "update_time"})
- public Pager> roleGrid(@PathVariable int goPage, @PathVariable int pageSize,
- @RequestBody BaseGridRequest request) {
+ @SqlInjectValidator({"create_time"})
+ public Pager> roleGrid(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody KeywordRequest request) {
+
 Page page = PageHelper.startPage(goPage, pageSize, true);
- Pager> listPager = PageUtils.setPageInfo(page, sysRoleService.query(request));
- return listPager;
+ return PageUtils.setPageInfo(page, sysRoleService.query(request));
 }
 @ApiOperation("已同步用户")
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.java b/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.java
index 75dfd1f742..b1f988e2cb 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.java
+++ b/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.java
@@ -1,11 +1,11 @@
 package io.dataease.ext;
-import io.dataease.ext.query.GridExample;
 import io.dataease.plugins.common.base.domain.MyPlugin;
+import io.dataease.plugins.common.request.KeywordRequest;
 import java.util.List;
 public interface ExtSysPluginMapper {
- List query(GridExample example);
+ List query(KeywordRequest request);
 }
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.xml b/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.xml
index ded4d50e65..b1a64c027e 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.xml
+++ b/core/backend/src/main/java/io/dataease/ext/ExtSysPluginMapper.xml
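Review bot: `@SqlInjectValidator({"create_time"})` is now the only control between the caller's sort fields and the `${item}` interpolation in ExtSysRoleMapper.xml (changed in the same patch), so this allow-list and that mapper must stay in sync, and nothing at this site says so. A comment directly above the annotation would stop a later "widening" of the list without checking the SQL: `// allow-list for the raw-interpolated ORDER BY columns in ExtSysRoleMapper.xml; update_time is no longer accepted`. Whether the aspect rejects unlisted values or merely strips them is not visible in this hunk and should be confirmed. The swagger text 查询条件 is broader than what the backend honors, which from the mapper appears to be `keyword` (name LIKE) plus the sort column; the method's Javadoc should state that.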
@@ -3,18 +3,13 @@ - select * from my_plugin - - - - - order by ${orderByClause} - - - order by install_time desc + + where name like concat('%', #{keyword} , '%') + order by install_time desc
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.java b/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.java
index d5c88606e1..13d0af5798 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.java
+++ b/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.java
@@ -1,8 +1,8 @@
 package io.dataease.ext;
-import io.dataease.ext.query.GridExample;
 import io.dataease.controller.sys.response.RoleUserItem;
 import io.dataease.plugins.common.base.domain.SysRole;
+import io.dataease.plugins.common.request.KeywordRequest;
 import org.apache.ibatis.annotations.Param;
 import java.util.List;
@@ -12,7 +12,7 @@ import java.util.Map;
 public interface ExtSysRoleMapper {
- List query(GridExample example);
+ List query(KeywordRequest request);
 int deleteRoleMenu(@Param("roleId") Long roleId);
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.xml b/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.xml
index 2cf7a2040f..e46d2d57b5 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.xml
+++ b/core/backend/src/main/java/io/dataease/ext/ExtSysRoleMapper.xml
@@ -9,18 +9,22 @@ - + select r.* from sys_role r + + where name like concat('%', #{keyword} , '%') + + + order by + + ${item} + + + + order by create_time desc + +
diff --git a/core/backend/src/main/java/io/dataease/plugins/config/PluginRunner.java b/core/backend/src/main/java/io/dataease/plugins/config/PluginRunner.java
index 6fa4b9267c..55eec47740 100644
--- a/core/backend/src/main/java/io/dataease/plugins/config/PluginRunner.java
+++ b/core/backend/src/main/java/io/dataease/plugins/config/PluginRunner.java
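Review bot: The new `where name like concat('%', #{keyword} , '%')` binds the keyword as a parameter, which is the right fix, but the element guarding it is stripped in this rendering, so it is not visible whether the filter is skipped when `keyword` is null or blank. That matters because `PluginRunner.run` and `PluginService.pluginExist` (both in this patch) call this query with an empty `KeywordRequest` and expect every plugin row back; in MySQL `concat('%', NULL, '%')` is NULL and `LIKE NULL` matches nothing, which would make startup plugin loading silently return no plugins. Please confirm an `<if test="keyword != null and keyword != ''">` guard wraps the where clause. Separately, `%` and `_` inside `keyword` are not escaped and act as wildcards; acceptable for a search box, but worth a one-line comment on the select so nobody later treats the keyword as an exact match.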
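Review bot: `${item}` in the `order by` foreach is still raw string interpolation, so this mapper is only as safe as the `@SqlInjectValidator` allow-list on the one controller that feeds it; any new caller of `ExtSysRoleMapper.query` that bypasses the aspect (a service, a scheduled job, a plugin) reintroduces exactly the injection this commit is fixing. As defense in depth, add a comment on the foreach stating that items must already be validated against `create_time` upstream, and consider a mapper-side guard such as an `<if test="item == 'create_time'">` around `${item}` so the XML is safe regardless of caller. The `#{keyword}` binding is fine; the same unescaped `%`/`_` wildcard caveat as the plugin mapper applies.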
@@ -1,8 +1,8 @@
 package io.dataease.plugins.config;
 import io.dataease.commons.utils.LogUtil;
-import io.dataease.controller.sys.base.BaseGridRequest;
 import io.dataease.plugins.common.base.domain.MyPlugin;
+import io.dataease.plugins.common.request.KeywordRequest;
 import io.dataease.service.sys.PluginService;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.ObjectUtils;
@@ -37,11 +37,10 @@ public class PluginRunner implements ApplicationRunner {
 }
- @Override
 public void run(ApplicationArguments args) {
 // 执行加载插件逻辑
- BaseGridRequest request = new BaseGridRequest();
+ KeywordRequest request = new KeywordRequest();
 List plugins = pluginService.query(request);
 if (CollectionUtils.isEmpty(plugins)) return;
 Map> groupMap = plugins.stream().collect(Collectors.groupingBy(this::isDiscard));
diff --git a/core/backend/src/main/java/io/dataease/service/sys/PluginService.java b/core/backend/src/main/java/io/dataease/service/sys/PluginService.java
index 2f22d0d619..a27d41eef5 100644
--- a/core/backend/src/main/java/io/dataease/service/sys/PluginService.java
+++ b/core/backend/src/main/java/io/dataease/service/sys/PluginService.java
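Review bot: The hunk drops `@Override` from `run(ApplicationArguments args)`, which implements `ApplicationRunner.run`; that annotation is what makes the compiler catch a signature drift against the interface, and nothing in the change requires removing it, so it should be restored as `@Override` directly above `public void run(ApplicationArguments args) {`. The new `new KeywordRequest()` with no keyword is relied on to return every installed plugin, a contract that now lives in ExtSysPluginMapper.xml; make it explicit with `// empty request: no name filter, must return every installed plugin` so a later change to the mapper's empty-keyword handling is caught here. The method body continues past the end of the hunk.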
@@ -3,20 +3,19 @@ package io.dataease.service.sys;
 import cn.hutool.core.io.FileUtil;
 import cn.hutool.core.util.ZipUtil;
 import com.google.gson.Gson;
-import io.dataease.commons.utils.IPUtils;
-import io.dataease.dto.MyPluginDTO;
-import io.dataease.ext.ExtSysPluginMapper;
-import io.dataease.ext.query.GridExample;
 import io.dataease.commons.constants.AuthConstants;
 import io.dataease.commons.exception.DEException;
 import io.dataease.commons.utils.CodingUtil;
 import io.dataease.commons.utils.DeFileUtils;
+import io.dataease.commons.utils.IPUtils;
 import io.dataease.commons.utils.LogUtil;
-import io.dataease.controller.sys.base.BaseGridRequest;
+import io.dataease.dto.MyPluginDTO;
+import io.dataease.ext.ExtSysPluginMapper;
 import io.dataease.i18n.Translator;
 import io.dataease.listener.util.CacheUtils;
 import io.dataease.plugins.common.base.domain.MyPlugin;
 import io.dataease.plugins.common.base.mapper.MyPluginMapper;
+import io.dataease.plugins.common.request.KeywordRequest;
 import io.dataease.plugins.config.LoadjarUtil;
 import io.dataease.plugins.entity.PluginOperate;
 import io.dataease.service.datasource.DatasourceService;
@@ -65,9 +64,8 @@ public class PluginService {
 private String version;
- public List query(BaseGridRequest request) {
- GridExample gridExample = request.convertExample();
- return extSysPluginMapper.query(gridExample);
+ public List query(KeywordRequest request) {
+ return extSysPluginMapper.query(request);
 }
 /**
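Review bot: `query(KeywordRequest)` is public and has no Javadoc, and because it is reachable without the controller's `@SqlInjectValidator` aspect its contract should be written down so a future edit to the mapper XML does not quietly reopen the hole this commit closes. Something like `/** Plugins whose name contains the request keyword; ordering is fixed to install_time desc in ExtSysPluginMapper.xml, so no sort field from the request reaches SQL. */` captures what the patch currently guarantees. The behavior for a null or empty keyword (expected by PluginRunner to mean "all plugins") is decided in the mapper, not here, and should be stated once confirmed.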
@@ -207,11 +205,9 @@ public class PluginService {
 * @return
 */
 public boolean pluginExist(MyPlugin myPlugin) {
- GridExample gridExample = new GridExample();
- List plugins = extSysPluginMapper.query(gridExample);
- return plugins.stream().anyMatch(plugin -> {
- return StringUtils.equals(myPlugin.getName(), plugin.getName()) || StringUtils.equals(myPlugin.getModuleName(), plugin.getModuleName());
- });
+ KeywordRequest request = new KeywordRequest();
+ List plugins = extSysPluginMapper.query(request);
+ return plugins.stream().anyMatch(plugin -> StringUtils.equals(myPlugin.getName(), plugin.getName()) || StringUtils.equals(myPlugin.getModuleName(), plugin.getModuleName()));
 }
 /**
diff --git a/core/backend/src/main/java/io/dataease/service/sys/SysRoleService.java b/core/backend/src/main/java/io/dataease/service/sys/SysRoleService.java
index b7bc06cd69..a2db9a370d 100644
--- a/core/backend/src/main/java/io/dataease/service/sys/SysRoleService.java
+++ b/core/backend/src/main/java/io/dataease/service/sys/SysRoleService.java
@@ -1,10 +1,10 @@
 package io.dataease.service.sys;
-import io.dataease.ext.ExtSysRoleMapper;
-import io.dataease.controller.sys.base.BaseGridRequest;
 import io.dataease.controller.sys.response.RoleUserItem;
+import io.dataease.ext.ExtSysRoleMapper;
 import io.dataease.plugins.common.base.domain.SysRole;
+import io.dataease.plugins.common.request.KeywordRequest;
 import org.springframework.stereotype.Service;
 import javax.annotation.Resource;
@@ -16,10 +16,9 @@ public class SysRoleService {
 @Resource
 private ExtSysRoleMapper extSysRoleMapper;
- public List query(BaseGridRequest request) {
- List result = extSysRoleMapper.query(request.convertExample());
+ public List query(KeywordRequest request) {
- return result;
+ return extSysRoleMapper.query(request);
 }
 public List allRoles() {
diff --git a/core/frontend/src/views/panel/grantAuth/role/index.vue b/core/frontend/src/views/panel/grantAuth/role/index.vue
index 7b79785240..fb99b10946 100644
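Review bot: `pluginExist` still loads every `my_plugin` row just to test two string equalities, and its correctness now depends on an empty `KeywordRequest` meaning "no name filter" in the mapper; if that guard is missing, the list is empty, this method always returns false and duplicate installs are allowed, which is a silent failure rather than an error. The exact-match-on-name-or-module check is better served by a dedicated count/exists query on `(name, module_name)`, which would also remove the dependency on the empty-keyword behavior. At minimum document it: `// empty request = no name filter; the duplicate check is only meaningful if every row comes back`.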
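Review bot: `SysRoleService.query` hands the request straight to `ExtSysRoleMapper.query`, whose `order by` still uses `${item}` interpolation (see the XML hunk in this patch), but the check that makes that safe lives in the controller's `@SqlInjectValidator` aspect, not here, so any other caller of this public service method is unprotected. A service-level allow-list is cheap defense in depth: reject any sort field on the request that is not in `Set.of("create_time")` before calling the mapper (the request's accessor for those fields is not visible in this diff, so I have not written the exact line). Also add a Javadoc stating that sort fields are interpolated raw downstream and must be validated, so the next maintainer does not assume the mapper is parameterized throughout.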
--- a/core/frontend/src/views/panel/grantAuth/role/index.vue
+++ b/core/frontend/src/views/panel/grantAuth/role/index.vue
@@ -28,7 +28,6 @@