From 5dd5c3b31b294c1d2b7b4197701f6ff6be48312c Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Mon, 11 Sep 2023 17:38:00 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=88=86=E4=BA=AB=E6=94=B6=E8=97=8F?= =?UTF-8?q?=E6=8E=A5=E5=8F=A3sql-inject?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../controller/panel/api/ShareApi.java | 3 +--
 .../controller/panel/api/StoreApi.java | 6 +----
 .../controller/panel/server/ShareServer.java | 7 +++---
 .../controller/panel/server/StoreServer.java | 5 ++--
 .../io/dataease/ext/ExtPanelStoreMapper.java | 3 ++-
 .../io/dataease/ext/ExtPanelStoreMapper.xml | 24 +++++--------------
 .../dataease/service/panel/ShareService.java | 2 +-
 .../dataease/service/panel/StoreService.java | 18 +++----------
 8 files changed, 19 insertions(+), 49 deletions(-)
diff --git a/core/backend/src/main/java/io/dataease/controller/panel/api/ShareApi.java b/core/backend/src/main/java/io/dataease/controller/panel/api/ShareApi.java
index 95af14d0ae..04869d81c0 100644
--- a/core/backend/src/main/java/io/dataease/controller/panel/api/ShareApi.java
+++ b/core/backend/src/main/java/io/dataease/controller/panel/api/ShareApi.java
@@ -31,8 +31,7 @@ public interface ShareApi {
 @ApiOperation("查询分享给我")
 @PostMapping("/treeList")
- @SqlInjectValidator(value = {"s.create_time"})
- List treeList(BaseGridRequest request);
+ List treeList();
 @ApiOperation("查询我分享的")
 @PostMapping("/shareOut")
diff --git a/core/backend/src/main/java/io/dataease/controller/panel/api/StoreApi.java b/core/backend/src/main/java/io/dataease/controller/panel/api/StoreApi.java
index 5d63d3b88c..71e0930c36 100644
--- a/core/backend/src/main/java/io/dataease/controller/panel/api/StoreApi.java
+++ b/core/backend/src/main/java/io/dataease/controller/panel/api/StoreApi.java
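Review bot: `treeList()` gives no hint of why a POST query endpoint now takes no body, so the next maintainer is likely to put a `BaseGridRequest` parameter back; the dropped `@SqlInjectValidator(value = {"s.create_time"})` shows that the request's sort field was reaching generated SQL, and the fix chosen here is to stop accepting it at all. Suggest a comment above the method: `// No request body on purpose: client-supplied sort/filter names are not accepted here (they were spliced into ORDER BY); ordering is fixed server-side.` Callers that still post a grid body are not rejected, Spring simply ignores it, so the change is wire-compatible, and the `@ApiOperation` text could say the result is unsorted from the client's point of view. Whether the share mapper now hardcodes the creation-time ordering is not visible in this hunk.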
@@ -2,15 +2,12 @@ package io.dataease.controller.panel.api;
 import com.github.xiaoymin.knife4j.annotations.ApiSupport;
 import io.dataease.auth.annotation.DePermission;
-import io.dataease.auth.annotation.SqlInjectValidator;
 import io.dataease.commons.constants.DePermissionType;
-import io.dataease.controller.sys.base.BaseGridRequest;
 import io.dataease.dto.panel.PanelStoreDto;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import java.util.List;
@@ -32,8 +29,7 @@ public interface StoreApi {
 @ApiOperation("查询收藏")
 @PostMapping("/list")
- @SqlInjectValidator(value = {"s.create_time"})
- List list(@RequestBody BaseGridRequest request);
+ List list();
 @ApiOperation("移除收藏")
diff --git a/core/backend/src/main/java/io/dataease/controller/panel/server/ShareServer.java b/core/backend/src/main/java/io/dataease/controller/panel/server/ShareServer.java
index b4016c7cd4..40694d736c 100644
--- a/core/backend/src/main/java/io/dataease/controller/panel/server/ShareServer.java
+++ b/core/backend/src/main/java/io/dataease/controller/panel/server/ShareServer.java
@@ -1,14 +1,13 @@
 package io.dataease.controller.panel.server;
-import io.dataease.plugins.common.base.domain.PanelShare;
 import io.dataease.controller.panel.api.ShareApi;
 import io.dataease.controller.request.panel.PanelShareFineDto;
 import io.dataease.controller.request.panel.PanelShareRemoveRequest;
 import io.dataease.controller.request.panel.PanelShareSearchRequest;
-import io.dataease.controller.sys.base.BaseGridRequest;
 import io.dataease.dto.panel.PanelShareDto;
 import io.dataease.dto.panel.PanelShareOutDTO;
 import io.dataease.dto.panel.PanelSharePo;
+import io.dataease.plugins.common.base.domain.PanelShare;
 import io.dataease.service.panel.ShareService;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -24,8 +23,8 @@ public class ShareServer implements ShareApi {
 private ShareService shareService;
 @Override
- public List treeList(@RequestBody BaseGridRequest request) {
- return shareService.queryTree(request);
+ public List treeList() {
+ return shareService.queryTree();
 }
 @Override
diff --git a/core/backend/src/main/java/io/dataease/controller/panel/server/StoreServer.java b/core/backend/src/main/java/io/dataease/controller/panel/server/StoreServer.java
index 4ca86f0113..d42217d2d2 100644
--- a/core/backend/src/main/java/io/dataease/controller/panel/server/StoreServer.java
+++ b/core/backend/src/main/java/io/dataease/controller/panel/server/StoreServer.java
@@ -1,7 +1,6 @@
 package io.dataease.controller.panel.server;
 import io.dataease.controller.panel.api.StoreApi;
-import io.dataease.controller.sys.base.BaseGridRequest;
 import io.dataease.dto.panel.PanelStoreDto;
 import io.dataease.service.panel.StoreService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -21,8 +20,8 @@ public class StoreServer implements StoreApi {
 }
 @Override
- public List list(BaseGridRequest request) {
- return storeService.query(request);
+ public List list() {
+ return storeService.query();
 }
 @Override
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.java b/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.java
index 5022c822da..165d7e6fb6 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.java
+++ b/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.java
@@ -2,10 +2,11 @@ package io.dataease.ext;
 import io.dataease.ext.query.GridExample;
 import io.dataease.dto.panel.PanelStoreDto;
+import org.apache.ibatis.annotations.Param;
 import java.util.List;
 public interface ExtPanelStoreMapper {
- List query(GridExample example);
+ List query(@Param("uid") Long uid);
 }
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.xml b/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.xml
index 8e132af262..2bf4a6d9b7 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.xml
+++ b/core/backend/src/main/java/io/dataease/ext/ExtPanelStoreMapper.xml
@@ -2,7 +2,7 @@
-
+
@@ -10,26 +10,14 @@
-
-
-
-
-
diff --git a/core/backend/src/main/java/io/dataease/service/panel/ShareService.java b/core/backend/src/main/java/io/dataease/service/panel/ShareService.java
index 536f174528..a9b1901a55 100644
--- a/core/backend/src/main/java/io/dataease/service/panel/ShareService.java
+++ b/core/backend/src/main/java/io/dataease/service/panel/ShareService.java
@@ -338,7 +338,7 @@ public class ShareService {
 return extPanelShareMapper.queryOut(username);
 }
- public List queryTree(BaseGridRequest request) {
+ public List queryTree() {
 CurrentUserDto user = AuthUtils.getUser();
 Long userId = user.getUserId();
 Long deptId = user.getDeptId();
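Review bot: `import io.dataease.ext.query.GridExample;` on the context line of the ExtPanelStoreMapper.java hunk is now dead, because the only method that took a `GridExample` is replaced by `query(@Param("uid") Long uid)`; drop it. The new signature also needs a one-line contract so that no future caller passes a client-supplied id: `/** Favourites of one user; uid must come from the authenticated session, never from the request. */`. The mapper XML in this patch is not legible here, so confirm the statement binds the parameter as `#{uid}` (prepared parameter) rather than `${uid}` (string splice), and that the ORDER BY that previously came from the grid request, as the old `s.create_time` allow-list suggests, is now a literal column.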
diff --git a/core/backend/src/main/java/io/dataease/service/panel/StoreService.java b/core/backend/src/main/java/io/dataease/service/panel/StoreService.java
index af02b3a43f..48804116cb 100644
--- a/core/backend/src/main/java/io/dataease/service/panel/StoreService.java
+++ b/core/backend/src/main/java/io/dataease/service/panel/StoreService.java
@@ -1,18 +1,14 @@
 package io.dataease.service.panel;
-import io.dataease.ext.ExtPanelStoreMapper;
-import io.dataease.ext.query.GridExample;
 import io.dataease.commons.utils.AuthUtils;
-import io.dataease.controller.sys.base.BaseGridRequest;
-import io.dataease.controller.sys.base.ConditionEntity;
 import io.dataease.dto.panel.PanelStoreDto;
+import io.dataease.ext.ExtPanelStoreMapper;
 import io.dataease.plugins.common.base.domain.PanelStore;
 import io.dataease.plugins.common.base.domain.PanelStoreExample;
 import io.dataease.plugins.common.base.mapper.PanelStoreMapper;
 import org.springframework.stereotype.Service;
 import javax.annotation.Resource;
-import java.util.ArrayList;
 import java.util.List;
 @Service
@@ -40,17 +36,9 @@ public class StoreService {
 panelStoreMapper.deleteByExample(panelStoreExample);
 }
- public List query(BaseGridRequest request) {
+ public List query() {
 Long userId = AuthUtils.getUser().getUserId();
- ConditionEntity condition = new ConditionEntity();
- condition.setField("s.user_id");
- condition.setOperator("eq");
- condition.setValue(userId);
- request.setConditions(new ArrayList() {{
- add(condition);
- }});
- GridExample example = request.convertExample();
- return extPanelStoreMapper.query(example);
+ return extPanelStoreMapper.query(userId);
 }
 public Long count(String panelId) {
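Review bot: `query()` has no Javadoc stating the scoping contract this commit makes implicit: the old body built an explicit `s.user_id eq userId` condition at this layer, the new one relies entirely on the mapper to apply it from the `uid` parameter, and nothing here would notice a mapper that forgets the predicate. Suggest `/** Returns the current user's favourites only; the user id comes from AuthUtils, never from the client, and all filtering and ordering is fixed in ExtPanelStoreMapper.xml. */`. `AuthUtils.getUser().getUserId()` is unchanged from before, but if `getUser()` can return null outside an authenticated request this still turns into an NPE and a 500; presumably the auth filter guarantees a user on this path, confirm. Removing the `BaseGridRequest`/`GridExample` path, which carried client-chosen field names into the query, is the right shape for the fix.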