From 7fa8c53718a72b05c1258b26c1a9e02d13cc28fe Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Mon, 11 Sep 2023 13:45:11 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=97=A5=E5=BF=97=E5=88=97=E8=A1=A8?=
 =?UTF-8?q?=E6=8E=A5=E5=8F=A3sql-inject?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../controller/sys/SysLogController.java | 7 +-
 .../sys/request/LogGridRequest.java | 16 +++
 .../java/io/dataease/ext/ExtSysLogMapper.java | 5 +-
 .../java/io/dataease/ext/ExtSysLogMapper.xml | 114 ++++++++--------
 .../dataease/service/sys/log/LogService.java | 124 ++---------------
 .../src/views/system/log/FilterUser.vue | 6 +-
 core/frontend/src/views/system/log/index.vue | 20 +--
 7 files changed, 102 insertions(+), 190 deletions(-)
 create mode 100644 core/backend/src/main/java/io/dataease/controller/sys/request/LogGridRequest.java
diff --git a/core/backend/src/main/java/io/dataease/controller/sys/SysLogController.java b/core/backend/src/main/java/io/dataease/controller/sys/SysLogController.java
index 5c58bcb57c..69498b8505 100644
--- a/core/backend/src/main/java/io/dataease/controller/sys/SysLogController.java
+++ b/core/backend/src/main/java/io/dataease/controller/sys/SysLogController.java
@@ -7,7 +7,7 @@ import io.dataease.auth.annotation.SqlInjectValidator;
 import io.dataease.commons.utils.PageUtils;
 import io.dataease.commons.utils.Pager;
 import io.dataease.controller.handler.annotation.I18n;
-import io.dataease.controller.sys.request.KeyGridRequest;
+import io.dataease.controller.sys.request.LogGridRequest;
 import io.dataease.dto.SysLogGridDTO;
 import io.dataease.dto.log.FolderItem;
 import io.dataease.service.sys.log.LogService;
@@ -39,8 +39,7 @@ public class SysLogController {
 })
 @SqlInjectValidator(value = {"time"})
 public Pager> logGrid(@PathVariable int goPage, @PathVariable int pageSize,
- @RequestBody KeyGridRequest request) {
- request = logService.logRetentionProxy(request);
+ @RequestBody LogGridRequest request) {
 Page page = PageHelper.startPage(goPage, pageSize, true);
 return PageUtils.setPageInfo(page, logService.query(request));
 }
@@ -54,7 +53,7 @@ public class SysLogController {
 @ApiOperation("导出操作日志")
 @PostMapping("/export")
 @ApiImplicitParam(name = "request", value = "查询条件", required = true)
- public void export(@RequestBody KeyGridRequest request) throws Exception {
+ public void export(@RequestBody LogGridRequest request) throws Exception {
 logService.exportExcel(request);
 }
 }
diff --git a/core/backend/src/main/java/io/dataease/controller/sys/request/LogGridRequest.java b/core/backend/src/main/java/io/dataease/controller/sys/request/LogGridRequest.java
new file mode 100644
index 0000000000..f8ff7f532d
--- /dev/null
+++ b/core/backend/src/main/java/io/dataease/controller/sys/request/LogGridRequest.java
@@ -0,0 +1,16 @@
+package io.dataease.controller.sys.request;
+
+import io.dataease.plugins.common.request.KeywordRequest;
+import lombok.Data;
+
+import java.util.List;
+
+@Data
+public class LogGridRequest extends KeywordRequest {
+
+ private List optypeList;
+
+ private List userIdList;
+
+ private Long[] timeList;
+}
diff --git a/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.java b/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.java
index e8cccd646c..56a44c1788 100644
--- a/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.java
+++ b/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.java
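Review bot: Dropping `request = logService.logRetentionProxy(request);` removes the server-side clamp that bounded the queried window to the configured log retention: the deleted `logRetentionProxy` (LogService hunk `@@ -95,100 +95,10 @@`) derived a start time from `ParamConstants.BASIC.LOG_TIME_OUT` and raised the caller's lower bound to it, whereas `LogGridRequest.timeList` now reaches the mapper unchanged and, when absent, presumably yields no time predicate at all. Unless retention is enforced elsewhere, both this endpoint and `export` in the next hunk (via `exportExcel`) can now return rows older than the retention window; re-applying the clamp on `request.getTimeList()` in `LogService.query` and `exportExcel` before the mapper call would restore the bound. The retained `@SqlInjectValidator(value = {"time"})` names a condition field that no longer exists on the new request type (the frontend now sends `timeList`), so its value should be revisited once what the aspect actually checks is confirmed. The `logGrid` body lies fully within the hunk.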
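Review bot: `LogGridRequest` carries no Javadoc and no constraint on `timeList`, yet the mapper dereferences it as `#{timeList.[0]}` and `#{timeList.[1]}`, so a request whose array has a single element would pass a plain non-empty guard and fail inside MyBatis at execution time. A check in the service before the mapper call, `if (request.getTimeList() != null && request.getTimeList().length != 2) throw new IllegalArgumentException("timeList must be [start, end]");`, rejects such input up front instead. Suggested class Javadoc: `/** Filter for the operation-log grid: optypeList holds "operateType-sourceType" pairs, userIdList the acting user ids, timeList a [start, end] pair (epoch millis, judging by the frontend); keyword and ordering are inherited from KeywordRequest. */`.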
@@ -1,16 +1,15 @@ package io.dataease.ext; +import io.dataease.controller.sys.request.LogGridRequest; import io.dataease.dto.log.FolderItem; -import io.dataease.ext.query.GridExample; import io.dataease.plugins.common.base.domain.SysLogWithBLOBs; -import io.dataease.service.sys.log.LogQueryParam; import org.apache.ibatis.annotations.Param; import java.util.List; public interface ExtSysLogMapper { - List query(LogQueryParam example); + List query(LogGridRequest request); List idAndName(@Param("ids") List ids, @Param("type") Integer type); } diff --git a/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.xml b/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.xml index edc5b01233..f3c7d7e02d 100644 --- a/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.xml +++ b/core/backend/src/main/java/io/dataease/ext/ExtSysLogMapper.xml @@ -3,51 +3,59 @@ - - - - - select * from - (select * from sys_log where 1 = 1 - - and - ( - nick_name like concat('%', #{extendCondition} , '%') - or - source_name like concat('%', #{extendCondition} , '%') - or - position like concat('%', #{extendCondition} , '%') - - or - concat(operate_type, '-', source_type) in - - #{id} - - - ) - - ) t + (select * from sys_log where 1 = 1 + + and + ( + nick_name like concat('%', #{keyword} , '%') + or + source_name like concat('%', #{keyword} , '%') + or + position like concat('%', #{keyword} , '%') + ) + + ) t + where 1 = 1 + + and concat(operate_type, '-', source_type) in + + #{operate} + + + + and user_id in + + #{userId} + + + + and (time between #{timeList.[0]} and #{timeList.[1]}) + - - - - - order by ${orderByClause} - - - order by time desc - + + + order by + + ${item} + + + + order by time desc + + - select id, name from datasource - id in + id in #{id} 
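Review bot: The rewritten select still emits its sort clause as `order by ${item}`, so the ordering values are spliced into the SQL as text while the filter predicates were moved to bound parameters (`#{keyword}`, `#{operate}`, `#{userId}`, `#{timeList.[0]}`); the injection this commit targets is therefore only partly closed, and whatever `@SqlInjectValidator(value = {"time"})` checks on `logGrid`, the `export` endpoint carries no such annotation although `index.vue` sets `param.orders = formatOrders(this.orderConditions)` for both calls. Replace the loop around `${item}` with a `<choose>` that maps each permitted sort key to a literal column and direction, or validate the ordering entries against a fixed list of `sys_log` column names in `LogService` on both paths before calling the mapper. The `<if>`/`<foreach>` elements of this hunk appear to have been stripped from the page, so the guards around `timeList` and the keyword branch cannot be reviewed here.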
@@ -57,23 +65,23 @@ id, name from ( - select id, name from dataset_group - - id in - - #{id} - - + select id, name from dataset_group + + id in + + #{id} + + - union all + union all - select id, name from dataset_table - - id in - - #{id} - - + select id, name from dataset_table + + id in + + #{id} + + ) dataset @@ -175,9 +183,9 @@ menu_id as id ,title as name from ( - select menu_id, title from sys_menu - union all - select menu_id, title from plugin_sys_menu + select menu_id, title from sys_menu + union all + select menu_id, title from plugin_sys_menu ) plugin_union menu_id in diff --git a/core/backend/src/main/java/io/dataease/service/sys/log/LogService.java b/core/backend/src/main/java/io/dataease/service/sys/log/LogService.java index be27c7a28f..c0a74e7ce1 100644 --- a/core/backend/src/main/java/io/dataease/service/sys/log/LogService.java +++ b/core/backend/src/main/java/io/dataease/service/sys/log/LogService.java @@ -2,7 +2,6 @@ package io.dataease.service.sys.log; import cn.hutool.core.date.DateUtil; - import com.google.gson.Gson; import io.dataease.auth.api.dto.CurrentUserDto; import io.dataease.commons.constants.ParamConstants; @@ -11,14 +10,12 @@ import io.dataease.commons.utils.AuthUtils; import io.dataease.commons.utils.BeanUtils; import io.dataease.commons.utils.IPUtils; import io.dataease.commons.utils.ServletUtils; -import io.dataease.controller.sys.base.ConditionEntity; -import io.dataease.controller.sys.request.KeyGridRequest; +import io.dataease.controller.sys.request.LogGridRequest; import io.dataease.dto.SysLogDTO; import io.dataease.dto.SysLogGridDTO; import io.dataease.dto.log.FolderItem; import io.dataease.exception.DataEaseException; import io.dataease.ext.ExtSysLogMapper; -import io.dataease.ext.query.GridExample; import io.dataease.i18n.Translator; import io.dataease.plugins.common.base.domain.SysLogExample; import io.dataease.plugins.common.base.domain.SysLogWithBLOBs; 
@@ -35,7 +32,10 @@ import javax.annotation.Resource; import javax.servlet.http.HttpServletResponse; import java.io.OutputStream; import java.net.URLEncoder; -import java.util.*; +import java.util.ArrayList; +import java.util.Calendar; +import java.util.Date; +import java.util.List; import java.util.stream.Collectors; @Service 
@@ -95,100 +95,10 @@ public class LogService { } - public KeyGridRequest logRetentionProxy(KeyGridRequest request) { - String value = systemParameterService.getValue(ParamConstants.BASIC.LOG_TIME_OUT.getValue()); - value = StringUtils.isBlank(value) ? LOG_RETENTION : value; - int logRetention = Integer.parseInt(value); - Calendar instance = Calendar.getInstance(); + public List query(LogGridRequest request) { - Calendar startInstance = (Calendar) instance.clone(); - startInstance.add(Calendar.DATE, -logRetention); - startInstance.set(Calendar.HOUR_OF_DAY, 0); - startInstance.set(Calendar.MINUTE, 0); - startInstance.set(Calendar.SECOND, 0); - long startTime = startInstance.getTimeInMillis(); - - Calendar endInstance = (Calendar) instance.clone(); - endInstance.add(Calendar.DATE, 1); - endInstance.set(Calendar.HOUR_OF_DAY, 0); - endInstance.set(Calendar.MINUTE, 0); - endInstance.set(Calendar.SECOND, 0); - long endTime = endInstance.getTimeInMillis(); - - - List conditions = request.getConditions(); - if (CollectionUtils.isNotEmpty(conditions) && conditions.stream().anyMatch(condition -> StringUtils.equals("time", condition.getField()))) { - conditions.forEach(condition -> { - if (StringUtils.equals("time", condition.getField()) && startTime > ((List) condition.getValue()).get(0)) { - ((List) condition.getValue()).set(0, startTime); - } - }); - } else { - ConditionEntity conditionEntity = new ConditionEntity(); - conditionEntity.setField("time"); - conditionEntity.setOperator("between"); - List times = new ArrayList<>(); - times.add(startTime); - times.add(endTime); - conditionEntity.setValue(times); - conditions.add(conditionEntity); - } - return request; - } - - - public List query(KeyGridRequest request) { - - - request = detailRequest(request); - String keyWord = request.getKeyWord(); - List ids = null; - GridExample gridExample = request.convertExample(); - gridExample.setExtendCondition(keyWord); - - LogQueryParam logQueryParam = 
gson.fromJson(gson.toJson(gridExample), LogQueryParam.class); - if (StringUtils.isNotBlank(keyWord)) { - List types = types(); - ids = types.stream().filter(item -> item.getName().toLowerCase().contains(keyWord.toLowerCase())).map(FolderItem::getId).collect(Collectors.toList()); - if (CollectionUtils.isNotEmpty(ids)) - logQueryParam.setUnionIds(ids); - } - List voLogs = extSysLogMapper.query(logQueryParam); - List dtos = voLogs.stream().map(this::convertDTO).collect(Collectors.toList()); - return dtos; - } - - private KeyGridRequest detailRequest(KeyGridRequest request) { - List conditions = request.getConditions(); - if (CollectionUtils.isNotEmpty(conditions)) { - - ConditionEntity uninCondition = null; - int matchIndex = -1; - for (int i = 0; i < conditions.size(); i++) { - ConditionEntity conditionEntity = conditions.get(i); - String field = conditionEntity.getField(); - Object value = conditionEntity.getValue(); - - if (StringUtils.isNotBlank(field) && StringUtils.equals("optype", field) && ObjectUtils.isNotEmpty(value)) { - matchIndex = i; - uninCondition = new ConditionEntity(); - - List values = (List) value; - uninCondition.setField("concat(operate_type, '-de-', source_type)"); - - List uninValue = values.stream().map(v -> v.replace("-", "-de-")).collect(Collectors.toList()); - - uninCondition.setValue(uninValue); - uninCondition.setOperator(conditionEntity.getOperator()); - } - } - if (matchIndex >= 0) { - conditions.remove(matchIndex); - - if (ObjectUtils.isNotEmpty(uninCondition)) conditions.add(uninCondition); - } - } - return request; + List voLogs = extSysLogMapper.query(request); + return voLogs.stream().map(this::convertDTO).collect(Collectors.toList()); } 
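Review bot: The new `query` drops the keyword lookup over `types()` that the deleted code performed (collecting `FolderItem` ids whose name contains the keyword and passing them as `unionIds`), and the rewritten XML keyword branch now matches only `nick_name`, `source_name` and `position`, so searching the log list by an operation or source type name silently stops matching; `exportExcel` at `@@ -350,24 +260,12 @@` loses the same lookup. If that is intended the commit message should say so; otherwise resolve the matching type ids in `query` and carry them to the mapper before `extSysLogMapper.query(request)`, which would need a field on `LogGridRequest` and a matching branch in the XML. With `logRetentionProxy` and `detailRequest` gone, `gson`, `systemParameterService`, `LOG_RETENTION` and the `Calendar`/`ArrayList` imports kept in the import hunk may now be unused — the rest of the class is outside this hunk, so that is inferred. A short Javadoc on the new method would state the contract: `/** Lists operation logs matching the request's keyword, type, user and time filters; no retention window is applied here. */`.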
@@ -350,24 +260,12 @@ public class LogService { } - public void exportExcel(KeyGridRequest request) throws Exception { - request = logRetentionProxy(request); - request = detailRequest(request); - String keyWord = request.getKeyWord(); - List ids = null; + public void exportExcel(LogGridRequest request) throws Exception { + HttpServletResponse response = ServletUtils.response(); OutputStream outputStream = response.getOutputStream(); try { - GridExample gridExample = request.convertExample(); - gridExample.setExtendCondition(keyWord); - LogQueryParam logQueryParam = gson.fromJson(gson.toJson(gridExample), LogQueryParam.class); - if (StringUtils.isNotBlank(keyWord)) { - List types = types(); - ids = types.stream().filter(item -> item.getName().toLowerCase().contains(keyWord.toLowerCase())).map(FolderItem::getId).collect(Collectors.toList()); - if (CollectionUtils.isNotEmpty(ids)) - logQueryParam.setUnionIds(ids); - } - List lists = extSysLogMapper.query(logQueryParam); + List lists = extSysLogMapper.query(request); List details = lists.stream().map(item -> { String operateTypeName = SysLogConstants.operateTypeName(item.getOperateType()); String sourceTypeName = SysLogConstants.sourceTypeName(item.getSourceType()); diff --git a/core/frontend/src/views/system/log/FilterUser.vue b/core/frontend/src/views/system/log/FilterUser.vue index 717ef34cd5..ec23b1f72e 100644 --- a/core/frontend/src/views/system/log/FilterUser.vue +++ b/core/frontend/src/views/system/log/FilterUser.vue @@ -208,8 +208,8 @@ export default { }, formatCondition() { const fildMap = { - optype: this.activeType, - 'user_id': this.activeUser + optypeList: this.activeType, + userIdList: this.activeUser } const conditions = [] Object.keys(fildMap).forEach((ele) => { @@ -228,7 +228,7 @@ export default { max = +max + 24 * 3600 * 1000 } conditions.push({ - field: 'time', + field: 'timeList', operator: 'between', value: [+min, +max] }) 
diff --git a/core/frontend/src/views/system/log/index.vue b/core/frontend/src/views/system/log/index.vue index 9e8c371962..3a060da212 100644 --- a/core/frontend/src/views/system/log/index.vue +++ b/core/frontend/src/views/system/log/index.vue @@ -146,6 +146,7 @@ import GridTable from '@/components/gridTable/index.vue' import filterUser from './FilterUser' import _ from 'lodash' import keyEnter from '@/components/msgCfm/keyEnter.js' +import { buildParam } from '@/utils/GridConditionUtil' import { addOrder, formatOrders @@ -197,13 +198,8 @@ export default { }) }, exportData() { - const param = { - orders: formatOrders(this.orderConditions), - conditions: [...this.cacheCondition] - } - if (this.nickName) { - param.keyWord = this.nickName - } + const param = buildParam(this.cacheCondition, this.nickName) + param.orders = formatOrders(this.orderConditions) exportExcel(param).then((res) => { const blob = new Blob([res], { type: 'application/vnd.ms-excel' }) @@ -289,13 +285,9 @@ export default { this.$refs.filterUser.init() }, search() { - const param = { - orders: formatOrders(this.orderConditions), - conditions: [...this.cacheCondition] - } - if (this.nickName) { - param.keyWord = this.nickName - } + const param = buildParam(this.cacheCondition, this.nickName) + param.orders = formatOrders(this.orderConditions) + const { currentPage, pageSize } = this.paginationConfig logGrid(currentPage, pageSize, param).then((response) => { this.data = response.data.listObject