fix: 修复SQL Injection漏洞

This commit is contained in:
wangjiahao
2025-02-28 16:54:12 +08:00
committed by xuwei-fit2cloud
parent acfc96e3d9
commit 45bc7810c4
4 changed files with 19 additions and 11 deletions


@@ -37,7 +37,7 @@ public interface ExtDataVisualizationMapper {
DataVisualizationVO findDvInfo(@Param("dvId") Long dvId,@Param("dvType") String dvType);
IPage<VisualizationResourcePO> findRecent(IPage<VisualizationResourcePO> page, @Param("uid") Long uid, @Param("keyword") String keyword, @Param("ew") QueryWrapper<Object> ew);
IPage<VisualizationResourcePO> findRecent(IPage<VisualizationResourcePO> page, @Param("uid") Long uid, @Param("keyword") String keyword, @Param("ew") Map ew);
void copyLinkJump(@Param("copyId") Long copyId);
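Review bot: The new `findRecent` overload declares its last parameter as a raw `Map`, while the only caller visible in this commit (`CoreVisualizationManage.queryVisualizationPage`) builds a `Map<String,Object>`; declaring it `@Param("ew") Map<String, Object> ew` keeps the generic type and avoids the raw-type warning. Because the mapper XML now reads only the fixed keys `type`, `info` and `isAsc` from this map, a short Javadoc listing them would tell callers what the map must contain, e.g. `/** @param ew filter map; recognised keys: type (String), info (presence flag only), isAsc (boolean) */`. The enclosing interface starts outside the hunk.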


@@ -191,20 +191,20 @@ public class CoreVisualizationManage {
public IPage<VisualizationResourcePO> queryVisualizationPage(int goPage, int pageSize, VisualizationWorkbranchQueryRequest request) {
Long uid = AuthUtils.getUser().getUserId();
QueryWrapper<Object> queryWrapper = new QueryWrapper<>();
Map<String,Object> params = new HashMap<>();
if (StringUtils.isNotBlank(request.getType())) {
BusiResourceEnum busiResourceEnum = BusiResourceEnum.valueOf(request.getType().toUpperCase());
if (ObjectUtils.isEmpty(busiResourceEnum)) {
DEException.throwException("type is invalid");
}
queryWrapper.eq("dvResource.type", request.getType());
params.put("type",request.getType());
}
String info = CommunityUtils.getInfo();
if (StringUtils.isNotBlank(info)) {
queryWrapper.notExists(String.format(info, "core_opt_recent.resource_id"));
params.put("info",info);
}
queryWrapper.orderBy(true, request.isAsc(), "core_opt_recent.time");
params.put("isAsc",request.isAsc());
Page<VisualizationResourcePO> page = new Page<>(goPage, pageSize);
return extDataVisualizationMapper.findRecent(page, uid, request.getKeyword(), queryWrapper);
return extDataVisualizationMapper.findRecent(page, uid, request.getKeyword(), params);
}
}
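Review bot: `params.put("info",info)` passes the raw string from `CommunityUtils.getInfo()` into the parameter map, but the rewritten mapper only tests `ew.info != null` and emits a fixed `NOT EXISTS` subquery, so the string's content — the template the removed `String.format(info, "core_opt_recent.resource_id")` depended on — is no longer used anywhere. If `getInfo()` can return different templates per deployment (its body is not visible here), that variability is now silently replaced by the hardcoded subquery; if it is only ever a presence signal, a comment would save the next reader a trip to the XML: `// info is only a presence flag here: the mapper emits a fixed NOT EXISTS subquery, not this string`. The enclosing class continues outside the hunk.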


@@ -237,7 +237,15 @@
<if test="keyword">
AND LOWER(dvResource.name) LIKE LOWER(CONCAT('%', #{keyword}, '%'))
</if>
${ew.customSqlSegment}
<if test="ew.type != null">
AND dvResource.type = #{ew.type}
</if>
<if test="ew.info != null">
AND NOT EXISTS(select 1 from per_busi_resource community where core_opt_recent.resource_id = community.id)
</if>
<if test="ew.isAsc">
order by core_opt_recent.time asc
</if>
</select>
<insert id="copyLinkJump">
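Review bot: The new `<if test="ew.isAsc">` block emits `order by core_opt_recent.time asc` only; when `isAsc` is false nothing is emitted, whereas the removed `${ew.customSqlSegment}` carried the caller's `orderBy(true, request.isAsc(), "core_opt_recent.time")` and therefore produced `desc` ordering as well. Unless a default ordering exists elsewhere in this select (the rest of the statement is outside the hunk), the descending "recent" listing now comes back in undefined row order. Keeping the column fixed in the XML and letting the parameter choose only the direction restores the old behaviour without reintroducing `${}` substitution.
```xml
<!-- … unchanged: keyword / type / info conditions … -->
order by core_opt_recent.time
<choose>
    <when test="ew.isAsc">asc</when>
    <otherwise>desc</otherwise>
</choose>
```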


@@ -125,8 +125,8 @@
<select id="queryWithDvId" resultMap="BaseResultMapDTO">
SELECT core_chart_view.id AS source_view_id,
${uid} as queryUid,
${isDesktop} as isDesktop,
#{uid} as queryUid,
#{isDesktop} as isDesktop,
visualization_link_jump.id,
#{dvId} as source_dv_id, visualization_link_jump.link_jump_info,
ifnull(core_chart_view.jump_active, 0) AS checked
@@ -163,8 +163,8 @@
<select id="queryWithViewId" resultMap="BaseResultMapDTO">
SELECT core_chart_view.id AS source_view_id,
${uid} as queryUid,
${isDesktop} as isDesktop,
#{uid} as queryUid,
#{isDesktop} as isDesktop,
visualization_link_jump.id,
#{dvId} as source_dv_id, visualization_link_jump.link_jump_info,
ifnull(visualization_link_jump.checked, 0) AS checked
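Review bot: The `queryUid` and `isDesktop` result columns in both the `queryWithDvId` and `queryWithViewId` hunks now come from bound parameters instead of inlined literals, so their reported SQL type is driver-dependent; with server-side prepared statements some drivers surface a bound select-list parameter as a string/binary column, so it is worth confirming that the `BaseResultMapDTO` mapping of these two properties still resolves to the expected Java types against the driver in use. Both selects continue outside the hunks, so any remaining `${...}` substitution further down in these statements would not be covered by this commit and should be checked the same way.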