From 45bc7810c44688925ecb0e9d71887eb27880024c Mon Sep 17 00:00:00 2001
From: wangjiahao <1522128093@qq.com>
Date: Fri, 28 Feb 2025 16:54:12 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8DSQL=20Injection?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../dao/ext/mapper/ExtDataVisualizationMapper.java     |  2 +-
 .../visualization/manage/CoreVisualizationManage.java  | 10 +++++-----
 .../resources/mybatis/ExtDataVisualizationMapper.xml   | 10 +++++++++-
 .../mybatis/ExtVisualizationLinkJumpMapper.xml         |  8 ++++----
 4 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/core/core-backend/src/main/java/io/dataease/visualization/dao/ext/mapper/ExtDataVisualizationMapper.java b/core/core-backend/src/main/java/io/dataease/visualization/dao/ext/mapper/ExtDataVisualizationMapper.java
index 866d87b58b..008cd4fce3 100644
--- a/core/core-backend/src/main/java/io/dataease/visualization/dao/ext/mapper/ExtDataVisualizationMapper.java
+++ b/core/core-backend/src/main/java/io/dataease/visualization/dao/ext/mapper/ExtDataVisualizationMapper.java
@@ -37,7 +37,7 @@ public interface ExtDataVisualizationMapper {
 
     DataVisualizationVO findDvInfo(@Param("dvId") Long dvId,@Param("dvType") String dvType);
 
-    IPage<VisualizationResourcePO> findRecent(IPage<VisualizationResourcePO> page, @Param("uid") Long uid, @Param("keyword") String keyword, @Param("ew") QueryWrapper<Object> ew);
+    IPage<VisualizationResourcePO> findRecent(IPage<VisualizationResourcePO> page, @Param("uid") Long uid, @Param("keyword") String keyword, @Param("ew") Map ew);
 
     void copyLinkJump(@Param("copyId") Long copyId);
 
diff --git a/core/core-backend/src/main/java/io/dataease/visualization/manage/CoreVisualizationManage.java b/core/core-backend/src/main/java/io/dataease/visualization/manage/CoreVisualizationManage.java
index 9d4fe99f6e..617071b315 100644
--- a/core/core-backend/src/main/java/io/dataease/visualization/manage/CoreVisualizationManage.java
+++ b/core/core-backend/src/main/java/io/dataease/visualization/manage/CoreVisualizationManage.java
@@ -191,20 +191,20 @@ public class CoreVisualizationManage {
 
     public IPage<VisualizationResourcePO> queryVisualizationPage(int goPage, int pageSize, VisualizationWorkbranchQueryRequest request) {
         Long uid = AuthUtils.getUser().getUserId();
-        QueryWrapper<Object> queryWrapper = new QueryWrapper<>();
+        Map<String,Object> params = new HashMap<>();
         if (StringUtils.isNotBlank(request.getType())) {
             BusiResourceEnum busiResourceEnum = BusiResourceEnum.valueOf(request.getType().toUpperCase());
             if (ObjectUtils.isEmpty(busiResourceEnum)) {
                 DEException.throwException("type is invalid");
             }
-            queryWrapper.eq("dvResource.type", request.getType());
+            params.put("type",request.getType());
         }
         String info = CommunityUtils.getInfo();
         if (StringUtils.isNotBlank(info)) {
-            queryWrapper.notExists(String.format(info, "core_opt_recent.resource_id"));
+            params.put("info",info);
         }
-        queryWrapper.orderBy(true, request.isAsc(), "core_opt_recent.time");
+        params.put("isAsc",request.isAsc());
         Page<VisualizationResourcePO> page = new Page<>(goPage, pageSize);
-        return extDataVisualizationMapper.findRecent(page, uid, request.getKeyword(), queryWrapper);
+        return extDataVisualizationMapper.findRecent(page, uid, request.getKeyword(), params);
     }
 }
diff --git a/core/core-backend/src/main/resources/mybatis/ExtDataVisualizationMapper.xml b/core/core-backend/src/main/resources/mybatis/ExtDataVisualizationMapper.xml
index 908a83503c..6aeeb91254 100644
--- a/core/core-backend/src/main/resources/mybatis/ExtDataVisualizationMapper.xml
+++ b/core/core-backend/src/main/resources/mybatis/ExtDataVisualizationMapper.xml
@@ -237,7 +237,15 @@
              <if test="keyword">
                 AND LOWER(dvResource.name) LIKE LOWER(CONCAT('%', #{keyword}, '%'))
              </if>
-             ${ew.customSqlSegment}
+             <if test="ew.type != null">
+                AND dvResource.type = #{ew.type}
+             </if>
+             <if test="ew.info != null">
+                AND NOT EXISTS(select 1 from per_busi_resource community where core_opt_recent.resource_id = community.id)
+             </if>
+             <if test="ew.isAsc">
+                order by core_opt_recent.time asc
+             </if>
     </select>
 
     <insert id="copyLinkJump">
diff --git a/core/core-backend/src/main/resources/mybatis/ExtVisualizationLinkJumpMapper.xml b/core/core-backend/src/main/resources/mybatis/ExtVisualizationLinkJumpMapper.xml
index e1be07a325..79aa74b4fa 100644
--- a/core/core-backend/src/main/resources/mybatis/ExtVisualizationLinkJumpMapper.xml
+++ b/core/core-backend/src/main/resources/mybatis/ExtVisualizationLinkJumpMapper.xml
@@ -125,8 +125,8 @@
 
     <select id="queryWithDvId" resultMap="BaseResultMapDTO">
         SELECT core_chart_view.id                     AS source_view_id,
-               ${uid}                                 as queryUid,
-               ${isDesktop}                                 as isDesktop,
+               #{uid}                                 as queryUid,
+               #{isDesktop}                                 as isDesktop,
                visualization_link_jump.id,
                #{dvId} as source_dv_id, visualization_link_jump.link_jump_info,
                ifnull(core_chart_view.jump_active, 0) AS checked
@@ -163,8 +163,8 @@
 
     <select id="queryWithViewId" resultMap="BaseResultMapDTO">
         SELECT core_chart_view.id                         AS source_view_id,
-               ${uid}                                     as queryUid,
-               ${isDesktop}                                 as isDesktop,
+               #{uid}                                     as queryUid,
+               #{isDesktop}                                 as isDesktop,
                visualization_link_jump.id,
                #{dvId} as source_dv_id, visualization_link_jump.link_jump_info,
                ifnull(visualization_link_jump.checked, 0) AS checked