sqlInjection & style

sqlInjection & style
This commit is contained in:
Crystal.Sea
2020-12-14 23:43:34 +08:00
parent fb8adb82d8
commit 64bed39ee9
22 changed files with 121 additions and 44 deletions


@@ -22,13 +22,16 @@ import java.util.List;
import org.apache.mybatis.jpa.persistence.JpaBaseService;
import org.maxkey.domain.Groups;
import org.maxkey.persistence.mapper.GroupsMapper;
import org.maxkey.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;
@Service
public class GroupsService extends JpaBaseService<Groups>{
final static Logger _logger = LoggerFactory.getLogger(GroupsService.class);
@Autowired
@Qualifier("groupMemberService")
GroupMemberService groupMemberService;
@@ -62,10 +65,22 @@ public class GroupsService extends JpaBaseService<Groups>{
if(dynamicGroup.getOrgIdsList()!=null && !dynamicGroup.getOrgIdsList().equals("")) {
dynamicGroup.setOrgIdsList("'"+dynamicGroup.getOrgIdsList().replace(",", "','")+"'");
}
String filters = dynamicGroup.getFilters();
if(StringUtils.filtersSQLInjection(filters.toLowerCase())) {
_logger.info("filters include SQL Injection Attack Risk.");
return;
}
filters = filters.replace("&", " AND ");
filters = filters.replace("|", " OR ");
dynamicGroup.setFilters(filters);
groupMemberService.deleteDynamicGroupMember(dynamicGroup);
groupMemberService.addDynamicGroupMember(dynamicGroup);
}
}
}
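Review bot: The new check at L34 calls `filters.toLowerCase()` on the value returned by `dynamicGroup.getFilters()` with no null guard, while the mapper's own `<if test="filters != null ...">` treats an absent filter as a legitimate state, so a dynamic group without a filter would now fail with a NullPointerException before reaching the member update. The same shape appears in RolesService at L69. The lowercasing should also use `Locale.ROOT`, because the default-locale form of `toLowerCase()` can map some ASCII letters differently under certain JVM locales and thereby defeat a keyword comparison inside `filtersSQLInjection` (this needs `java.util.Locale` imported). A rejected filter is a security-relevant event, so `_logger.warn` is a better level than `info`; and it is worth recording in a comment that `${filters}` in the mapper is raw substitution, so this denylist is the only control between the caller and the SQL text and should be complemented by an allowlist of permitted columns and operators. The enclosing method begins before this hunk.
```java
String filters = dynamicGroup.getFilters();
// The mapper only appends the filter when it is non-empty; skip validation and rewriting otherwise.
if (filters != null && !filters.isEmpty()) {
    // Locale.ROOT keeps the keyword comparison independent of the JVM default locale.
    if (StringUtils.filtersSQLInjection(filters.toLowerCase(Locale.ROOT))) {
        _logger.warn("filters include SQL Injection Attack Risk.");
        return;
    }
    filters = filters.replace("&", " AND ").replace("|", " OR ");
    dynamicGroup.setFilters(filters);
}
// … unchanged: deleteDynamicGroupMember / addDynamicGroupMember calls …
```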


@@ -23,13 +23,17 @@ import org.apache.mybatis.jpa.persistence.JpaBaseService;
import org.maxkey.domain.RolePermissions;
import org.maxkey.domain.Roles;
import org.maxkey.persistence.mapper.RolesMapper;
import org.maxkey.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;
@Service
public class RolesService extends JpaBaseService<Roles>{
final static Logger _logger = LoggerFactory.getLogger(RolesService.class);
@Autowired
@Qualifier("roleMemberService")
RoleMemberService roleMemberService;
@@ -74,6 +78,17 @@ public class RolesService extends JpaBaseService<Roles>{
dynamicRole.setOrgIdsList("'"+dynamicRole.getOrgIdsList().replace(",", "','")+"'");
}
String filters = dynamicRole.getFilters();
if(StringUtils.filtersSQLInjection(filters.toLowerCase())) {
_logger.info("filters include SQL Injection Attack Risk.");
return;
}
filters = filters.replace("&", " AND ");
filters = filters.replace("|", " OR ");
dynamicRole.setFilters(filters);
roleMemberService.deleteDynamicRoleMember(dynamicRole);
roleMemberService.addDynamicRoleMember(dynamicRole);
}
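Review bot: The quoting at L66, `"'" + getOrgIdsList().replace(",", "','") + "'"`, builds SQL literals by string concatenation and is not covered by the new `filtersSQLInjection` check, which only inspects `filters`; the result is then substituted verbatim through `${orgIdsList}` in the mapper, so a quote character inside an id would still reach the SQL text unescaped. GroupsService at L31 has the identical construction. A defensive minimum is to validate each id against the expected identifier format before quoting, e.g. `for (String id : orgIdsList.split(",")) { if (!id.matches("[A-Za-z0-9_-]+")) { _logger.warn("orgIdsList contains an invalid id"); return; } }` (pattern to be adjusted to the project's actual id format); the robust fix is to pass the ids as a list and let the mapper emit them with `<foreach ... separator=",">#{item}</foreach>` so they become bound parameters rather than SQL text. The enclosing method begins before this hunk.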


@@ -227,7 +227,7 @@
AND GM.TYPE='USER-DYNAMIC'
)
<if test="filters != null and filters != ''">
${filters}
AND (${filters})
</if>
<if test="orgIdsList != null and orgIdsList != ''">
AND U.DEPARTMENTID IN( ${orgIdsList})
@@ -244,10 +244,10 @@
WHERE 1 = 1
AND U.ID=GM.MEMBERID
<if test="filters != null and filters != ''">
${filters}
AND (${filters})
</if>
<if test="orgIdsList != null and orgIdsList != ''">
AND U.DEPARTMENTID IN( ${orgIdsList})
AND U.DEPARTMENTID IN ( ${orgIdsList})
</if>
)
</delete>
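Review bot: `AND (${filters})` at L87 and L96 still uses `${}`, which MyBatis expands as raw SQL text, so the added parentheses fix operator precedence against the preceding predicates but do not constrain what the substituted text can contain; the only protection is the `filtersSQLInjection` denylist in the calling services. That contract is invisible from the mapper, so a comment next to each use would help the next maintainer, e.g. `<!-- ${filters} is substituted verbatim (not a bound parameter); callers must validate it before setting it -->`. The same applies to `${orgIdsList}` at L90 and L100, where a `<foreach>` with `#{}` items would turn the ids into bound parameters. The enclosing `<select>`/`<delete>` elements begin outside these hunks.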