From 01d2b6ded9c93a34d38f363f0252505ee024fe0a Mon Sep 17 00:00:00 2001
From: 疯狂的狮子li <15040126243@163.com>
Date: 星期六, 29 五月 2021 19:03:11 +0800
Subject: [PATCH] update 优化dataScope参数防止注入
---
ruoyi-framework/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java | 41 +++++++++++++++++++++++++++++------------
1 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java
index 4d2f9bb..ce23af0 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java
@@ -68,6 +68,7 @@
@Before("dataScopePointCut()")
public void doBefore(JoinPoint point) throws Throwable
{
+ clearDataScope(point);
handleDataScope(point);
}
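Review bot: The ordering in doBefore is now the security-relevant invariant — clearDataScope must run before handleDataScope so a caller-supplied params.dataScope never survives into the mapper — but nothing in the method says so, and a later reorder would silently reopen the hole. A one-line comment above the call would pin it: `// reset any caller-supplied params.dataScope before the aspect computes its own value`. Note that clearDataScope only takes effect when the first join-point argument is non-null and exposes getParams (see the helper added further down in this patch); for other argument shapes the value is left untouched.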
@@ -144,18 +145,8 @@
if (StrUtil.isNotBlank(sqlString.toString()))
{
- Object params = joinPoint.getArgs()[0];
- if (Validator.isNotNull(params))
- {
- try {
- Method getParams = params.getClass().getDeclaredMethod("getParams", null);
- Map<String, Object> invoke = (Map<String, Object>) getParams.invoke(params, null);
- invoke.put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")");
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
- }
+ putDataScope(joinPoint, " AND (" + sqlString.substring(4) + ")");
+ }
}
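Review bot: When sqlString is blank this branch no longer writes anything into params, so the "empty scope" case now depends entirely on clearDataScope having stored "" earlier in doBefore; that coupling is invisible here and deserves a comment, e.g. `// blank scope: keep the "" set by clearDataScope so no request-supplied dataScope reaches the SQL`. The enclosing handleDataScope starts outside the hunk. The `sqlString.substring(4)` prefix strip is carried over unchanged; its length presumably matches a leading " OR " built above, which cannot be confirmed from this hunk.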
/**
@@ -173,4 +164,30 @@
}
return null;
}
+
+ /**
+ * 鎷兼帴鏉冮檺sql鍓嶅厛娓呯┖params.dataScope鍙傛暟闃叉娉ㄥ叆
+ */
+ private void clearDataScope(final JoinPoint joinPoint)
+ {
+ Object params = joinPoint.getArgs()[0];
+ if (Validator.isNotNull(params))
+ {
+ putDataScope(joinPoint, "");
+ }
+ }
+
+ private static void putDataScope(JoinPoint joinPoint, String sql) {
+ Object params = joinPoint.getArgs()[0];
+ if (Validator.isNotNull(params))
+ {
+ try {
+ Method getParams = params.getClass().getDeclaredMethod("getParams", null);
+ Map<String, Object> invoke = (Map<String, Object>) getParams.invoke(params, null);
+ invoke.put(DATA_SCOPE, sql);
+ } catch (Exception e) {
+ // 鏂规硶鏈壘鍒� 涓嶅鐞�
+ }
+ }
+ }
}
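Review bot: putDataScope swallows every exception from the reflective lookup, so when getParams cannot be resolved the clear in clearDataScope silently does nothing and the injection guard fails open; the catch should at least log the failure rather than stay empty. It also uses `getDeclaredMethod`, which does not see methods inherited from a superclass — if any entity obtains getParams from a base class (I cannot tell from this patch), the lookup throws NoSuchMethodException and is silently ignored; `Method getParams = params.getClass().getMethod("getParams");` together with `getParams.invoke(params)` finds inherited public methods and avoids passing `null` to a varargs parameter, which javac flags as an inexact argument. The null check in clearDataScope (lines after `Object params = joinPoint.getArgs()[0];`) duplicates the one inside putDataScope and can be dropped, leaving `putDataScope(joinPoint, "");` as the body. Both new comments are mis-encoded (UTF-8 text re-read as a legacy encoding); they appear to read "clear params.dataScope before building the permission SQL to prevent injection" and "method not found, ignore" and should be re-saved in the file's encoding.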
--
Gitblit v1.9.3