feature:修复已知安全问题。
pixelmaxQm committed Jun 2, 2024
1 parent 2f67c23 commit 53d0338
Showing 4 changed files with 50 additions and 78 deletions.
39 changes: 34 additions & 5 deletions server/service/system/sys_export_template.go
Expand Up @@ -203,14 +203,43 @@ func (sysExportTemplateService *SysExportTemplateService) ExportExcel(templateID
}
}

// 获取当前表的所有字段
table := template.TableName
orderColumns, err := global.GVA_DB.Migrator().ColumnTypes(table)
if err != nil {
return nil, "", err
}

// 创建一个 map 来存储字段名
fields := make(map[string]bool)

for _, column := range orderColumns {
fields[column.Name()] = true
}

// 通过参数传入order
order := values.Get("order")
if order != "" {
db = db.Order(order)
}
// 模板的默认order

if order == "" && template.Order != "" {
db = db.Order(template.Order)
// 如果没有order入参,这里会使用模板的默认排序
order = template.Order
}

if order != "" {
checkOrderArr := strings.Split(order, " ")
orderStr := ""
// 检查请求的排序字段是否在字段列表中
if _, ok := fields[checkOrderArr[0]]; !ok {
return nil, "", fmt.Errorf("order by %s is not in the fields", order)
}
orderStr = checkOrderArr[0]
if len(checkOrderArr) > 1 {
if checkOrderArr[1] != "asc" && checkOrderArr[1] != "desc" {
return nil, "", fmt.Errorf("order by %s is not secure", order)
}
orderStr = orderStr + " " + checkOrderArr[1]
}
db = db.Order(orderStr)
}

err = db.Debug().Find(&tableMap).Error
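Review bot: The validation inside `if order != ""` silently drops every token after the second — `strings.Split(order, " ")` on an input like `id desc extra` produces a third element that is never examined, and `orderStr` is assembled from the first two only, so malformed input is quietly accepted rather than rejected. Tokenising with `strings.Fields` and bounding the token count makes the intent explicit: `checkOrderArr := strings.Fields(order)` followed by `if len(checkOrderArr) > 2 { return nil, "", fmt.Errorf("order by %q is not secure", order) }`; the two existing error messages would likewise be clearer with `%q`, since the echoed value is request input. The rendered page has lost the +/- markers; I read `db = db.Order(order)` and `db = db.Order(template.Order)` at lines 37 and 42 as removed lines — if either survives on the new side, the unchecked value still reaches GORM before the field check runs. Fetching `ColumnTypes(table)` on every export, even when no order is requested, could also move inside the `if order != ""` branch. `ExportExcel` begins above the hunk and continues below it.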
18 changes: 10 additions & 8 deletions web/vite.config.js
Expand Up @@ -11,12 +11,14 @@ import vuePlugin from '@vitejs/plugin-vue'
import GvaPosition from './vitePlugin/gvaPosition'
import GvaPositionServer from './vitePlugin/codeServer'
import fullImportPlugin from './vitePlugin/fullImport/fullImport.js'
import { svgBuilder } from './vitePlugin/svgIcon/svgIcon.js'
import { svgBuilder } from 'vite-auto-import-svg'
import { AddSecret } from './vitePlugin/secret'
// @see https://cn.vitejs.dev/config/
export default ({
command,
mode
}) => {
AddSecret("")
const NODE_ENV = mode || 'development'
const envFiles = [
`.env.${NODE_ENV}`
Expand Down Expand Up @@ -106,13 +108,13 @@ export default ({
)
} else {
config.plugins.push(AutoImport({
resolvers: [ElementPlusResolver()]
}),
Components({
resolvers: [ElementPlusResolver({
importStyle: 'sass'
})]
}))
resolvers: [ElementPlusResolver()]
}),
Components({
resolvers: [ElementPlusResolver({
importStyle: 'sass'
})]
}))
}
return config
}
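Review bot: `AddSecret("")` at the top of the exported config function passes a literal empty string, which is exactly what `AddSecret` already substitutes for a missing argument, so the call pins the value to empty at build time and says nothing about where a real value would come from. The config computes `envFiles` from `mode` a few lines below; if the secret is meant to be configurable, read it from the environment after those files are loaded rather than hard-coding it here, e.g. `AddSecret(process.env.YOUR_SECRET_VAR)` with a placeholder name to be replaced by whatever the project uses. A one-line comment such as `// build-time secret published via global['gva-secret']; empty means none` would tell the next reader why the call exists. The second hunk is whitespace-only re-indentation.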
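--- a/web/vitePlugin/secret/index.js
+++ b/web/vitePlugin/secret/index.js
@@ -0,0 +1,6 @@
+export function AddSecret(secret) {
+if(!secret){
+secret = ""
+}
+global['gva-secret'] = secret;
+}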
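Review bot: `AddSecret` stores whatever truthy value it receives without checking its type, so a number or object passed by mistake is written to `global['gva-secret']` unchanged while only falsy values are normalised to `""`. Normalising on type keeps the global a string: `secret = typeof secret === 'string' ? secret : ''`. The body also mixes a statement without a trailing semicolon (`secret = ""`) with one that has it; pick one convention for the file. Nothing in this commit reads the global back, so a JSDoc line naming the intended consumer would help — something like `/** Publishes a build-time secret on the Node global under 'gva-secret' for other build plugins to read. */`, with the reader to be confirmed since it is not visible from here.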
65 changes: 0 additions & 65 deletions web/vitePlugin/svgIcon/svgIcon.js

This file was deleted.
