6 سال پیش · 8a37d2ae24
--- a/ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
@@ -1,7 +1,6 @@
 
				 package com.ruoyi.common.page;

			
 
				 

			
 
				 import com.ruoyi.common.utils.StringUtils;

			
 
				-import com.ruoyi.common.utils.sql.SqlUtil;

			
 
				 

			
 
				 /**

			
 
				  * 分页数据

			
@@ -12,14 +11,11 @@ public class PageDomain
 
				 {

			
 
				     /** 当前记录起始索引 */

			
 
				     private Integer pageNum;

			
 
				-

			
 
				     /** 每页显示记录数 */

			
 
				     private Integer pageSize;

			
 
				-

			
 
				     /** 排序列 */

			
 
				     private String orderByColumn;

			
 
				     /** 排序的方向 "desc" 或者 "asc". */

			
 
				-

			
 
				     private String isAsc;

			
 
				 

			
 
				     public String getOrderBy()

			
@@ -58,7 +54,7 @@ public class PageDomain
 
				 

			
 
				     public void setOrderByColumn(String orderByColumn)

			
 
				     {

			
 
				-        this.orderByColumn = SqlUtil.escapeSql(orderByColumn);

			
 
				+        this.orderByColumn = orderByColumn;

			
 
				     }

			
 
				 

			
 
				     public String getIsAsc()

			
@@ -68,6 +64,6 @@ public class PageDomain
 
				 

			
 
				     public void setIsAsc(String isAsc)

			
 
				     {

			
 
				-        this.isAsc = SqlUtil.escapeSql(isAsc);

			
 
				+        this.isAsc = isAsc;

			
 
				     }

			
 
				 }

			
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
@@ -10,15 +10,27 @@ import com.ruoyi.common.utils.StringUtils;
 
				 public class SqlUtil
			
 
				 {
			
 
				     /**
			
 
				-     * 防止sql注入 替换危险字符
			
 
				+     * 仅支持字母、数字、下划线、空格、逗号（支持多个字段排序）
			
 
				      */
			
 
				-    public static String escapeSql(String value)
			
 
				+    public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";
			
 
				+
			
 
				+    /**
			
 
				+     * 检查字符，防止注入绕过
			
 
				+     */
			
 
				+    public static String escapeOrderBySql(String value)
			
 
				     {
			
 
				-        if (StringUtils.isNotEmpty(value))
			
 
				+        if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
			
 
				         {
			
 
				-            value = value.replaceAll("\\(", "");
			
 
				-            value = value.replaceAll("\\)", "");
			
 
				+            return StringUtils.EMPTY;
			
 
				         }
			
 
				         return value;
			
 
				     }
			
 
				+
			
 
				+    /**
			
 
				+     * 验证 order by 语法是否符合规范
			
 
				+     */
			
 
				+    public static boolean isValidOrderBySql(String value)
			
 
				+    {
			
 
				+        return value.matches(SQL_PATTERN);
			
 
				+    }
			
 
				 }
			
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
@@ -13,6 +13,7 @@ import com.ruoyi.common.page.TableDataInfo;
 
				 import com.ruoyi.common.page.TableSupport;
			
 
				 import com.ruoyi.common.utils.DateUtils;
			
 
				 import com.ruoyi.common.utils.StringUtils;
			
 
				+import com.ruoyi.common.utils.sql.SqlUtil;
			
 
				 import com.ruoyi.framework.util.ShiroUtils;
			
 
				 import com.ruoyi.system.domain.SysUser;
			
 
				 
			
@@ -50,7 +51,7 @@ public class BaseController
 
				         Integer pageSize = pageDomain.getPageSize();
			
 
				         if (StringUtils.isNotNull(pageNum) && StringUtils.isNotNull(pageSize))
			
 
				         {
			
 
				-            String orderBy = pageDomain.getOrderBy();
			
 
				+            String orderBy = SqlUtil.escapeOrderBySql(pageDomain.getOrderBy());
			
 
				             PageHelper.startPage(pageNum, pageSize, orderBy);
			
 
				         }
			
 
				     }