fix 修复潜在关键词查询sql注入漏洞

This commit is contained in:
孟帅 2024-09-02 14:03:50 +08:00
parent 37b2b82130
commit 6caa644259
2 changed files with 38 additions and 6 deletions


@ -14,6 +14,7 @@ import (
"github.com/gogf/gf/v2/frame/g" "github.com/gogf/gf/v2/frame/g"
"github.com/gogf/gf/v2/text/gstr" "github.com/gogf/gf/v2/text/gstr"
"hotgo/utility/convert" "hotgo/utility/convert"
"strings"
) )
type daoInstance interface { type daoInstance interface {
@ -197,3 +198,31 @@ func IsUnique(ctx context.Context, dao daoInstance, where g.Map, message string,
} }
return nil return nil
} }
// FilterKeywordsWithOr 多条件关键词OR查询
func FilterKeywordsWithOr(m *gdb.Model, filterColumns map[string]string, keyword string) *gdb.Model {
if filterColumns == nil || len(filterColumns) == 0 {
return m
}
conditions := make([]string, 0)
args := make([]interface{}, 0)
for col, operator := range filterColumns {
val := keyword
var condition string
switch operator {
case "LIKE":
condition = fmt.Sprintf("%s LIKE ?", col)
val = "%" + keyword + "%"
default:
condition = fmt.Sprintf("%s = ?", col)
}
conditions = append(conditions, condition)
args = append(args, val)
}
filter := fmt.Sprintf("(%s)", strings.Join(conditions, " OR "))
return m.Where(filter, args...)
}
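Review bot: The bind parameter now covers only the keyword; the column name is still spliced into the statement verbatim by `fmt.Sprintf("%s LIKE ?", col)` and `fmt.Sprintf("%s = ?", col)`, so the exported helper is only as safe as the keys its callers put into `filterColumns`. The one caller in this commit passes a literal map, but nothing in the function enforces that, and a later caller that builds the map from request fields would reintroduce the class of bug this commit fixes. I would allowlist each key as a plain identifier before using it (or quote it through the driver's identifier quoting) and, because map iteration order is random, sort the keys so the generated SQL is stable across calls. The `filterColumns == nil ||` half of the guard is redundant since `len` of a nil map is 0, and `interface{}` can be spelled `any`. The sketch below needs `regexp` and `sort` added to the import block; the function itself is complete within the hunk.
```go
// columnNamePattern: only plain identifiers may be spliced into the statement;
// the keyword is bound as a parameter, the column name is not.
var columnNamePattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// … unchanged: signature and empty-map guard …
	// Sort the keys so the generated SQL is identical across calls.
	cols := make([]string, 0, len(filterColumns))
	for col := range filterColumns {
		cols = append(cols, col)
	}
	sort.Strings(cols)
	for _, col := range cols {
		if !columnNamePattern.MatchString(col) {
			continue // never splice an unvalidated identifier into SQL
		}
		operator := filterColumns[col]
		// … unchanged: operator switch, append to conditions/args …
	}
	// … unchanged: join with " OR " and m.Where …
```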


@ -23,6 +23,7 @@ import (
"hotgo/internal/global" "hotgo/internal/global"
"hotgo/internal/library/contexts" "hotgo/internal/library/contexts"
"hotgo/internal/library/dict" "hotgo/internal/library/dict"
"hotgo/internal/library/hgorm"
"hotgo/internal/library/hgorm/handler" "hotgo/internal/library/hgorm/handler"
"hotgo/internal/library/hgorm/hook" "hotgo/internal/library/hgorm/hook"
"hotgo/internal/library/location" "hotgo/internal/library/location"
@ -372,12 +373,14 @@ func (s *sSysLog) List(ctx context.Context, in *sysin.LogListInp) (list []*sysin
// 非生产环境,允许关键词查询日志 // 非生产环境,允许关键词查询日志
// 生成环境使用需谨慎,日志量大易产生慢日志 // 生成环境使用需谨慎,日志量大易产生慢日志
if !gmode.IsProduct() && in.Keyword != "" { if !gmode.IsProduct() && in.Keyword != "" {
mod = mod.Where("(`get_data` LIKE '%" + filterColumns := map[string]string{
in.Keyword + "%' or `post_data` LIKE '%" + "get_data": "LIKE",
in.Keyword + "%' or `header_data` LIKE '%" + "post_data": "LIKE",
in.Keyword + "%' or `error_data` LIKE '%" + "header_data": "LIKE",
in.Keyword + "%' or `error_msg` LIKE '%" + "error_data": "LIKE",
in.Keyword + "%')") "error_msg": "LIKE",
}
mod = hgorm.FilterKeywordsWithOr(mod, filterColumns, in.Keyword)
} }
totalCount, err = mod.Count() totalCount, err = mod.Count()
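Review bot: The keys of the new `filterColumns` literal are column identifiers that `hgorm.FilterKeywordsWithOr` writes into the SQL text without quoting or validation, so this map must stay a constant and never be built from `in`; a comment at the literal would protect the next edit, e.g. `// keys are column names written verbatim into SQL, not bind values — keep them literal`. The map is also rebuilt on every request; hoisting it to a package-level `var logKeywordColumns = map[string]string{...}` keeps one allocation out of the list path and documents the searchable columns in one place. The enclosing method `List` starts before the hunk.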