修复两处存在SQL注入漏洞问题
This commit is contained in:
parent
5e64a93d11
commit
6fa3bfe051
@ -66,6 +66,7 @@ public class DataScopeAspect
|
|||||||
@Before("dataScopePointCut()")
|
@Before("dataScopePointCut()")
|
||||||
public void doBefore(JoinPoint point) throws Throwable
|
public void doBefore(JoinPoint point) throws Throwable
|
||||||
{
|
{
|
||||||
|
clearDataScope(point);
|
||||||
handleDataScope(point);
|
handleDataScope(point);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -166,4 +167,17 @@ public class DataScopeAspect
|
|||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 拼接权限sql前先清空params.dataScope参数防止注入
|
||||||
|
*/
|
||||||
|
private void clearDataScope(final JoinPoint joinPoint)
|
||||||
|
{
|
||||||
|
Object params = joinPoint.getArgs()[0];
|
||||||
|
if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
|
||||||
|
{
|
||||||
|
BaseEntity baseEntity = (BaseEntity) params;
|
||||||
|
baseEntity.getParams().put(DATA_SCOPE, "");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -147,7 +147,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
|
|||||||
<if test="updateBy != null and updateBy != ''">update_by = #{updateBy},</if>
|
<if test="updateBy != null and updateBy != ''">update_by = #{updateBy},</if>
|
||||||
update_time = sysdate()
|
update_time = sysdate()
|
||||||
</set>
|
</set>
|
||||||
where dept_id in (${ancestors})
|
where find_in_set(#{deptId}, ancestors)
|
||||||
</update>
|
</update>
|
||||||
|
|
||||||
<delete id="deleteDeptById" parameterType="Long">
|
<delete id="deleteDeptById" parameterType="Long">
|
||||||
|
Loading…
Reference in New Issue
Block a user