From 7677f2196ba388292d9ac434436589335fbb885f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=92=8B=E5=90=89=E5=85=86?= <303176530@qq.com>
Date: Wed, 24 Nov 2021 00:15:09 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dsql=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E9=9A=90=E6=82=A3=20=E6=84=9F=E8=B0=A2@Tom4t?=
 =?UTF-8?q?0=E6=8F=90=E4=BA=A4=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/service/system/sys_api.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/server/service/system/sys_api.go b/server/service/system/sys_api.go
index 1d3a8364..a9daef37 100644
--- a/server/service/system/sys_api.go
+++ b/server/service/system/sys_api.go
@@ -76,11 +76,22 @@ func (apiService *ApiService) GetAPIInfoList(api system.SysApi, info request.Pag
 	db = db.Limit(limit).Offset(offset)
 	if order != "" {
 		var OrderStr string
-		if desc {
-			OrderStr = order + " desc"
-		} else {
-			OrderStr = order
+		// 设置有效排序key 防止sql注入
+		// 感谢 Tom4t0 提交漏洞信息
+		orderMap := make(map[string]bool, 5)
+		orderMap["id"] = true
+		orderMap["path"] = true
+		orderMap["api_group"] = true
+		orderMap["description"] = true
+		orderMap["method"] = true
+		if orderMap[order] {
+			if desc {
+				OrderStr = order + " desc"
+			} else {
+				OrderStr = order
+			}
 		}
+		err = db.Order(OrderStr).Find(&apiList).Error
 	} else {
 		err = db.Order("api_group").Find(&apiList).Error
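Review bot: When `order` is non-empty but not in the allowlist, `OrderStr` stays `""` and the new `db.Order(OrderStr).Find(&apiList)` line still runs, so a rejected sort key is neither reported nor mapped to the default ordering that the `else` branch applies; as far as I recall GORM ignores an empty `Order("")`, which would make such requests silently unordered, and that should be confirmed. The allowlist itself is the right mitigation, since `Order` takes a raw SQL fragment and `order` comes from the request, but the unmatched case should be explicit: add `} else { OrderStr = "api_group" }` after the `if orderMap[order] {` block (or return an error to the caller) so every path yields a known column. As a point of style, the five-entry map is rebuilt on every call; a package-level `map[string]struct{}` or a `switch order { case "id", "path", "api_group", "description", "method": ... }` would be cheaper and easier to audit, and `OrderStr` would conventionally be `orderStr`. GetAPIInfoList begins before this hunk and its closing lines fall outside it.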