
修复sql注入安全隐患 感谢@Tom4t0提交漏洞

蒋吉兆 3 years ago
parent
commit
7677f2196b
  1. 11
      server/service/system/sys_api.go

11
server/service/system/sys_api.go

@ -76,11 +76,22 @@ func (apiService *ApiService) GetAPIInfoList(api system.SysApi, info request.Pag
db = db.Limit(limit).Offset(offset) db = db.Limit(limit).Offset(offset)
if order != "" { if order != "" {
var OrderStr string var OrderStr string
// 设置有效排序key 防止sql注入
// 感谢 Tom4t0 提交漏洞信息
orderMap := make(map[string]bool, 5)
orderMap["id"] = true
orderMap["path"] = true
orderMap["api_group"] = true
orderMap["description"] = true
orderMap["method"] = true
if orderMap[order] {
if desc { if desc {
OrderStr = order + " desc" OrderStr = order + " desc"
} else { } else {
OrderStr = order OrderStr = order
} }
}
err = db.Order(OrderStr).Find(&apiList).Error err = db.Order(OrderStr).Find(&apiList).Error
} else { } else {
err = db.Order("api_group").Find(&apiList).Error err = db.Order("api_group").Find(&apiList).Error
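Review bot: When `order` is non-empty but not in `orderMap`, the new `if orderMap[order]` block leaves `OrderStr` as `""` and the code still falls through to `db.Order(OrderStr)`, so an unsupported (or attempted injection) sort key is silently turned into an unordered query instead of being rejected, and the result differs from the `else` branch's default `api_group` ordering. Either return an error for a key outside the allowlist, e.g. `if !orderMap[order] { return nil, 0, fmt.Errorf("unsupported order key %q", order) }` adapted to this function's actual return values (its signature and return statement are outside the hunk), or fall back to the default with `} else { OrderStr = "api_group" }` so behaviour matches the no-`order` path. The allowlist itself is the right fix for the injection; a `switch order { case "id", "path", "api_group", "description", "method": ... }` or a package-level `map[string]struct{}` would avoid rebuilding the map on every call, but that is style only. Where `order` and `desc` come from is not visible here, so whether they are bound straight from the request should be confirmed.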
