refactor(curd): 重构排序字段处理，预防 SQL 注入问题

2025-09-10 20:57:18 +08:00 · 2024-08-13 20:36:10 +08:00
parent 4786af5104
commit ea6b316296
13 changed files with 273 additions and 231 deletions
--- a/continew-starter-data/continew-starter-data-mybatis-plus/src/main/java/top/continew/starter/data/mybatis/plus/query/QueryWrapperHelper.java
+++ b/continew-starter-data/continew-starter-data-mybatis-plus/src/main/java/top/continew/starter/data/mybatis/plus/query/QueryWrapperHelper.java
@@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package top.continew.starter.data.mybatis.plus.query;
+package top.continew.starter.data.mybatis.plus.util;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -23,18 +23,17 @@ import cn.hutool.core.util.ArrayUtil;
 import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.text.CharSequenceUtil;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
+import org.springframework.data.domain.Sort;
 import top.continew.starter.core.exception.BadRequestException;
 import top.continew.starter.core.util.ReflectUtils;
 import top.continew.starter.core.util.validate.ValidationUtils;
 import top.continew.starter.data.core.annotation.Query;
 import top.continew.starter.data.core.annotation.QueryIgnore;
 import top.continew.starter.data.core.enums.QueryType;
+import top.continew.starter.data.core.util.SqlInjectionUtils;

 import java.lang.reflect.Field;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
+import java.util.*;
 import java.util.function.Consumer;

 /**
@@ -60,11 +59,33 @@ public class QueryWrapperHelper {
     * @return QueryWrapper
     */
    public static <Q, R> QueryWrapper<R> build(Q query) {
+        return build(query, Sort.unsorted());
+    }
+
+    /**
+     * 构建 QueryWrapper
+     *
+     * @param query 查询条件
+     * @param sort  排序条件
+     * @param <Q>   查询条件数据类型
+     * @param <R>   查询数据类型
+     * @return QueryWrapper
+     * @since 2.5.2
+     */
+    public static <Q, R> QueryWrapper<R> build(Q query, Sort sort) {
        QueryWrapper<R> queryWrapper = new QueryWrapper<>();
        // 没有查询条件，直接返回
        if (null == query) {
            return queryWrapper;
        }
+        // 设置排序条件
+        if (sort != null && sort.isSorted()) {
+            for (Sort.Order order : sort) {
+                String field = CharSequenceUtil.toUnderlineCase(order.getProperty());
+                ValidationUtils.throwIf(SqlInjectionUtils.check(field), "排序字段包含非法字符");
+                queryWrapper.orderBy(true, order.isAscending(), field);
+            }
+        }
        // 获取查询条件中所有的字段
        List<Field> fieldList = ReflectUtils.getNonStaticFields(query.getClass());
        return build(query, fieldList, queryWrapper);