修复两处存在SQL注入漏洞问题

2025-09-06 04:18:07 +00:00 · 2021-05-27 21:13:01 +08:00
parent 2f3949d732
commit af479c7838
2 changed files with 15 additions and 1 deletions
--- a/ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java
+++ b/ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java
@@ -68,6 +68,7 @@ public class DataScopeAspect
    @Before("dataScopePointCut()")
    public void doBefore(JoinPoint point) throws Throwable
    {
+        clearDataScope(point);
        handleDataScope(point);
    }

@@ -169,4 +170,17 @@ public class DataScopeAspect
        }
        return null;
    }
+
+    /**
+     * 拼接权限sql前先清空params.dataScope参数防止注入
+     */
+    private void clearDataScope(final JoinPoint joinPoint)
+    {
+        Object params = joinPoint.getArgs()[0];
+        if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
+        {
+            BaseEntity baseEntity = (BaseEntity) params;
+            baseEntity.getParams().put(DATA_SCOPE, "");
+        }
+    }
 }