npm - doomiwork - Versions diffs - 4.1.5 → 4.1.7 - Mend

doomiwork 4.1.5 → 4.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/core/controller.js +1 -1
package/package.json +1 -1
package/utilities/requestparser.js +37 -15

package/core/controller.js CHANGED Viewed

@@ -182,7 +182,7 @@ class controller {
     */
     async getListData(req, dataKey, configFile = 0) {
         if (this.logger) this.logger.trace("准备获取dataconfig文件中对应的 %s list数据",dataKey)
-        const listinfo = getListInfo(req, dataKey, configFile, this._daoModel, ignorefilter==1);
+        const listinfo = getListInfo(req, dataKey, configFile, this._daoModel);  //, ignorefilter==1
         if (!listinfo) return { successed: false, errcode: -10, errmsg:`缺失${dataKey}对应的查询语句`};
         ////直接操作数据库之前，可由子类再次Handler

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "doomiwork",
-  "version": "4.1.5",
+  "version": "4.1.7",
   "description": "doomisoft nodejs web framework",
   "main": "index.js",
   "scripts": {

package/utilities/requestparser.js CHANGED Viewed

@@ -60,9 +60,7 @@ module.exports.parseTagInSql = (req, sql, allowNull = true) => {
         if (notdo && notdo.length > 0) return;
         let noQuoteProtect = matchValue[0] == '!';
-        if (noQuoteProtect) {
-            matchValue = matchValue.substring(1);
-        }
+        if (noQuoteProtect)   matchValue = matchValue.substring(1);
         ///是否有格式要求
         let validformat = matchValue.split('|');
         matchValue = validformat[0];
@@ -138,17 +136,39 @@ module.exports.parseTagForParameterize = (req, filterSetting={}) => {
     }
     return {sql,params};
 }
+/**
+ * 检查排序字段是否合法
+ * @param {*} sortField
+ * @returns
+ */
+function sortFieldIsLegal(sortField,allowedFields = []){
+    /// 没有传递排序字段，则不用检查
+    if (!sortField) return sortField;
+    /// 检查排序字段是否在允许的字段列表中,如果存在allowedFields，则只允许在allowedFields中排序
+    if (allowedFields && allowedFields.length) {
+        if(allowedFields.map(item => item.toLowerCase()).includes(sortField.toLowerCase())) return sortField;
+        /// 如果不在allowedFields中，则不允许使用传入的字段名进行排序，防止sql注入
+        return null;
+    }
+    /// 如果allowedFields为空，则检查排序的字段是否合法，防止sql注入
+    if (sortField.indexOf(' ') >= 0 || sortField.indexOf('(') >= 0 || sortField.indexOf(')') >= 0) return null;
+    return checkSqlInjection(sortField);
+}
 /*
 * 列表请求上下文中获取需要的信息
 * 如Page ,PageSize , Sort 等等
 */
 module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
     if (!dataKey) return null;
+    const dataConfig = dataconfig.getConfig(dataKey, cfgType);
+    if (!dataConfig?.list) return null;
     ///确认是否是需要导出Excel
     const export2Excel = (req.query.exportexcel + "").toLowerCase() === "true";
     let { page = 1, rows: pageSize = 100, sort, order, clientFilter: filter } = req.query
     ///防止sortSql 注入在排序的参数中
-    if (sort) sort = checkSqlInjection(sort);
+    if (sort) sort = sortFieldIsLegal(sort, dataConfig.list.allow_sort_fields) //checkSqlInjection(sort);
     // 防止页面数据传入非数字
     if (isNaN(pageSize)) pageSize = 30;
     // 防止页面数据传入非数字
@@ -158,7 +178,7 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
     ///拼接排序的语句
     if (order && sort && ORDER_STRING.includes(order.toLowerCase())) sort = sort + ' ' + order
     //req.order =req.sort? utility.ifNull((req.body.order || req.query.order), ""):'';
-    const dataConfig = dataconfig.getConfig(dataKey, cfgType);
     if (dataConfig && dataConfig.list) {
         req.dataConfig = dataConfig
         let { sql, listsql, countsql, sqltype = 'sql', field, footer, search, sort: constsort } = dataConfig.list
@@ -167,7 +187,8 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
         /**排序方式 *///
         sort = sort || constsort;
         /**来自req请求参数中的过滤条件 */
-        let clientfilter = checkSqlInjection(this.parseTagInSql(req, filter, false));
+        const clientfilter = null;// 不再支持可以通过客户端传递过滤条件，防止sql注入 //checkSqlInjection(this.parseTagInSql(req, filter, false));
+        let SqlParameters = [];
         //如果配置文件中不是直接的sql语句，则从DAO对象中的指定方法来获取sql
         if (sqltype !== 'sql' && listsql && typeof (dao[listsql]) === 'function') {
             sql = dao[sql](req, { page, rows: pageSize, sort, filter: searchCondition.filter, client: clientfilter });
@@ -177,20 +198,21 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
         /**根据过滤条件、排序条件、分页获取的方式，和原始sql拼接成最终获取数据的sql */
         if (sqltype==='sql'){
-            sql = this.parseTagInSql(req, sql) +
-                ' ' + searchCondition.filter + clientfilter +
-                (sort ? (' order by ' + sort) : '') +
-                (export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)) +
-                /////在Sql中再放入获取总记录数的语句
-                ';SELECT FOUND_ROWS() AS total;';
+            const mainParameterlizedSql = this.parseTagForParameterize(req, {pattern:sql});
+            if (!mainParameterlizedSql.sql) return null;
+            sql = `${mainParameterlizedSql.sql} ${searchCondition.filter} ${sort ? (' order by ' + sort) : ''} ${export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)};SELECT FOUND_ROWS() AS total`;
+            SqlParameters = SqlParameters.concat(mainParameterlizedSql.params || [], searchCondition.params);
             /*** 如果存在汇总列的sql，则把SQL放置在最末尾 */
             if (countsql) {
-                sql += appendSearchCondition2Count(this.parseTagInSql(req, countsql), searchCondition.filter)
+                const countParameterlizedSql = this.parseTagForParameterize(req, { pattern: countsql });
+                if (!countParameterlizedSql.sql) return null;
+                sql += appendSearchCondition2Count(countParameterlizedSql.sql, searchCondition.filter)
+                SqlParameters = SqlParameters.concat(countParameterlizedSql.params || [], searchCondition.params);
             }
         }
         ///如果存在统计的SQL，则参数需要Double一次
-        const sqlParams = countsql ? [].concat(searchCondition.params, searchCondition.params):searchCondition.params;
-        return { sql, fields: field, params: sqlParams, footers: footer, page, hascounter: countsql?true:false };
+        // const sqlParams = countsql ? [].concat(searchCondition.params, searchCondition.params):searchCondition.params;
+        return { sql, fields: field, params: SqlParameters, footers: footer, page, hascounter: countsql?true:false };
     }
 }
 /*