doomiwork 4.1.6 → 4.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/core/controller.js +1 -1
- package/package.json +1 -1
- package/utilities/requestparser.js +26 -19
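--- a/package/core/controller.js
+++ b/package/core/controller.js
@@ -182,7 +182,7 @@ class controller {
  */
 async getListData(req, dataKey, configFile = 0) {
 if (this.logger) this.logger.trace("准备获取dataconfig文件中对应的 %s list数据",dataKey)
-const listinfo = getListInfo(req, dataKey, configFile, this._daoModel
+const listinfo = getListInfo(req, dataKey, configFile, this._daoModel); //, ignorefilter==1
 if (!listinfo) return { successed: false, errcode: -10, errmsg:`缺失${dataKey}对应的查询语句`};
 
 ////直接操作数据库之前,可由子类再次Handler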
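--- a/package/utilities/requestparser.js
+++ b/package/utilities/requestparser.js
@@ -19,12 +19,17 @@ function checkSqlInjection(sql) {
 if (FORBID_SQL_KEYWORD.test(sql)) return '';
 return sql;
 }
+
+function isEmptyValue(value){
+if (value === undefined || value === null || value === '') return true;
+return false;
+}
 /*
 * 根据对应列表的配置(dataConfig.list.search),从请求上下文中获取用户进行搜索的参数信息
 */
 module.exports.getSearchCondition = (option) => {
 let paraCopy = option || {};
-if (!paraCopy.request || !paraCopy.refer) return '';
+if (!paraCopy.request || !paraCopy.refer) return { filter:'', params:[] };
 if (!paraCopy.valueFrom) paraCopy.valueFrom = "all";
 const request = paraCopy.request;
 let retSearch = [],params = [];
@@ -88,6 +93,7 @@ module.exports.parseTagInSql = (req, sql, allowNull = true) => {
 return sql;
 }
 
+
 /**
 * 为列表查询定义参数化查询
 * @param {*} req
@@ -100,7 +106,7 @@ module.exports.parseTagForParameterize = (req, filterSetting={}) => {
 ///type=parameter表示参数化方式查询
 ///type=joint 表示拼接sql语句查询
 ///scope=[] 表示需要解析的字段必须在此列表内容中
-let {pattern:sql,type='parameter',inscope=[]} = filterSetting;
+let {pattern:sql,type='parameter',inscope=[],allowEmpty=false} = filterSetting;
 if (!sql) return {sql:''};
 ///定义正则准备查找sql中的特定关键字
 const matched = sql.match(/@.*?@/g);
@@ -116,23 +122,24 @@ module.exports.parseTagForParameterize = (req, filterSetting={}) => {
 ///是否有格式要求
 let validformat = matchValue.split('|');
 matchValue = validformat[0];
+
 let keyValue = parseKeyValue(req, matchValue)||''; //utility.ifNull(keyParse.parseKeyValue(req, matchValue), '')+'';
 if (keyValue && validformat.length > 1) keyValue = validatorParamsType(keyValue, validformat[1], validformat[2], inscope)
 ///如果解析不出这个KeyValue ,则认为当前这条SQL过滤无效
-if (
-if (keyValue) {
-
-
-
-
-
-
-
-
-
-
-}
+if (isEmptyValue(keyValue) && !allowEmpty) return {sql:'',params:[]};
+// if (keyValue) {
+if(type.toLowerCase() === 'parameter'){
+sql = sql.replace(ele, '?'); ///变成参数化查询
+if (Array.isArray(keyValue))
+params.push(keyValue)
+else
+params.push(matchContent[0].replace(matchContent[1], keyValue));// '%' + keyValue + '%')
+} else if (type.toLowerCase() === 'joint'){ ///拼接sql语句查询
+///拼接的SQL语句,keyvalue必须在scope列表中,否则不予拼接
+const result = inscope.some(item => item.toLowerCase() === matchValue.toLowerCase());
+if (result)sql = sql.replace(ele, keyValue||'');
 }
+// }
 }
 return {sql,params};
 }
@@ -198,15 +205,15 @@ module.exports.getListInfo = (req, dataKey, cfgType = 0, dao) => {
 
 /**根据过滤条件、排序条件、分页获取的方式,和原始sql拼接成最终获取数据的sql */
 if (sqltype==='sql'){
-const mainParameterlizedSql = this.parseTagForParameterize(req, {pattern:sql});
+const mainParameterlizedSql = this.parseTagForParameterize(req, { pattern: sql, allowEmpty:true });
 if (!mainParameterlizedSql.sql) return null;
-sql = `${mainParameterlizedSql.sql} ${searchCondition.filter} ${sort ? (' order by ' + sort) : ''} ${export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)};SELECT FOUND_ROWS() AS total`;
+sql = `${mainParameterlizedSql.sql} ${searchCondition.filter ||''} ${sort ? (' order by ' + sort) : ''} ${export2Excel ? '' : ' limit ' + Number(pageSize) + ' OFFSET ' + (Math.max(Number(page), 1) - 1) * Number(pageSize)};SELECT FOUND_ROWS() AS total`;
 SqlParameters = SqlParameters.concat(mainParameterlizedSql.params || [], searchCondition.params);
 /*** 如果存在汇总列的sql,则把SQL放置在最末尾 */
 if (countsql) {
-const countParameterlizedSql = this.parseTagForParameterize(req, { pattern: countsql });
+const countParameterlizedSql = this.parseTagForParameterize(req, { pattern: countsql, allowEmpty: true });
 if (!countParameterlizedSql.sql) return null;
-sql += appendSearchCondition2Count(countParameterlizedSql.sql, searchCondition.filter)
+sql += appendSearchCondition2Count(countParameterlizedSql.sql, searchCondition.filter||'')
 SqlParameters = SqlParameters.concat(countParameterlizedSql.params || [], searchCondition.params);
 }
 }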
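Review bot: In the new `joint` branch of parseTagForParameterize (new lines 137–140) the `inscope.some(...)` allowlist checks the tag name `matchValue`, not the request-derived `keyValue` that `sql.replace(ele, keyValue||'')` splices into the statement text, so a listed tag still carries an unvalidated value into the SQL unless `validatorParamsType` (reached only when a `|format` suffix is present, and defined outside the hunk) covers it; joint mode should require a validated value, for example by refusing to splice when `validformat.length <= 1`, with `checkSqlInjection` (defined at the top of this file, a keyword blocklist) as at best a secondary check. The `allowEmpty:true` now passed from getListInfo changes an absent parameter from "return null" to binding `''`, or the blanked `matchContent` pattern, which for a `'%' + keyValue + '%'` style pattern widens the match to every row; a one-line comment at the two call sites should state that this is intended. The commented-out `// if (keyValue) {` / `// }` pair should be deleted rather than kept. This section is labelled package/package.json on the page, but its hunk headers and the +26 −19 diffstat match package/utilities/requestparser.js; the removed old lines 124–134 render empty here, so the previous branch bodies cannot be compared.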