🔒 修复安全问题。 更新SQL过滤器，和新版mybatis plus orderitem 保持一致

pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/SqlFilterArgumentResolver.java

@@ -17,8 +17,9 @@
 
 package com.pig4cloud.pig.common.core.mybatis;
 
-import cn.hutool.core.util.ArrayUtil;
+import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.util.StrUtil;
+import com.baomidou.mybatisplus.core.metadata.OrderItem;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.pig4cloud.pig.common.core.exception.CheckedException;
 import lombok.extern.slf4j.Slf4j;
@@ -29,6 +30,8 @@ import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.method.support.ModelAndViewContainer;
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * @author lengleng
@@ -39,7 +42,7 @@ import javax.servlet.http.HttpServletRequest;
 @Slf4j
 public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver {
 	private final static String[] KEYWORDS = {"master", "truncate", "insert", "select"
-			, "delete", "update", "declare", "alter", "drop", "sleep"};
+		, "delete", "update", "declare", "alter", "drop", "sleep"};
 
 	/**
 	 * 判断Controller是否包含page 参数
@@ -63,12 +66,12 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver
 	 */
 	@Override
 	public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer
-			, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
+		, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
 
 		HttpServletRequest request = webRequest.getNativeRequest(HttpServletRequest.class);
 
-		String[] ascs = request.getParameterValues("ascs");
-		String[] descs = request.getParameterValues("descs");
+		String ascs = request.getParameter("ascs");
+		String descs = request.getParameter("descs");
 		String current = request.getParameter("current");
 		String size = request.getParameter("size");
 
@@ -78,11 +81,23 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver
 		}
 
 		if (StrUtil.isNotBlank(size)) {
-			page.setCurrent(Long.parseLong(size));
+			page.setSize(Long.parseLong(size));
 		}
 
-		page.setAsc(sqlInject(ascs));
-		page.setDesc(sqlInject(descs));
+		// 过滤 asc 条件
+		List<OrderItem> ascList = sqlInject(ascs, "asc");
+		// 过滤 desc条件
+		List<OrderItem> descList = sqlInject(descs, "desc");
+
+		List<OrderItem> orderItemList = new ArrayList<>();
+		if (CollUtil.isNotEmpty(ascList)) {
+			orderItemList.addAll(ascList);
+		}
+
+		if (CollUtil.isNotEmpty(descList)) {
+			orderItemList.addAll(descList);
+		}
+		page.setOrders(orderItemList);
 		return page;
 	}
 
@@ -90,13 +105,14 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver
 	 * SQL注入过滤
 	 *
 	 * @param str 待验证的字符串
+	 * @return 返回标准的order 属性
 	 */
-	public static String[] sqlInject(String[] str) {
-		if (ArrayUtil.isEmpty(str)) {
+	private static List<OrderItem> sqlInject(String str, String type) {
+		if (StrUtil.isBlank(str)) {
 			return null;
 		}
 		//转换成小写
-		String inStr = ArrayUtil.join(str, StrUtil.COMMA).toLowerCase();
+		String inStr = str.toLowerCase();
 
 		//判断是否包含非法字符
 		for (String keyword : KEYWORDS) {
@@ -106,6 +122,14 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver
 			}
 		}
 
-		return str;
+		List<OrderItem> orderItemList = new ArrayList<>();
+		for (String in : str.split(StrUtil.COMMA)) {
+			if ("asc".equals(type)) {
+				orderItemList.add(OrderItem.asc(in));
+			} else {
+				orderItemList.add(OrderItem.desc(in));
+			}
+		}
+		return orderItemList;
 	}
 }

pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/WebMvcConfig.java

@@ -17,12 +17,15 @@
 
 package com.pig4cloud.pig.common.core.mybatis;
 
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import java.util.List;
 
+import static org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type.SERVLET;
+
 /**
  * @author lengleng
  * @date 2019-06-24
@@ -30,6 +33,7 @@ import java.util.List;
  * 注入自自定义SQL 过滤
  */
 @Configuration
+@ConditionalOnWebApplication(type = SERVLET)
 public class WebMvcConfig implements WebMvcConfigurer {
 	@Override
 	public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {

pig-common/pig-common-core/src/main/resources/META-INF/spring.factories

@@ -4,4 +4,5 @@ org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
   com.pig4cloud.pig.common.core.config.RestTemplateConfig,\
   com.pig4cloud.pig.common.core.config.FilterIgnorePropertiesConfig,\
   com.pig4cloud.pig.common.core.exception.GlobalExceptionHandler,\
-  com.pig4cloud.pig.common.core.util.SpringContextHolder
+  com.pig4cloud.pig.common.core.util.SpringContextHolder,\
+  com.pig4cloud.pig.common.core.mybatis.WebMvcConfig