修复1处存在SQL注入漏洞问题，再实体类中移除

2026-02-01 14:31:56 +08:00 · 2021-05-30 17:44:13 +08:00
parent 67feb9947e
commit e7d1fd6dbe
3 changed files with 53 additions and 50 deletions
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/DataScopeConstants.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/DataScopeConstants.java
@@ -0,0 +1,39 @@
+package com.ruoyi.common.core.constant;
+
+/**
+ * 数据过滤常量
+ * 
+ * @author lic
+ */
+public class DataScopeConstants
+{
+    /**
+     * 全部数据权限
+     */
+    public static final String DATA_SCOPE_ALL = "1";
+
+    /**
+     * 自定数据权限
+     */
+    public static final String DATA_SCOPE_CUSTOM = "2";
+
+    /**
+     * 部门数据权限
+     */
+    public static final String DATA_SCOPE_DEPT = "3";
+
+    /**
+     * 部门及以下数据权限
+     */
+    public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
+
+    /**
+     * 仅本人数据权限
+     */
+    public static final String DATA_SCOPE_SELF = "5";
+
+    /**
+     * 数据权限过滤关键字
+     */
+    public static final String DATA_SCOPE = "dataScope";
+}
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java
@@ -5,6 +5,8 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 import com.fasterxml.jackson.annotation.JsonFormat;
+import com.ruoyi.common.core.constant.DataScopeConstants;
+import com.ruoyi.common.core.utils.StringUtils;

 /**
 * Entity基类
@@ -109,6 +111,10 @@ public class BaseEntity implements Serializable

    public void setParams(Map<String, Object> params)
    {
+        /** 拼接权限sql前先清空params.dataScope参数防止注入 */
+        if(StringUtils.isNotNull(params.get(DataScopeConstants.DATA_SCOPE))){
+            params.remove(DataScopeConstants.DATA_SCOPE);
+        }
        this.params = params;
    }
 }