修复sql注入安全隐患感谢@Tom4t0提交漏洞

7677f219 · Mr.奇淼（ · f11c0eec · 7677f219
隐藏空白更改
内联并排

Showing with 15 addition and 4 deletion

server/service/system/sys_api.go server/service/system/sys_api.go +15 -4

未找到文件。
--- a/server/service/system/sys_api.go
+++ b/server/service/system/sys_api.go
@@ -76,11 +76,22 @@ func (apiService *ApiService) GetAPIInfoList(api system.SysApi, info request.Pag
 		db = db.Limit(limit).Offset(offset)
 		if order != "" {
 			var OrderStr string
-			if desc {
-				OrderStr = order + " desc"
-			} else {
-				OrderStr = order
+			// 设置有效排序key 防止sql注入
+			// 感谢 Tom4t0 提交漏洞信息
+			orderMap := make(map[string]bool, 5)
+			orderMap["id"] = true
+			orderMap["path"] = true
+			orderMap["api_group"] = true
+			orderMap["description"] = true
+			orderMap["method"] = true
+			if orderMap[order] {
+				if desc {
+					OrderStr = order + " desc"
+				} else {
+					OrderStr = order
+				}
 			}
+
 			err = db.Order(OrderStr).Find(&apiList).Error
 		} else {
 			err = db.Order("api_group").Find(&apiList).Error