From 7677f2196ba388292d9ac434436589335fbb885f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=92=8B=E5=90=89=E5=85=86?= <303176530@qq.com>
Date: Wed, 24 Nov 2021 00:15:09 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dsql=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E9=9A=90=E6=82=A3=20=E6=84=9F=E8=B0=A2@Tom4t?=
 =?UTF-8?q?0=E6=8F=90=E4=BA=A4=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/service/system/sys_api.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/server/service/system/sys_api.go b/server/service/system/sys_api.go
index 1d3a8364..a9daef37 100644
--- a/server/service/system/sys_api.go
+++ b/server/service/system/sys_api.go
@@ -76,11 +76,22 @@ func (apiService *ApiService) GetAPIInfoList(api system.SysApi, info request.Pag
 		db = db.Limit(limit).Offset(offset)
 		if order != "" {
 			var OrderStr string
-			if desc {
-				OrderStr = order + " desc"
-			} else {
-				OrderStr = order
+			// 设置有效排序key 防止sql注入
+			// 感谢 Tom4t0 提交漏洞信息
+			orderMap := make(map[string]bool, 5)
+			orderMap["id"] = true
+			orderMap["path"] = true
+			orderMap["api_group"] = true
+			orderMap["description"] = true
+			orderMap["method"] = true
+			if orderMap[order] {
+				if desc {
+					OrderStr = order + " desc"
+				} else {
+					OrderStr = order
+				}
 			}
+
 			err = db.Order(OrderStr).Find(&apiList).Error
 		} else {
 			err = db.Order("api_group").Find(&apiList).Error
-- 
GitLab