/sys/user/putRecycleBin is affected by sql injection #4126

/sys/user/deleteRecycleBin is affected by sql injection #4125
3 years ago · 51e2227bfe
parent ff77973a6c
commit 51e2227bfe
3 changed files with 15 additions and 9 deletions
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/SysUserMapper.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/SysUserMapper.java
@ -1,12 +1,12 @@
 package org.jeecg.modules.system.mapper;

 import com.baomidou.mybatisplus.core.conditions.Wrapper;
+import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.core.toolkit.Constants;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import org.apache.ibatis.annotations.Param;
 import org.jeecg.modules.system.entity.SysUser;
-import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import org.jeecg.modules.system.model.SysUserSysDepartModel;
 import org.jeecg.modules.system.vo.SysUserDepVo;

@ -133,14 +133,14 @@ public interface SysUserMapper extends BaseMapper<SysUser> {
     * @param entity
     * @return int
 	 */
-	int revertLogicDeleted(@Param("userIds") String userIds, @Param("entity") SysUser entity);
+	int revertLogicDeleted(@Param("userIds") List<String> userIds, @Param("entity") SysUser entity);

 	/**
 	 * 彻底删除被逻辑删除的用户
     * @param userIds 多个用户id
     * @return int
 	 */
-	int deleteLogicDeleted(@Param("userIds") String userIds);
+	int deleteLogicDeleted(@Param("userIds") List<String> userIds);

    /**
     * 更新空字符串为null【此写法有sql注入风险，禁止随便用】
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysUserMapper.xml
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysUserMapper.xml
@ -92,6 +92,8 @@
 			sys_user.id AS id,
 			sys_user.realname AS realname,
 			sys_user.avatar AS avatar,
+			sys_user.sex AS sex,
+			sys_user.birthday AS birthday,
 			sys_user.work_no AS workNo,
 			sys_user.post AS post,
 			sys_user.telephone AS telephone,
@ -141,12 +143,18 @@
 			update_time = #{entity.updateTime}
 		WHERE
 			del_flag = 1
-			AND id IN (${userIds})
+			AND id IN
+			<foreach collection="userIds" item="userId" open="(" close=")" separator="," >
+				#{userId}
+			</foreach>
 	</update>

 	<!-- 彻底删除被逻辑删除的用户 -->
 	<delete id="deleteLogicDeleted">
-		DELETE FROM sys_user WHERE del_flag = 1 AND id IN (${userIds})
+		DELETE FROM sys_user WHERE del_flag = 1 AND id IN
+		<foreach collection="userIds" item="userId" open="(" close=")" separator="," >
+			#{userId}
+		</foreach>
 	</delete>

    <!-- 更新空字符串为null -->
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
@ -459,16 +459,14 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
 	@Override
 	@CacheEvict(value={CacheConstant.SYS_USERS_CACHE}, allEntries=true)
 	public boolean revertLogicDeleted(List<String> userIds, SysUser updateEntity) {
-		String ids = String.format("'%s'", String.join("','", userIds));
-		return userMapper.revertLogicDeleted(ids, updateEntity) > 0;
+		return userMapper.revertLogicDeleted(userIds, updateEntity) > 0;
 	}

 	@Override
 	@Transactional(rollbackFor = Exception.class)
 	public boolean removeLogicDeleted(List<String> userIds) {
-		String ids = String.format("'%s'", String.join("','", userIds));
 		// 1. 删除用户
-		int line = userMapper.deleteLogicDeleted(ids);
+		int line = userMapper.deleteLogicDeleted(userIds);
 		// 2. 删除用户部门关系
 		line += sysUserDepartMapper.delete(new LambdaQueryWrapper<SysUserDepart>().in(SysUserDepart::getUserId, userIds));
 		//3. 删除用户角色关系