diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryGenerator.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryGenerator.java
index b8e807b8..45ac9b4a 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryGenerator.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryGenerator.java
@@ -193,7 +193,7 @@ public class QueryGenerator {
 }
 }
 // 排序逻辑 处理
- doMultiFieldsOrder(queryWrapper, parameterMap, fieldColumnMap.keySet());
+ doMultiFieldsOrder(queryWrapper, parameterMap, fieldColumnMap);
 //高级查询
 doSuperQuery(queryWrapper, parameterMap, fieldColumnMap);
@@ -229,7 +229,8 @@ public class QueryGenerator {
 }
 }
- private static void doMultiFieldsOrder(QueryWrapper queryWrapper,Map parameterMap, Set allFields) {
+ private static void doMultiFieldsOrder(QueryWrapper queryWrapper,Map parameterMap, Map fieldColumnMap) {
+ Set allFields = fieldColumnMap.keySet();
 String column=null,order=null;
 if(parameterMap!=null&& parameterMap.containsKey(ORDER_COLUMN)) {
 column = parameterMap.get(ORDER_COLUMN)[0];
@@ -252,6 +253,19 @@ public class QueryGenerator {
 }
 //update-end-author:taoyan date:2022-5-16 for: issues/3676 获取系统用户列表时,使用SQL注入生效
+ //update-begin-author:scott date:2022-10-10 for:【jeecg-boot/issues/I5FJU6】doMultiFieldsOrder() 多字段排序方法存在问题
+ //多字段排序方法没有读取 MybatisPlus 注解 @TableField 里 value 的值
+ if (column.contains(",")) {
+ List columnList = Arrays.asList(column.split(","));
+ String columnStrNew = columnList.stream().map(c -> fieldColumnMap.get(c)).collect(Collectors.joining(","));
+ if (oConvertUtils.isNotEmpty(columnStrNew)) {
+ column = columnStrNew;
+ }
+ }else{
+ column = fieldColumnMap.get(column);
+ }
+ //update-end-author:scott date:2022-10-10 for:【jeecg-boot/issues/I5FJU6】doMultiFieldsOrder() 多字段排序方法存在问题
+ //SQL注入check
 SqlInjectionUtil.filterContent(column);
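Review bot: In the comma-separated branch, `fieldColumnMap.get(c)` yields null for any segment that is not a declared field, and `Collectors.joining` writes that as the literal text `null`, so a request with `column=id,bogus` becomes `id,null`, passes `SqlInjectionUtil.filterContent`, and ends up in the ORDER BY instead of being rejected. The pre-existing whitelist check referenced by the taoyan marker just above is outside this hunk, so I cannot confirm it validates each comma-separated segment; the new code should enforce per-segment membership itself and bail out rather than join nulls. The else branch has the same gap: `fieldColumnMap.get(column)` can return null, in which case `filterContent(null)` is called. A degenerate `column=","` also slips through, because `split` yields an empty list, the joined string is empty, and the `isNotEmpty` guard leaves the original `,` in place. The enclosing method starts and ends outside the hunk.
```java
if (column.contains(",")) {
    List<String> columnList = Arrays.asList(column.split(","));
    // reject the whole sort if any segment is not a declared field of this entity
    if (columnList.isEmpty() || !columnList.stream().allMatch(fieldColumnMap::containsKey)) {
        return;
    }
    column = columnList.stream().map(fieldColumnMap::get).collect(Collectors.joining(","));
} else if (fieldColumnMap.containsKey(column)) {
    column = fieldColumnMap.get(column);
} else {
    return;
}
// … unchanged: SqlInjectionUtil.filterContent(column); …
```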