diff --git a/src/com/engine/salary/entity/hrm/dto/EmployeeInfoExpandDTO.java b/src/com/engine/salary/entity/hrm/dto/EmployeeInfoExpandDTO.java index 3bccd4a71..f24cbffc6 100644 --- a/src/com/engine/salary/entity/hrm/dto/EmployeeInfoExpandDTO.java +++ b/src/com/engine/salary/entity/hrm/dto/EmployeeInfoExpandDTO.java @@ -1,5 +1,8 @@ package com.engine.salary.entity.hrm.dto; +import com.engine.salary.util.valid.Modify; +import com.engine.salary.util.valid.ModifyTypeEnum; +import com.engine.salary.util.valid.ValueTypeEnum; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; @@ -38,11 +41,13 @@ public class EmployeeInfoExpandDTO { /** * sql */ + @Modify(modifyType = ModifyTypeEnum.RESTORE_SQL) private String expandSql; /** * 字段设置 */ + @Modify(valueType = ValueTypeEnum.ARRAY) private List fieldSettings; } diff --git a/src/com/engine/salary/entity/hrm/dto/FieldSetting.java b/src/com/engine/salary/entity/hrm/dto/FieldSetting.java index e63ce9ee7..1174b59ae 100644 --- a/src/com/engine/salary/entity/hrm/dto/FieldSetting.java +++ b/src/com/engine/salary/entity/hrm/dto/FieldSetting.java @@ -1,5 +1,6 @@ package com.engine.salary.entity.hrm.dto; +import com.engine.salary.util.valid.Modify; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; @@ -14,6 +15,7 @@ public class FieldSetting { /** * 字段 */ + @Modify() private String field; /** diff --git a/src/com/engine/salary/entity/salaryformula/param/SalaryFormulaSaveParam.java b/src/com/engine/salary/entity/salaryformula/param/SalaryFormulaSaveParam.java index 41a7cdfeb..705e09268 100644 --- a/src/com/engine/salary/entity/salaryformula/param/SalaryFormulaSaveParam.java +++ b/src/com/engine/salary/entity/salaryformula/param/SalaryFormulaSaveParam.java @@ -2,6 +2,8 @@ package com.engine.salary.entity.salaryformula.param; import com.engine.salary.entity.salaryformula.po.FormulaVar; import com.engine.salary.util.valid.DataCheck; +import com.engine.salary.util.valid.Modify; +import com.engine.salary.util.valid.ModifyTypeEnum; import com.engine.salary.util.valid.RuntimeTypeEnum; import lombok.AllArgsConstructor; import lombok.Builder; @@ -61,6 +63,7 @@ public class SalaryFormulaSaveParam { * 公式内容 */ @DataCheck(require = true,message = "公式内容为空") + @Modify(modifyType = ModifyTypeEnum.RESTORE_SQL) private String formula; diff --git a/src/com/engine/salary/report/wrapper/SalaryStatisticsDimensionWrapper.java b/src/com/engine/salary/report/wrapper/SalaryStatisticsDimensionWrapper.java index 7a59d343b..7e8c8a374 100644 --- a/src/com/engine/salary/report/wrapper/SalaryStatisticsDimensionWrapper.java +++ b/src/com/engine/salary/report/wrapper/SalaryStatisticsDimensionWrapper.java @@ -23,9 +23,9 @@ import com.engine.salary.service.SalaryItemService; import com.engine.salary.service.impl.SalaryItemServiceImpl; import com.engine.salary.util.JsonUtil; import com.engine.salary.util.SalaryI18nUtil; -import com.engine.salary.util.XssSQL; import com.engine.salary.util.page.PageInfo; import com.engine.salary.util.page.SalaryPageUtil; +import com.engine.salary.util.valid.ValidUtil; import com.google.common.collect.Lists; import org.apache.commons.collections4.CollectionUtils; import weaver.hrm.User; @@ -196,7 +196,8 @@ public class SalaryStatisticsDimensionWrapper extends Service { * @return */ public void saveExpandFieldSettings(EmployeeInfoExpandDTO saveParam) { - saveParam.setExpandSql(XssSQL.handleXSSContent(saveParam.getExpandSql())); + ValidUtil.modify(saveParam); +// Optional.ofNullable(saveParam.getFieldSettings()).orElse(new ArrayList<>()).forEach(fieldSetting -> fieldSetting.setField(fieldSetting.getField().trim())); salaryStatisticsDimensionService(user).saveExpandFieldSettings(saveParam); } diff --git a/src/com/engine/salary/service/impl/SalaryFormulaServiceImpl.java b/src/com/engine/salary/service/impl/SalaryFormulaServiceImpl.java index 3e34a2715..e15006e2b 100644 --- a/src/com/engine/salary/service/impl/SalaryFormulaServiceImpl.java +++ b/src/com/engine/salary/service/impl/SalaryFormulaServiceImpl.java @@ -119,24 +119,7 @@ public class SalaryFormulaServiceImpl extends Service implements SalaryFormulaSe } //将select因XSS过滤造成的异常字符转换回来 - param.setFormula(param.getFormula().replaceAll("select", "select")); - param.setFormula(param.getFormula().replaceAll("SELECT", "SELECT")); - param.setFormula(param.getFormula().replaceAll("join", "join")); - param.setFormula(param.getFormula().replaceAll("JOIN", "JOIN")); - param.setFormula(param.getFormula().replaceAll("and", "and")); - param.setFormula(param.getFormula().replaceAll("AND", "AND")); - param.setFormula(param.getFormula().replaceAll("or", "or")); - param.setFormula(param.getFormula().replaceAll("OR", "OR")); - param.setFormula(param.getFormula().replaceAll("in", "in")); - param.setFormula(param.getFormula().replaceAll("IN", "IN")); - param.setFormula(param.getFormula().replaceAll("like", "like")); - param.setFormula(param.getFormula().replaceAll("LIKE", "like")); - param.setFormula(param.getFormula().replaceAll("exists", "exists")); - param.setFormula(param.getFormula().replaceAll("EXISTS", "EXISTS")); - param.setFormula(param.getFormula().replaceAll("between", "between")); - param.setFormula(param.getFormula().replaceAll("BETWEEN", "BETWEEN")); - param.setFormula(param.getFormula().replaceAll("union", "union")); - param.setFormula(param.getFormula().replaceAll("UNION", "UNION")); + ValidUtil.modify(param); // 解析公式中的参数 if (ReferenceTypeEnum.parseByValue(param.getReferenceType()) == ReferenceTypeEnum.FORMULA) { diff --git a/src/com/engine/salary/util/XssSQL.java b/src/com/engine/salary/util/XssSQL.java deleted file mode 100644 index c6f4fab59..000000000 --- a/src/com/engine/salary/util/XssSQL.java +++ /dev/null @@ -1,25 +0,0 @@ -package com.engine.salary.util; - -public class XssSQL { - - public static String handleXSSContent(String xss) { - return xss.replace("select", "select") - .replace("SELECT", "SELECT") - .replace("join", "join") - .replace("JOIN", "JOIN") - .replace("and", "and") - .replace("AND", "AND") - .replace("or", "or") - .replace("OR", "OR") - .replace("in", "in") - .replace("IN", "IN") - .replace("like", "like") - .replace("LIKE", "like") - .replace("exists", "exists") - .replace("EXISTS", "EXISTS") - .replace("between", "between") - .replace("BETWEEN", "BETWEEN") - .replace("union", "union") - .replace("UNION", "UNION"); - } -} diff --git a/src/com/engine/salary/util/valid/Modify.java b/src/com/engine/salary/util/valid/Modify.java new file mode 100644 index 000000000..bf61ec974 --- /dev/null +++ b/src/com/engine/salary/util/valid/Modify.java @@ -0,0 +1,15 @@ +package com.engine.salary.util.valid; + +import java.lang.annotation.*; + +/** + * 数据参数合法性注解 + */ +@Target(ElementType.FIELD) +@Retention(RetentionPolicy.RUNTIME) +@Documented +public @interface Modify { + ModifyTypeEnum[] modifyType() default ModifyTypeEnum.TRIM; + + ValueTypeEnum valueType() default ValueTypeEnum.STRING; +} \ No newline at end of file diff --git a/src/com/engine/salary/util/valid/ModifyTypeEnum.java b/src/com/engine/salary/util/valid/ModifyTypeEnum.java new file mode 100644 index 000000000..e40ea143d --- /dev/null +++ b/src/com/engine/salary/util/valid/ModifyTypeEnum.java @@ -0,0 +1,13 @@ +package com.engine.salary.util.valid; + +/** + * 修改参数值 + *

Copyright: Copyright (c) 2022

+ *

Company: 泛微软件

+ * + * @author qiantao + * @version 1.0 + **/ +public enum ModifyTypeEnum { + TRIM, RESTORE_SQL +} diff --git a/src/com/engine/salary/util/valid/ValidUtil.java b/src/com/engine/salary/util/valid/ValidUtil.java index 6b1964c45..8c0d0932d 100644 --- a/src/com/engine/salary/util/valid/ValidUtil.java +++ b/src/com/engine/salary/util/valid/ValidUtil.java @@ -139,6 +139,21 @@ public class ValidUtil { return value; } + private static void setValue(T t, String fieldName, Object value) { + try { + BeanInfo beanInfo = Introspector.getBeanInfo(t.getClass()); + PropertyDescriptor[] props = beanInfo.getPropertyDescriptors(); + for (PropertyDescriptor property : props) { + if (fieldName.equals(property.getName())) { + Method method = property.getWriteMethod(); + method.invoke(t, value); + } + } + } catch (Exception e) { + e.printStackTrace(); + } + } + private static boolean notNull(Object value) { if (null == value) { return false; @@ -184,4 +199,57 @@ public class ValidUtil { return convertSuccess; } + public static void modify(T t) { + Class clazz = t.getClass(); + Field[] fields = clazz.getDeclaredFields(); + for (Field field : fields) { + Modify rule = field.getDeclaredAnnotation(Modify.class); + + if (null == rule) { + continue; + } + + ModifyTypeEnum[] modifyTypeEnums = rule.modifyType(); + ValueTypeEnum valueTypeEnum = rule.valueType(); + for (int i = 0; i < modifyTypeEnums.length; i++) { + Object value = getValue(t, field.getName()); + if (valueTypeEnum == ValueTypeEnum.STRING) { + String result = value.toString(); + + if (modifyTypeEnums[i] == ModifyTypeEnum.TRIM) { + result = result.trim(); + } + + if (modifyTypeEnums[i] == ModifyTypeEnum.RESTORE_SQL) { + result = result.replace("select", "select") + .replace("SELECT", "SELECT") + .replace("join", "join") + .replace("JOIN", "JOIN") + .replace("and", "and") + .replace("AND", "AND") + .replace("or", "or") + .replace("OR", "OR") + .replace("in", "in") + .replace("IN", "IN") + .replace("like", "like") + .replace("LIKE", "like") + .replace("exists", "exists") + .replace("EXISTS", "EXISTS") + .replace("between", "between") + .replace("BETWEEN", "BETWEEN") + .replace("union", "union") + .replace("UNION", "UNION"); + } + setValue(t, field.getName(), result); + } else if (valueTypeEnum == ValueTypeEnum.OBJECT) { + modify(value); + } else if (valueTypeEnum == ValueTypeEnum.ARRAY) { + Collection list = (Collection) value; + list.forEach(l -> modify(l)); + } + } + } + } + + } diff --git a/src/com/engine/salary/util/valid/ValueTypeEnum.java b/src/com/engine/salary/util/valid/ValueTypeEnum.java new file mode 100644 index 000000000..f2227d689 --- /dev/null +++ b/src/com/engine/salary/util/valid/ValueTypeEnum.java @@ -0,0 +1,13 @@ +package com.engine.salary.util.valid; + +/** + * 值类型 + *

Copyright: Copyright (c) 2022

+ *

Company: 泛微软件

+ * + * @author qiantao + * @version 1.0 + **/ +public enum ValueTypeEnum { + STRING, OBJECT,ARRAY +}