常用类添加二级缓存、高级筛选sql添加校验防止sql注入

win-framework/win-common/src/main/java/com/win/framework/common/exception/enums/GlobalErrorCodeConstants.java

@@ -35,6 +35,7 @@ public interface GlobalErrorCodeConstants {
     ErrorCode REPEATED_REQUESTS = new ErrorCode(900, "重复请求，请稍后重试"); // 重复请求
     ErrorCode DEMO_DENY = new ErrorCode(901, "演示模式，禁止写操作");
 
+    ErrorCode SQL_INJECTION = new ErrorCode(901, "参数存在非法字符，请确认：{}");
     ErrorCode UNKNOWN = new ErrorCode(999, "未知错误");
 
 

win-framework/win-common/src/main/java/com/win/framework/common/util/sql/ValidSql.java

@@ -0,0 +1,27 @@
+package com.win.framework.common.util.sql;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static com.win.framework.common.exception.enums.GlobalErrorCodeConstants.SQL_INJECTION;
+import static com.win.framework.common.exception.util.ServiceExceptionUtil.exception;
+
+public class ValidSql {
+
+    static String reg = "\\b(and|exec|insert|select|drop|grant|alter|delete|update|count|mid|truncate|char|or)\\b|([*;+'%])";
+    static Pattern sqlPattern = Pattern.compile(reg, Pattern.CASE_INSENSITIVE);//表示忽略大小写
+
+    /**
+     * 参数校验
+     *
+     * @param str ep: "or 1=1"
+     */
+    public static boolean isSqlValid(String str) {
+        Matcher matcher = sqlPattern.matcher(str);
+        if (matcher.find()) {
+            throw exception(SQL_INJECTION, matcher.group());
+        }
+        return true;
+    }
+
+}

win-framework/win-spring-boot-starter-mybatis/src/main/java/com/win/framework/mybatis/core/util/QueryWrapperUtils.java

@@ -4,6 +4,7 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.google.common.base.CaseFormat;
 import com.win.framework.common.pojo.CustomConditions;
 import com.win.framework.common.util.collection.CollectionUtils;
+import com.win.framework.common.util.sql.ValidSql;
 
 import java.time.Instant;
 import java.time.LocalDateTime;
@@ -32,6 +33,8 @@ public class QueryWrapperUtils {
                 continue;
             }
             column = CaseFormat.LOWER_CAMEL.to(CaseFormat.LOWER_UNDERSCORE, column);
+            //校验sql是否包含关键字
+            ValidSql.isSqlValid(column);
             switch (condition.getAction()) {
                 case "==" :
                     queryWrapper.eq(column, condition.getValue());

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/DeptMapper.java

@@ -9,6 +9,7 @@ import com.win.module.system.controller.dept.vo.dept.DeptListReqVO;
 import com.win.module.system.controller.dept.vo.dept.DeptPageReqVO;
 import com.win.module.system.dal.dataobject.dept.DeptDO;
 import com.win.module.system.dal.dataobject.permission.RoleDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import org.apache.ibatis.annotations.Param;
 
@@ -17,6 +18,7 @@ import java.util.List;
 import java.util.Map;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface DeptMapper extends BaseMapperX<DeptDO> {
 
     default List<DeptDO> selectList(DeptListReqVO reqVO) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/PostMapper.java

@@ -6,12 +6,14 @@ import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.dept.vo.post.PostExportReqVO;
 import com.win.module.system.controller.dept.vo.post.PostPageReqVO;
 import com.win.module.system.dal.dataobject.dept.PostDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.Collection;
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface PostMapper extends BaseMapperX<PostDO> {
 
     default List<PostDO> selectList(Collection<Long> ids, Collection<Integer> statuses) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/UserPostMapper.java

@@ -4,12 +4,14 @@ import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.dal.dataobject.dept.UserPostDO;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.Collection;
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface UserPostMapper extends BaseMapperX<UserPostDO> {
 
     default List<UserPostDO> selectListByUserId(Long userId) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/MenuMapper.java

@@ -4,11 +4,13 @@ import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.permission.vo.menu.MenuListReqVO;
 import com.win.module.system.dal.dataobject.permission.MenuDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface MenuMapper extends BaseMapperX<MenuDO> {
 
     default MenuDO selectByParentIdAndName(Long parentId, String name) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMapper.java

@@ -9,6 +9,7 @@ import com.win.framework.mybatis.core.util.QueryWrapperUtils;
 import com.win.module.system.controller.permission.vo.role.RoleExportReqVO;
 import com.win.module.system.controller.permission.vo.role.RolePageReqVO;
 import com.win.module.system.dal.dataobject.permission.RoleDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import org.springframework.lang.Nullable;
 
@@ -16,6 +17,7 @@ import java.util.Collection;
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface RoleMapper extends BaseMapperX<RoleDO> {
 
     default PageResult<RoleDO> selectPage(RolePageReqVO reqVO) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMenuMapper.java

@@ -3,12 +3,14 @@ package com.win.module.system.dal.mysql.permission;
 import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.module.system.dal.dataobject.permission.RoleMenuDO;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.Collection;
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface RoleMenuMapper extends BaseMapperX<RoleMenuDO> {
 
     default List<RoleMenuDO> selectListByRoleId(Long roleId) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/UserRoleMapper.java

@@ -3,12 +3,14 @@ package com.win.module.system.dal.mysql.permission;
 import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.module.system.dal.dataobject.permission.UserRoleDO;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.Collection;
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface UserRoleMapper extends BaseMapperX<UserRoleDO> {
 
     default List<UserRoleDO> selectListByUserId(Long userId) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantMapper.java

@@ -6,6 +6,7 @@ import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.tenant.vo.tenant.TenantExportReqVO;
 import com.win.module.system.controller.tenant.vo.tenant.TenantPageReqVO;
 import com.win.module.system.dal.dataobject.tenant.TenantDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.List;
@@ -16,6 +17,7 @@ import java.util.List;
  * @author 闻荫源码
  */
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface TenantMapper extends BaseMapperX<TenantDO> {
 
     default PageResult<TenantDO> selectPage(TenantPageReqVO reqVO) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantPackageMapper.java

@@ -5,6 +5,7 @@ import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.tenant.vo.packages.TenantPackagePageReqVO;
 import com.win.module.system.dal.dataobject.tenant.TenantPackageDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.List;
@@ -15,6 +16,7 @@ import java.util.List;
  * @author 闻荫源码
  */
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface TenantPackageMapper extends BaseMapperX<TenantPackageDO> {
 
     default PageResult<TenantPackageDO> selectPage(TenantPackagePageReqVO reqVO) {

win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/user/AdminUserMapper.java

@@ -7,12 +7,14 @@ import com.win.module.system.controller.user.vo.user.UserExportReqVO;
 import com.win.module.system.controller.user.vo.user.UserPageReqVO;
 import com.win.module.system.dal.dataobject.user.AdminUserDO;
 import com.win.module.system.dal.dataobject.user.AdminUserDOExpand;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 
 import java.util.Collection;
 import java.util.List;
 
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface AdminUserMapper extends BaseMapperX<AdminUserDO> {
 
     default AdminUserDO selectByUsername(String username) {