修复漏洞，重构初始化功能，优化媒体库 (#1024)

* 媒体库增加普通上传、压缩上传按钮，方便媒体库直接上传图片 * 增加数据类型切换后的的校验，避免使用错误的查询条件和字典条件。 * refactor: 重构初始化逻辑 * 媒体库功能丰富 * 修复注入漏洞和路径穿越 * 修复自动化接口获取数据库表失败后未能终止的bug * 微调媒体库样式 Co-authored-by: bypanghu <bypanghu@163.com> Co-authored-by: tesun <36953434+tesun@users.noreply.github.com> Co-authored-by: pnck <hio131@gmail.com> Co-authored-by: task <121913992@qq.com>
flipped-aurora · Apr 12, 2022 · 954859b · 954859b
1 parent 4d43583
commit 954859b
Show file tree

Hide file tree

Showing 40 changed files with 1,352 additions and 778 deletions.
diff --git a/server/api/v1/example/exa_excel.go b/server/api/v1/example/exa_excel.go
@@ -1,13 +1,13 @@
 package example
 
 import (
-	"os"
-
 	"github.com/flipped-aurora/gin-vue-admin/server/global"
 	"github.com/flipped-aurora/gin-vue-admin/server/model/common/response"
 	"github.com/flipped-aurora/gin-vue-admin/server/model/example"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/zap"
+	"os"
+	"strings"
 )
 
 type ExcelApi struct{}
@@ -28,6 +28,10 @@ type ExcelApi struct{}
 func (e *ExcelApi) ExportExcel(c *gin.Context) {
 	var excelInfo example.ExcelInfo
 	_ = c.ShouldBindJSON(&excelInfo)
+	if strings.Index(excelInfo.FileName, "..") > -1 {
+		response.FailWithMessage("包含非法字符", c)
+		return
+	}
 	filePath := global.GVA_CONFIG.Excel.Dir + excelInfo.FileName
 	err := excelService.ParseInfoList2Excel(excelInfo.InfoList, filePath)
 	if err != nil {

diff --git a/server/api/v1/example/exa_file_upload_download.go b/server/api/v1/example/exa_file_upload_download.go
@@ -38,6 +38,18 @@ func (u *FileUploadAndDownloadApi) UploadFile(c *gin.Context) {
 	response.OkWithDetailed(exampleRes.ExaFileResponse{File: file}, "上传成功", c)
 }
 
+// EditFileName 编辑文件名或者备注
+func (u *FileUploadAndDownloadApi) EditFileName(c *gin.Context) {
+	var file example.ExaFileUploadAndDownload
+	_ = c.ShouldBindJSON(&file)
+	if err := fileUploadAndDownloadService.EditFileName(file); err != nil {
+		global.GVA_LOG.Error("编辑失败!", zap.Error(err))
+		response.FailWithMessage("编辑失败", c)
+		return
+	}
+	response.OkWithMessage("编辑成功", c)
+}
+
 // @Tags ExaFileUploadAndDownload
 // @Summary 删除文件
 // @Security ApiKeyAuth

diff --git a/server/api/v1/system/sys_auto_code.go b/server/api/v1/system/sys_auto_code.go
@@ -104,8 +104,9 @@ func (autoApi *AutoCodeApi) GetDB(c *gin.Context) {
 	if err != nil {
 		global.GVA_LOG.Error("获取失败!", zap.Error(err))
 		response.FailWithMessage("获取失败", c)
+	} else {
+		response.OkWithDetailed(gin.H{"dbs": dbs}, "获取成功", c)
 	}
-	response.OkWithDetailed(gin.H{"dbs": dbs}, "获取成功", c)
 }
 
 // GetTables
@@ -142,11 +143,11 @@ func (autoApi *AutoCodeApi) GetColumn(c *gin.Context) {
 	if err != nil {
 		global.GVA_LOG.Error("获取失败!", zap.Error(err))
 		response.FailWithMessage("获取失败", c)
+	} else {
+		response.OkWithDetailed(gin.H{"columns": columns}, "获取成功", c)
 	}
-	response.OkWithDetailed(gin.H{"columns": columns}, "获取成功", c)
 }
 
-
 // CreatePackage
 // @Tags AutoCode
 // @Summary 创建package
@@ -172,7 +173,6 @@ func (autoApi *AutoCodeApi) CreatePackage(c *gin.Context) {
 	}
 }
 
-
 // GetPackage
 // @Tags AutoCode
 // @Summary 获取package
@@ -182,17 +182,15 @@ func (autoApi *AutoCodeApi) CreatePackage(c *gin.Context) {
 // @Success 200 {object} response.Response{data=map[string]interface{},msg=string} "创建package成功"
 // @Router /autoCode/getPackage [post]
 func (autoApi *AutoCodeApi) GetPackage(c *gin.Context) {
-	pkgs,err := autoCodeService.GetPackage()
+	pkgs, err := autoCodeService.GetPackage()
 	if err != nil {
 		global.GVA_LOG.Error("获取失败!", zap.Error(err))
 		response.FailWithMessage("获取失败", c)
 	} else {
-		response.OkWithDetailed(gin.H{"pkgs": pkgs},"获取成功", c)
+		response.OkWithDetailed(gin.H{"pkgs": pkgs}, "获取成功", c)
 	}
 }
 
-
-
 // DelPackage
 // @Tags AutoCode
 // @Summary 删除package

diff --git a/server/initialize/ensure_tables.go b/server/initialize/ensure_tables.go
@@ -0,0 +1,99 @@
+package initialize
+
+import (
+	"context"
+	adapter "github.com/casbin/gorm-adapter/v3"
+	"github.com/flipped-aurora/gin-vue-admin/server/model/example"
+	sysModel "github.com/flipped-aurora/gin-vue-admin/server/model/system"
+	"github.com/flipped-aurora/gin-vue-admin/server/service/system"
+	"gorm.io/gorm"
+)
+
+const initOrderEnsureTables = system.InitOrderExternal - 1
+
+type ensureTables struct{}
+
+// auto run
+func init() {
+	system.RegisterInit(initOrderEnsureTables, &ensureTables{})
+}
+
+func (ensureTables) InitializerName() string {
+	return "ensure_tables_created"
+}
+func (e *ensureTables) InitializeData(ctx context.Context) (next context.Context, err error) {
+	return ctx, nil
+}
+
+func (e *ensureTables) DataInserted(ctx context.Context) bool {
+	return true
+}
+
+func (e *ensureTables) MigrateTable(ctx context.Context) (context.Context, error) {
+	db, ok := ctx.Value("db").(*gorm.DB)
+	if !ok {
+		return ctx, system.ErrMissingDBContext
+	}
+	tables := []interface{}{
+		sysModel.SysApi{},
+		sysModel.SysUser{},
+		sysModel.SysBaseMenu{},
+		sysModel.SysAuthority{},
+		sysModel.JwtBlacklist{},
+		sysModel.SysDictionary{},
+		sysModel.SysAutoCodeHistory{},
+		sysModel.SysOperationRecord{},
+		sysModel.SysDictionaryDetail{},
+		sysModel.SysBaseMenuParameter{},
+		sysModel.SysBaseMenuBtn{},
+		sysModel.SysAuthorityBtn{},
+		sysModel.SysAutoCode{},
+
+		adapter.CasbinRule{},
+
+		example.ExaFile{},
+		example.ExaCustomer{},
+		example.ExaFileChunk{},
+		example.ExaFileUploadAndDownload{},
+	}
+	for _, t := range tables {
+		_ = db.AutoMigrate(&t)
+		// 视图 authority_menu 会被当成表来创建，引发冲突错误（更新版本的gorm似乎不会）
+		// 由于 AutoMigrate() 基本无需考虑错误，因此显式忽略
+	}
+	return ctx, nil
+}
+
+func (e *ensureTables) TableCreated(ctx context.Context) bool {
+	db, ok := ctx.Value("db").(*gorm.DB)
+	if !ok {
+		return false
+	}
+	tables := []interface{}{
+		sysModel.SysApi{},
+		sysModel.SysUser{},
+		sysModel.SysBaseMenu{},
+		sysModel.SysAuthority{},
+		sysModel.JwtBlacklist{},
+		sysModel.SysDictionary{},
+		sysModel.SysAutoCodeHistory{},
+		sysModel.SysOperationRecord{},
+		sysModel.SysDictionaryDetail{},
+		sysModel.SysBaseMenuParameter{},
+		sysModel.SysBaseMenuBtn{},
+		sysModel.SysAuthorityBtn{},
+		sysModel.SysAutoCode{},
+
+		adapter.CasbinRule{},
+
+		example.ExaFile{},
+		example.ExaCustomer{},
+		example.ExaFileChunk{},
+		example.ExaFileUploadAndDownload{},
+	}
+	yes := true
+	for _, t := range tables {
+		yes = yes && db.Migrator().HasTable(t)
+	}
+	return yes
+}
diff --git a/server/initialize/register_init.go b/server/initialize/register_init.go
@@ -0,0 +1,10 @@
+package initialize
+
+import (
+	_ "github.com/flipped-aurora/gin-vue-admin/server/source/example"
+	_ "github.com/flipped-aurora/gin-vue-admin/server/source/system"
+)
+
+func init() {
+	// do nothing,only import source package so that inits can be registered
+}
diff --git a/server/model/common/request/common.go b/server/model/common/request/common.go
@@ -4,6 +4,7 @@ package request
 type PageInfo struct {
 	Page     int `json:"page" form:"page"`         // 页码
 	PageSize int `json:"pageSize" form:"pageSize"` // 每页大小
+	Keyword  string `json:"keyword" form:"keyword"`   //关键字
 }
 
 // GetById Find by id structure

diff --git a/server/model/example/exa_file_upload_download.go b/server/model/example/exa_file_upload_download.go
@@ -11,3 +11,7 @@ type ExaFileUploadAndDownload struct {
 	Tag  string `json:"tag" gorm:"comment:文件标签"` // 文件标签
 	Key  string `json:"key" gorm:"comment:编号"`   // 编号
 }
+
+func (ExaFileUploadAndDownload) TableName() string {
+	return "exa_file_upload_and_downloads"
+}
diff --git a/server/model/system/sys_api.go b/server/model/system/sys_api.go
@@ -11,3 +11,7 @@ type SysApi struct {
 	ApiGroup    string `json:"apiGroup" gorm:"comment:api组"`          // api组
 	Method      string `json:"method" gorm:"default:POST;comment:方法"` // 方法:创建POST(默认)|查看GET|更新PUT|删除DELETE
 }
+
+func (SysApi) TableName() string {
+	return "sys_apis"
+}
diff --git a/server/model/system/sys_authority.go b/server/model/system/sys_authority.go
@@ -5,15 +5,19 @@ import (
 )
 
 type SysAuthority struct {
-	CreatedAt       time.Time      // 创建时间
-	UpdatedAt       time.Time      // 更新时间
-	DeletedAt       *time.Time     `sql:"index"`
-	AuthorityId     string         `json:"authorityId" gorm:"not null;unique;primary_key;comment:角色ID;size:90"` // 角色ID
-	AuthorityName   string         `json:"authorityName" gorm:"comment:角色名"`                                    // 角色名
-	ParentId        string         `json:"parentId" gorm:"comment:父角色ID"`                                       // 父角色ID
-	DataAuthorityId []SysAuthority `json:"dataAuthorityId" gorm:"many2many:sys_data_authority_id"`
-	Children        []SysAuthority `json:"children" gorm:"-"`
-	SysBaseMenus    []SysBaseMenu  `json:"menus" gorm:"many2many:sys_authority_menus;"`
-	Users           []SysUser      `json:"-" gorm:"many2many:sys_user_authority;"`
-	DefaultRouter   string         `json:"defaultRouter" gorm:"comment:默认菜单;default:dashboard"` // 默认菜单(默认dashboard)
+	CreatedAt       time.Time       // 创建时间
+	UpdatedAt       time.Time       // 更新时间
+	DeletedAt       *time.Time      `sql:"index"`
+	AuthorityId     string          `json:"authorityId" gorm:"not null;unique;primary_key;comment:角色ID;size:90"` // 角色ID
+	AuthorityName   string          `json:"authorityName" gorm:"comment:角色名"`                                    // 角色名
+	ParentId        string          `json:"parentId" gorm:"comment:父角色ID"`                                       // 父角色ID
+	DataAuthorityId []*SysAuthority `json:"dataAuthorityId" gorm:"many2many:sys_data_authority_id;"`
+	Children        []SysAuthority  `json:"children" gorm:"-"`
+	SysBaseMenus    []SysBaseMenu   `json:"menus" gorm:"many2many:sys_authority_menus;"`
+	Users           []SysUser       `json:"-" gorm:"many2many:sys_user_authority;"`
+	DefaultRouter   string          `json:"defaultRouter" gorm:"comment:默认菜单;default:dashboard"` // 默认菜单(默认dashboard)
+}
+
+func (SysAuthority) TableName() string {
+	return "sys_authorities"
 }
diff --git a/server/model/system/sys_base_menu.go b/server/model/system/sys_base_menu.go
@@ -35,3 +35,7 @@ type SysBaseMenuParameter struct {
 	Key           string `json:"key" gorm:"comment:地址栏携带参数的key"`            // 地址栏携带参数的key
 	Value         string `json:"value" gorm:"comment:地址栏携带参数的值"`            // 地址栏携带参数的值
 }
+
+func (SysBaseMenu) TableName() string {
+	return "sys_base_menus"
+}
diff --git a/server/model/system/sys_dictionary.go b/server/model/system/sys_dictionary.go
@@ -14,3 +14,7 @@ type SysDictionary struct {
 	Desc                 string                `json:"desc" form:"desc" gorm:"column:desc;comment:描述"`       // 描述
 	SysDictionaryDetails []SysDictionaryDetail `json:"sysDictionaryDetails" form:"sysDictionaryDetails"`
 }
+
+func (SysDictionary) TableName() string {
+	return "sys_dictionaries"
+}
diff --git a/server/model/system/sys_dictionary_detail.go b/server/model/system/sys_dictionary_detail.go
@@ -14,3 +14,7 @@ type SysDictionaryDetail struct {
 	Sort            int    `json:"sort" form:"sort" gorm:"column:sort;comment:排序标记"`                                    // 排序标记
 	SysDictionaryID int    `json:"sysDictionaryID" form:"sysDictionaryID" gorm:"column:sys_dictionary_id;comment:关联标记"` // 关联标记
 }
+
+func (SysDictionaryDetail) TableName() string {
+	return "sys_dictionary_details"
+}
diff --git a/server/model/system/sys_initdb.go b/server/model/system/sys_initdb.go
diff --git a/server/model/system/sys_user.go b/server/model/system/sys_user.go
@@ -21,3 +21,7 @@ type SysUser struct {
 	Phone       string         `json:"phone"  gorm:"comment:用户手机号"` // 用户手机号
 	Email       string         `json:"email"  gorm:"comment:用户邮箱"`  // 用户邮箱
 }
+
+func (SysUser) TableName() string {
+	return "sys_users"
+}
diff --git a/server/router/example/exa_file_upload_and_download.go b/server/router/example/exa_file_upload_and_download.go
@@ -14,6 +14,7 @@ func (e *FileUploadAndDownloadRouter) InitFileUploadAndDownloadRouter(Router *gi
 		fileUploadAndDownloadRouter.POST("upload", exaFileUploadAndDownloadApi.UploadFile)                                 // 上传文件
 		fileUploadAndDownloadRouter.POST("getFileList", exaFileUploadAndDownloadApi.GetFileList)                           // 获取上传文件列表
 		fileUploadAndDownloadRouter.POST("deleteFile", exaFileUploadAndDownloadApi.DeleteFile)                             // 删除指定文件
+		fileUploadAndDownloadRouter.POST("editFileName", exaFileUploadAndDownloadApi.EditFileName)                         // 编辑文件名或者备注
 		fileUploadAndDownloadRouter.POST("breakpointContinue", exaFileUploadAndDownloadApi.BreakpointContinue)             // 断点续传
 		fileUploadAndDownloadRouter.GET("findFile", exaFileUploadAndDownloadApi.FindFile)                                  // 查询当前文件成功的切片
 		fileUploadAndDownloadRouter.POST("breakpointContinueFinish", exaFileUploadAndDownloadApi.BreakpointContinueFinish) // 查询当前文件成功的切片

diff --git a/server/service/enter.go b/server/service/enter.go
@@ -6,8 +6,8 @@ import (
 )
 
 type ServiceGroup struct {
-	SystemServiceGroup   system.ServiceGroup
-	ExampleServiceGroup  example.ServiceGroup
+	SystemServiceGroup  system.ServiceGroup
+	ExampleServiceGroup example.ServiceGroup
 }
 
 var ServiceGroupApp = new(ServiceGroup)