排序属性orderBy参数限制长度

yangzongzhuan · Jul 6, 2023 · ee2fef0 · ee2fef0
1 parent ad954da
commit ee2fef0
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/sql/SqlUtil.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/sql/SqlUtil.java
@@ -20,6 +20,11 @@ public class SqlUtil
      */
     public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,\\.]+";
 
+    /**
+     * 限制orderBy最大长度
+     */
+    private static final int ORDER_BY_MAX_LENGTH = 500;
+
     /**
      * 检查字符，防止注入绕过
      */
@@ -29,6 +34,10 @@ public static String escapeOrderBySql(String value)
         {
             throw new UtilException("参数不符合规范，不能进行查询");
         }
+        if (StringUtils.length(value) > ORDER_BY_MAX_LENGTH)
+        {
+            throw new UtilException("参数已超过最大限制，不能进行查询");
+        }
         return value;
     }