- 完善 DynamicFilter Custom 安全问题；

2025-06-20 04:48:16 +08:00 · 2021-12-10 12:17:58 +08:00
parent bbaf947bb0
commit 487913f7ef
5 changed files with 224 additions and 2 deletions
--- a/FreeSql/Internal/CommonProvider/SelectProvider/Select0Provider.cs
+++ b/FreeSql/Internal/CommonProvider/SelectProvider/Select0Provider.cs
@ -553,9 +553,10 @@ namespace FreeSql.Internal.CommonProvider
                            if (string.IsNullOrWhiteSpace(fiValueCustomArray[0])) throw new ArgumentException("Custom {静态方法名}不能为空，格式：{静态方法名}{空格}{反射信息}");
                            if (string.IsNullOrWhiteSpace(fiValueCustomArray[1])) throw new ArgumentException("Custom {反射信息}不能为空，格式：{静态方法名}{空格}{反射信息}");
                            var fiValue1Type = Type.GetType(fiValueCustomArray[1]);
-                            if (fiValue1Type == null) throw new ArgumentException($"Custom 找到对应的{{反射信息}}：{fiValueCustomArray[1]}");
+                            if (fiValue1Type == null) throw new ArgumentException($"Custom 找不到对应的{{反射信息}}：{fiValueCustomArray[1]}");
                            var fiValue0Method = fiValue1Type.GetMethod(fiValueCustomArray[0], new Type[] { typeof(string) });
-                            if (fiValue0Method == null) throw new ArgumentException($"Custom 找到对应的{{静态方法名}}：{fiValueCustomArray[0]}");
+                            if (fiValue0Method == null) throw new ArgumentException($"Custom 找不到对应的{{静态方法名}}：{fiValueCustomArray[0]}");
+                            if (MethodIsDynamicFilterCustomAttribute(fiValue0Method) == false) throw new ArgumentException($"Custom 对应的{{静态方法名}}：{fiValueCustomArray[0]} 未设置 [DynamicFilterCustomAttribute] 特性");
                            var fiValue0MethodReturn = fiValue0Method?.Invoke(null, new object[] { fi.Value?.ToString() })?.ToString();
                            exp = Expression.Call(typeof(SqlExt).GetMethod("InternalRawSql", BindingFlags.NonPublic | BindingFlags.Static), Expression.Constant(fiValue0MethodReturn, typeof(string)));
                            break;
@ -693,6 +694,21 @@ namespace FreeSql.Internal.CommonProvider
                    string.IsNullOrEmpty(testFilter.Value?.ToString());
            }
        }
+        static ConcurrentDictionary<MethodInfo, bool> _dicMethodIsDynamicFilterCustomAttribute = new ConcurrentDictionary<MethodInfo, bool>();
+        static bool MethodIsDynamicFilterCustomAttribute(MethodInfo method) => _dicMethodIsDynamicFilterCustomAttribute.GetOrAdd(method, m =>
+        {
+            object[] attrs = null;
+            try
+            {
+                attrs = m.GetCustomAttributes(false).ToArray(); //.net core 反射存在版本冲突问题，导致该方法异常
+            }
+            catch { }
+
+            var dyattr = attrs?.Where(a => {
+                return ((a as Attribute)?.TypeId as Type)?.Name == "DynamicFilterCustomAttribute";
+            }).FirstOrDefault();
+            return dyattr != null;
+        });

        public TSelect DisableGlobalFilter(params string[] name)
        {
--- a/FreeSql/Internal/Model/DynamicFilterInfo.cs
+++ b/FreeSql/Internal/Model/DynamicFilterInfo.cs
@ -131,10 +131,17 @@ namespace FreeSql.Internal.Model
        /// {<para></para>
        /// public class DynamicFilterCustom<para></para>
        /// {<para></para>
+        /// [DynamicFilterCustom]<para></para>
        /// public static string RawSql(string value) => value;<para></para>
        /// }<para></para>
        /// }<para></para>
        /// </summary>
        Custom
    }
+
+    /// <summary>
+    /// 授权 DynamicFilter 支持 Custom 自定义解析
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Method)]
+    public class DynamicFilterCustomAttribute : Attribute { }
 }