- 完善 DynamicFilter Custom 安全问题;

This commit is contained in:
2881099
2021-12-10 12:17:58 +08:00
parent bbaf947bb0
commit 487913f7ef
5 changed files with 224 additions and 2 deletions

View File

@ -553,9 +553,10 @@ namespace FreeSql.Internal.CommonProvider
if (string.IsNullOrWhiteSpace(fiValueCustomArray[0])) throw new ArgumentException("Custom {静态方法名}不能为空,格式:{静态方法名}{空格}{反射信息}");
if (string.IsNullOrWhiteSpace(fiValueCustomArray[1])) throw new ArgumentException("Custom {反射信息}不能为空,格式:{静态方法名}{空格}{反射信息}");
var fiValue1Type = Type.GetType(fiValueCustomArray[1]);
if (fiValue1Type == null) throw new ArgumentException($"Custom 找到对应的{{反射信息}}{fiValueCustomArray[1]}");
if (fiValue1Type == null) throw new ArgumentException($"Custom 找到对应的{{反射信息}}{fiValueCustomArray[1]}");
var fiValue0Method = fiValue1Type.GetMethod(fiValueCustomArray[0], new Type[] { typeof(string) });
if (fiValue0Method == null) throw new ArgumentException($"Custom 找到对应的{{静态方法名}}{fiValueCustomArray[0]}");
if (fiValue0Method == null) throw new ArgumentException($"Custom 找到对应的{{静态方法名}}{fiValueCustomArray[0]}");
if (MethodIsDynamicFilterCustomAttribute(fiValue0Method) == false) throw new ArgumentException($"Custom 对应的{{静态方法名}}{fiValueCustomArray[0]} 未设置 [DynamicFilterCustomAttribute] 特性");
var fiValue0MethodReturn = fiValue0Method?.Invoke(null, new object[] { fi.Value?.ToString() })?.ToString();
exp = Expression.Call(typeof(SqlExt).GetMethod("InternalRawSql", BindingFlags.NonPublic | BindingFlags.Static), Expression.Constant(fiValue0MethodReturn, typeof(string)));
break;
@ -693,6 +694,21 @@ namespace FreeSql.Internal.CommonProvider
string.IsNullOrEmpty(testFilter.Value?.ToString());
}
}
static ConcurrentDictionary<MethodInfo, bool> _dicMethodIsDynamicFilterCustomAttribute = new ConcurrentDictionary<MethodInfo, bool>();
static bool MethodIsDynamicFilterCustomAttribute(MethodInfo method) => _dicMethodIsDynamicFilterCustomAttribute.GetOrAdd(method, m =>
{
object[] attrs = null;
try
{
attrs = m.GetCustomAttributes(false).ToArray(); //.net core 反射存在版本冲突问题,导致该方法异常
}
catch { }
var dyattr = attrs?.Where(a => {
return ((a as Attribute)?.TypeId as Type)?.Name == "DynamicFilterCustomAttribute";
}).FirstOrDefault();
return dyattr != null;
});
public TSelect DisableGlobalFilter(params string[] name)
{

View File

@ -131,10 +131,17 @@ namespace FreeSql.Internal.Model
/// {<para></para>
/// public class DynamicFilterCustom<para></para>
/// {<para></para>
/// [DynamicFilterCustom]<para></para>
/// public static string RawSql(string value) => value;<para></para>
/// }<para></para>
/// }<para></para>
/// </summary>
Custom
}
/// <summary>
/// 授权 DynamicFilter 支持 Custom 自定义解析
/// </summary>
[AttributeUsage(AttributeTargets.Method)]
public class DynamicFilterCustomAttribute : Attribute { }
}