mirror of
https://github.com/nsnail/FreeSql.git
synced 2025-04-22 02:32:50 +08:00
- 完善 DynamicFilter Custom 安全问题;
This commit is contained in:
2881099
parent
bbaf947bb0
commit
487913f7ef
@ -538,5 +538,14 @@
|
|||||||
<param name="that"></param>
|
<param name="that"></param>
|
||||||
<returns></returns>
|
<returns></returns>
|
||||||
</member>
|
</member>
|
||||||
|
<member name="M:Microsoft.Extensions.DependencyInjection.FreeSqlRepositoryDependencyInjection.AddFreeRepository(Microsoft.Extensions.DependencyInjection.IServiceCollection,System.Action{FreeSql.FluentDataFilter},System.Reflection.Assembly[])">
|
||||||
|
<summary>
|
||||||
|
批量注入 Repository,可以参考代码自行调整
|
||||||
|
</summary>
|
||||||
|
<param name="services"></param>
|
||||||
|
<param name="globalDataFilter"></param>
|
||||||
|
<param name="assemblies"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
</members>
|
</members>
|
||||||
</doc>
|
</doc>
|
||||||
|
|||||||
@ -2543,6 +2543,7 @@ WHERE (((name,no) in (('testname01','testname01')) OR not((a.""no"") LIKE '%test
|
|||||||
|
|
||||||
public class DynamicFilterMyCustom
|
public class DynamicFilterMyCustom
|
||||||
{
|
{
|
||||||
|
[DynamicFilterCustom]
|
||||||
public static string MyRawSql(string value) => value;
|
public static string MyRawSql(string value) => value;
|
||||||
|
|
||||||
public static string TupleIn(string value)
|
public static string TupleIn(string value)
|
||||||
|
|||||||
@ -3186,6 +3186,177 @@
|
|||||||
<param name="parms"></param>
|
<param name="parms"></param>
|
||||||
<returns></returns>
|
<returns></returns>
|
||||||
</member>
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteConnectTestAsync(System.Int32,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
测试数据库是否连接正确,本方法执行如下命令:<para></para>
|
||||||
|
MySql/SqlServer/PostgreSQL/达梦/人大金仓/神通: SELECT 1<para></para>
|
||||||
|
Oracle: SELECT 1 FROM dual<para></para>
|
||||||
|
</summary>
|
||||||
|
<param name="commandTimeout">命令超时设置(秒)</param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns>true: 成功, false: 失败</returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteReaderAsync(System.Func{FreeSql.Internal.Model.FetchCallbackArgs{System.Data.Common.DbDataReader},System.Threading.Tasks.Task},System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询,若使用读写分离,查询【从库】条件cmdText.StartsWith("SELECT "),否则查询【主库】
|
||||||
|
</summary>
|
||||||
|
<param name="readerHander"></param>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteReaderAsync(System.Func{FreeSql.Internal.Model.FetchCallbackArgs{System.Data.Common.DbDataReader},System.Threading.Tasks.Task},System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询,ExecuteReaderAsync(dr => {}, "select * from user where age > @age", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<param name="readerHander"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteArrayAsync(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询
|
||||||
|
</summary>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteArrayAsync(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询,ExecuteArrayAsync("select * from user where age > @age", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteDataSetAsync(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询
|
||||||
|
</summary>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteDataSetAsync(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询,ExecuteDataSetAsync("select * from user where age > @age; select 2", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteDataTableAsync(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询
|
||||||
|
</summary>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteDataTableAsync(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
查询,ExecuteDataTableAsync("select * from user where age > @age", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteNonQueryAsync(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
在【主库】执行
|
||||||
|
</summary>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteNonQueryAsync(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
在【主库】执行,ExecuteNonQueryAsync("delete from user where age > @age", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteScalarAsync(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
在【主库】执行
|
||||||
|
</summary>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.ExecuteScalarAsync(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
在【主库】执行,ExecuteScalarAsync("select 1 from user where age > @age", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.QueryAsync``1(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
执行SQL返回对象集合,QueryAsync<User>("select * from user where age > @age", new SqlParameter { ParameterName = "age", Value = 25 })
|
||||||
|
</summary>
|
||||||
|
<typeparam name="T"></typeparam>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.QueryAsync``1(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
执行SQL返回对象集合,QueryAsync<User>("select * from user where age > @age", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<typeparam name="T"></typeparam>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.QueryAsync``2(System.Data.CommandType,System.String,System.Data.Common.DbParameter[],System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
执行SQL返回对象集合,Query<User>("select * from user where age > @age; select * from address", new SqlParameter { ParameterName = "age", Value = 25 })
|
||||||
|
</summary>
|
||||||
|
<typeparam name="T1"></typeparam>
|
||||||
|
<typeparam name="T2"></typeparam>
|
||||||
|
<param name="cmdType"></param>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="cmdParms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
|
<member name="M:FreeSql.IAdo.QueryAsync``2(System.String,System.Object,System.Threading.CancellationToken)">
|
||||||
|
<summary>
|
||||||
|
执行SQL返回对象集合,Query<User, Address>("select * from user where age > @age; select * from address", new { age = 25 })<para></para>
|
||||||
|
提示:parms 参数还可以传 Dictionary<string, object>
|
||||||
|
</summary>
|
||||||
|
<typeparam name="T1"></typeparam>
|
||||||
|
<typeparam name="T2"></typeparam>
|
||||||
|
<param name="cmdText"></param>
|
||||||
|
<param name="parms"></param>
|
||||||
|
<param name="cancellationToken"></param>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
<member name="E:FreeSql.IAop.ParseExpression">
|
<member name="E:FreeSql.IAop.ParseExpression">
|
||||||
<summary>
|
<summary>
|
||||||
可自定义解析表达式
|
可自定义解析表达式
|
||||||
@ -4020,11 +4191,17 @@
|
|||||||
{<para></para>
|
{<para></para>
|
||||||
public class DynamicFilterCustom<para></para>
|
public class DynamicFilterCustom<para></para>
|
||||||
{<para></para>
|
{<para></para>
|
||||||
|
[DynamicFilterCustom]<para></para>
|
||||||
public static string RawSql(string value) => value;<para></para>
|
public static string RawSql(string value) => value;<para></para>
|
||||||
}<para></para>
|
}<para></para>
|
||||||
}<para></para>
|
}<para></para>
|
||||||
</summary>
|
</summary>
|
||||||
</member>
|
</member>
|
||||||
|
<member name="T:FreeSql.Internal.Model.DynamicFilterCustomAttribute">
|
||||||
|
<summary>
|
||||||
|
授权 DynamicFilter 支持 Custom 自定义解析
|
||||||
|
</summary>
|
||||||
|
</member>
|
||||||
<member name="P:FreeSql.Internal.Model.FetchCallbackArgs`1.IsBreak">
|
<member name="P:FreeSql.Internal.Model.FetchCallbackArgs`1.IsBreak">
|
||||||
<summary>
|
<summary>
|
||||||
是否放弃继续读取
|
是否放弃继续读取
|
||||||
@ -4074,6 +4251,12 @@
|
|||||||
<param name="timeout">超时</param>
|
<param name="timeout">超时</param>
|
||||||
<returns></returns>
|
<returns></returns>
|
||||||
</member>
|
</member>
|
||||||
|
<member name="M:FreeSql.Internal.ObjectPool.IObjectPool`1.GetAsync">
|
||||||
|
<summary>
|
||||||
|
获取资源
|
||||||
|
</summary>
|
||||||
|
<returns></returns>
|
||||||
|
</member>
|
||||||
<member name="M:FreeSql.Internal.ObjectPool.IObjectPool`1.Return(FreeSql.Internal.ObjectPool.Object{`0},System.Boolean)">
|
<member name="M:FreeSql.Internal.ObjectPool.IObjectPool`1.Return(FreeSql.Internal.ObjectPool.Object{`0},System.Boolean)">
|
||||||
<summary>
|
<summary>
|
||||||
使用完毕后,归还资源
|
使用完毕后,归还资源
|
||||||
@ -4144,6 +4327,12 @@
|
|||||||
</summary>
|
</summary>
|
||||||
<param name="obj">资源对象</param>
|
<param name="obj">资源对象</param>
|
||||||
</member>
|
</member>
|
||||||
|
<member name="M:FreeSql.Internal.ObjectPool.IPolicy`1.OnGetAsync(FreeSql.Internal.ObjectPool.Object{`0})">
|
||||||
|
<summary>
|
||||||
|
从对象池获取对象成功的时候触发,通过该方法统计或初始化对象
|
||||||
|
</summary>
|
||||||
|
<param name="obj">资源对象</param>
|
||||||
|
</member>
|
||||||
<member name="M:FreeSql.Internal.ObjectPool.IPolicy`1.OnReturn(FreeSql.Internal.ObjectPool.Object{`0})">
|
<member name="M:FreeSql.Internal.ObjectPool.IPolicy`1.OnReturn(FreeSql.Internal.ObjectPool.Object{`0})">
|
||||||
<summary>
|
<summary>
|
||||||
归还对象给对象池的时候触发
|
归还对象给对象池的时候触发
|
||||||
|
|||||||
@ -553,9 +553,10 @@ namespace FreeSql.Internal.CommonProvider
|
|||||||
if (string.IsNullOrWhiteSpace(fiValueCustomArray[0])) throw new ArgumentException("Custom {静态方法名}不能为空,格式:{静态方法名}{空格}{反射信息}");
|
if (string.IsNullOrWhiteSpace(fiValueCustomArray[0])) throw new ArgumentException("Custom {静态方法名}不能为空,格式:{静态方法名}{空格}{反射信息}");
|
||||||
if (string.IsNullOrWhiteSpace(fiValueCustomArray[1])) throw new ArgumentException("Custom {反射信息}不能为空,格式:{静态方法名}{空格}{反射信息}");
|
if (string.IsNullOrWhiteSpace(fiValueCustomArray[1])) throw new ArgumentException("Custom {反射信息}不能为空,格式:{静态方法名}{空格}{反射信息}");
|
||||||
var fiValue1Type = Type.GetType(fiValueCustomArray[1]);
|
var fiValue1Type = Type.GetType(fiValueCustomArray[1]);
|
||||||
if (fiValue1Type == null) throw new ArgumentException($"Custom 找到对应的{{反射信息}}:{fiValueCustomArray[1]}");
|
if (fiValue1Type == null) throw new ArgumentException($"Custom 找不到对应的{{反射信息}}:{fiValueCustomArray[1]}");
|
||||||
var fiValue0Method = fiValue1Type.GetMethod(fiValueCustomArray[0], new Type[] { typeof(string) });
|
var fiValue0Method = fiValue1Type.GetMethod(fiValueCustomArray[0], new Type[] { typeof(string) });
|
||||||
if (fiValue0Method == null) throw new ArgumentException($"Custom 找到对应的{{静态方法名}}:{fiValueCustomArray[0]}");
|
if (fiValue0Method == null) throw new ArgumentException($"Custom 找不到对应的{{静态方法名}}:{fiValueCustomArray[0]}");
|
||||||
|
if (MethodIsDynamicFilterCustomAttribute(fiValue0Method) == false) throw new ArgumentException($"Custom 对应的{{静态方法名}}:{fiValueCustomArray[0]} 未设置 [DynamicFilterCustomAttribute] 特性");
|
||||||
var fiValue0MethodReturn = fiValue0Method?.Invoke(null, new object[] { fi.Value?.ToString() })?.ToString();
|
var fiValue0MethodReturn = fiValue0Method?.Invoke(null, new object[] { fi.Value?.ToString() })?.ToString();
|
||||||
exp = Expression.Call(typeof(SqlExt).GetMethod("InternalRawSql", BindingFlags.NonPublic | BindingFlags.Static), Expression.Constant(fiValue0MethodReturn, typeof(string)));
|
exp = Expression.Call(typeof(SqlExt).GetMethod("InternalRawSql", BindingFlags.NonPublic | BindingFlags.Static), Expression.Constant(fiValue0MethodReturn, typeof(string)));
|
||||||
break;
|
break;
|
||||||
@ -693,6 +694,21 @@ namespace FreeSql.Internal.CommonProvider
|
|||||||
string.IsNullOrEmpty(testFilter.Value?.ToString());
|
string.IsNullOrEmpty(testFilter.Value?.ToString());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
static ConcurrentDictionary<MethodInfo, bool> _dicMethodIsDynamicFilterCustomAttribute = new ConcurrentDictionary<MethodInfo, bool>();
|
||||||
|
static bool MethodIsDynamicFilterCustomAttribute(MethodInfo method) => _dicMethodIsDynamicFilterCustomAttribute.GetOrAdd(method, m =>
|
||||||
|
{
|
||||||
|
object[] attrs = null;
|
||||||
|
try
|
||||||
|
{
|
||||||
|
attrs = m.GetCustomAttributes(false).ToArray(); //.net core 反射存在版本冲突问题,导致该方法异常
|
||||||
|
}
|
||||||
|
catch { }
|
||||||
|
|
||||||
|
var dyattr = attrs?.Where(a => {
|
||||||
|
return ((a as Attribute)?.TypeId as Type)?.Name == "DynamicFilterCustomAttribute";
|
||||||
|
}).FirstOrDefault();
|
||||||
|
return dyattr != null;
|
||||||
|
});
|
||||||
|
|
||||||
public TSelect DisableGlobalFilter(params string[] name)
|
public TSelect DisableGlobalFilter(params string[] name)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -131,10 +131,17 @@ namespace FreeSql.Internal.Model
|
|||||||
/// {<para></para>
|
/// {<para></para>
|
||||||
/// public class DynamicFilterCustom<para></para>
|
/// public class DynamicFilterCustom<para></para>
|
||||||
/// {<para></para>
|
/// {<para></para>
|
||||||
|
/// [DynamicFilterCustom]<para></para>
|
||||||
/// public static string RawSql(string value) => value;<para></para>
|
/// public static string RawSql(string value) => value;<para></para>
|
||||||
/// }<para></para>
|
/// }<para></para>
|
||||||
/// }<para></para>
|
/// }<para></para>
|
||||||
/// </summary>
|
/// </summary>
|
||||||
Custom
|
Custom
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// 授权 DynamicFilter 支持 Custom 自定义解析
|
||||||
|
/// </summary>
|
||||||
|
[AttributeUsage(AttributeTargets.Method)]
|
||||||
|
public class DynamicFilterCustomAttribute : Attribute { }
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user