
fix:修复 SettleAccountBill.SettleAccountBillList sql注入漏洞

liuyaqi 2 лет назад
Родитель
Сommit
02c8be300d
2 измененных файлов с 16 добавлено и 13 удалено
  1. 4 0
      makefile
  2. 12 13
      service/settle_account_bill/settle_account_bill.go

+ 4 - 0
makefile

@@ -0,0 +1,4 @@
+
+testlog:
+	ssh dashoo-test "cd /home/workservices/lims_latest/ && docker-compose logs --follow --tail=200 lims_latest_adapter"
+	# ssh root@192.168.0.219 "cd /home/workservices/labsop/apparatus && tail -n 300 -f log/log.log"
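Review bot: The commented line `# ssh root@192.168.0.219 "cd /home/workservices/labsop/apparatus && tail -n 300 -f log/log.log"` records an internal host address and a root login path in the repository for no runtime purpose; dead configuration like this should be deleted rather than kept as a comment. The live host in the `testlog` recipe could also be a variable, e.g. `TEST_HOST ?= dashoo-test` with `ssh $(TEST_HOST) ...`, so the environment is not hard-coded into the build file. `testlog` produces no file, so declare it `.PHONY: testlog` to keep make from skipping it if a file of that name ever appears.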

+ 12 - 13
service/settle_account_bill/settle_account_bill.go

@@ -27,9 +27,7 @@ func NewService(tenant string) Service {
 
 // List 会议室列表
 func (s Service) List(req model.ListReq, user request.UserInfo) ([]accountModel.BillInfo, int, error) {
-	entityModel := s.Dao.M
-	where := "1=1"
-
+	m := s.Dao.M
 	if req.Entity != nil {
 		entity := new(accountModel.SettleAccountBillReq)
 		err := gconv.Struct(req.Entity, entity)
@@ -37,32 +35,33 @@ func (s Service) List(req model.ListReq, user request.UserInfo) ([]accountModel.
 			return nil, 0, err
 		}
 		if entity.MainUserId != 0 {
-			where += fmt.Sprintf(" AND settle_account_bill.MainUserId='%v'", entity.MainUserId)
+			m = m.Where("settle_account_bill.MainUserId = ?", entity.MainUserId)
 		}
 		if entity.Status != "" {
-			where += fmt.Sprintf(" AND settle_account_bill.Status='%v'", entity.Status)
+			m = m.Where("settle_account_bill.Status = ?", entity.Status)
 		}
 		if entity.SettleDate != "" {
 			timelist := strings.Split(entity.SettleDate, ",")
 			if len(timelist) == 2 {
-				where += fmt.Sprintf(" AND settle_account_bill.SettleDate>='%v' AND settle_account_bill.SettleDate<='%v'", timelist[0], timelist[1])
+				m = m.Where("settle_account_bill.SettleDate >= ? and settle_account_bill.SettleDate <= ?", timelist[0], timelist[1])
 			}
 		}
 		if entity.SettleUser != "" {
-			where += fmt.Sprintf(" AND settle_account_bill.SettleUser LIKE '%%%v%%'", entity.SettleUser)
+			likestr := fmt.Sprintf("%%%s%%", entity.SettleUser)
+			m = m.Where("settle_account_bill.SettleUser LIKE ?", likestr)
 		}
 		if entity.MainUser != "" {
-			where += fmt.Sprintf(" AND settle_account_bill.MainUser LIKE '%%%v%%'", entity.MainUser)
+			likestr := fmt.Sprintf("%%%s%%", entity.MainUser)
+			m = m.Where("settle_account_bill.MainUser LIKE ?", likestr)
 		}
 		if entity.StartDate != "" && entity.EndDate != "" {
-			where += fmt.Sprintf(" AND settle_account_bill.StartDate>='%v' AND settle_account_bill.EndDate<='%v'", entity.StartDate, entity.EndDate)
+			m = m.Where("settle_account_bill.StartDate >= ? and settle_account_bill.EndDate <= ?", entity.StartDate, entity.EndDate)
 		}
 		if entity.IsSelf != "1" { // 1 查看全部;其他 查看自己
-			where += fmt.Sprintf(" AND settle_account_bill.MainUserId='%v'", user.Id)
+			m = m.Where("settle_account_bill.MainUserId = ?", user.Id)
 		}
 	}
-	entityModel = entityModel.Where(where)
-	total, err := entityModel.Count()
+	total, err := m.Count()
 	if err != nil {
 		return nil, 0, err
 	}
@@ -70,7 +69,7 @@ func (s Service) List(req model.ListReq, user request.UserInfo) ([]accountModel.
 		return nil, 0, nil
 	}
 
-	res, err := entityModel.InnerJoin("settle_account_main", "settle_account_bill.Id=settle_account_main.BillId").Group("settle_account_bill.Id").Page(req.Current, req.Size).Order("settle_account_bill.Id DESC").Fields("settle_account_bill.*, SUM(settle_account_main.TotalPrice) TotalAmount").FindAll()
+	res, err := m.InnerJoin("settle_account_main", "settle_account_bill.Id=settle_account_main.BillId").Group("settle_account_bill.Id").Page(req.Current, req.Size).Order("settle_account_bill.Id DESC").Fields("settle_account_bill.*, SUM(settle_account_main.TotalPrice) TotalAmount").FindAll()
 	if err != nil {
 		return nil, 0, err
 	}
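Review bot: In the second hunk the per-user restriction `m = m.Where("settle_account_bill.MainUserId = ?", user.Id)` sits inside `if req.Entity != nil`, so a request whose Entity is nil receives no ownership filter and `m.Count()` / `FindAll()` run over every row; the parameterisation fixes the injection but leaves this pre-existing gap untouched. Unless a permission check elsewhere gates IsSelf (not visible here), compute the view-all flag inside the nil block and apply the default restriction unconditionally after it, as below. The `len(timelist) == 2` branch still drops a malformed SettleDate silently and returns an unfiltered list where returning an error would be safer, and the two LIKE patterns pass `%`/`_` from user input through unescaped, which only widens the match now that the value is bound. The header comment `// List 会议室列表` describes a meeting-room list and should name the settle-account bill list instead. List continues past the section's last hunk.
```go
	m := s.Dao.M
	viewAll := false
	if req.Entity != nil {
		// … unchanged: entity decode and field filters …
		viewAll = entity.IsSelf == "1" // 1 查看全部;其他 查看自己
	}
	// Default to the caller's own bills unless view-all was explicitly requested.
	if !viewAll {
		m = m.Where("settle_account_bill.MainUserId = ?", user.Id)
	}
	total, err := m.Count()
```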