
修复登录接口SQL注入高危漏洞; 通知通告接口参数暴露问题

baichengfei 5 years ago
parent
commit
92697b68c8

+ 11 - 3
src/dashoo.cn/backend/api/controllers/document/document.go

@@ -13,6 +13,11 @@ type DocumentController struct {
 	BaseController
 }
 
+type NoticeDocument struct {
+	ColName   string `json:"colName"`
+	RangeType string `json:"RangeType"`
+}
+
 // @Title 获取文档管理列表  DocumentInfo
 // @Description get user by token
 // @Success 200 {object} models.Userblood
@@ -72,10 +77,13 @@ func (this *DocumentController) GetDocumentNameAndTime() {
 // @Title 获取文件名和创建时间首页
 // @Description get Name,CreateOn
 // @Success 200 {object} models.Userblood
-// @router /getdocumentnameandtimelogin [get]
+// @router /getdocumentnameandtimelogin [post]
 func (this *DocumentController) GetDocumentNameAndTimeLogin() {
-	colName := this.GetString("colName")
-	rangeType := this.GetString("RangeType")
+	var noticeDocument NoticeDocument
+	var jsonBlob = this.Ctx.Input.RequestBody
+	json.Unmarshal(jsonBlob, &noticeDocument)
+	colName := noticeDocument.ColName
+	rangeType := noticeDocument.RangeType
 
 	svc := documentmanage.GetDocumentmanageService(utils.DBE)
 	var list []documentmanage.DocumentNameTimeInfo
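Review bot: The error returned by the new `json.Unmarshal(jsonBlob, &noticeDocument)` line is discarded, so a malformed or empty request body silently leaves `colName` and `rangeType` as empty strings and the handler carries on into the query with them. Check it and stop the request: `if err := json.Unmarshal(jsonBlob, &noticeDocument); err != nil { this.Abort("400") }`, using whichever abort code this controller family already uses for bad input. The hunk does not show the import block, so confirm `encoding/json` is imported in this file. Moving the route from GET to POST takes the two fields out of the URL, but they are still client-controlled input; the code that turns `colName`/`rangeType` into a query lives outside this hunk and should validate them against the known column names and range values rather than trust the body. GetDocumentNameAndTimeLogin's body continues past the hunk.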

+ 10 - 9
src/dashoo.cn/backend/api/controllers/token.go

@@ -47,12 +47,12 @@ func (this *TokenController) Post() {
 		this.ServeJSON()
 	} else {
 		if svc.VerifyUser3DES(user4CreateToken.Username, user4CreateToken.Password, &user) {
-			if user4CreateToken.Username!="yanshi"{
-				sql := " UserName='" + user4CreateToken.Username + "'"
+			if user4CreateToken.Username != "yanshi" {
+				//sql := " UserName='" + user4CreateToken.Username + "'"
 				var baseUser userRole.Base_User
-				svc.GetEntity(&baseUser,sql)
-				res:=utils.RBAC.GetRolesForUserInDomain("uid_"+strconv.Itoa(baseUser.Id),utils.DOMAIN)
-				if len(res)<=0{
+				svc.DBE.Table("Base_User").Where("UserName=?", user4CreateToken.Username).Get(&baseUser)
+				res := utils.RBAC.GetRolesForUserInDomain("uid_"+strconv.Itoa(baseUser.Id), utils.DOMAIN)
+				if len(res) <= 0 {
 					this.Abort("777")
 				}
 			}
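Review bot: The `Get(&baseUser)` call on the new `svc.DBE.Table("Base_User")...` line discards both return values, so a query error or a missing row leaves `baseUser.Id` at its zero value and the role lookup then runs for `"uid_0"` rather than the authenticated user; the `Get(&registerUser)` call in the next hunk (@@ -71,11 +71,12 @@) has the same gap, where a failed query is indistinguishable from "no such user" and falls through to `Abort("401")`. If `DBE` is an xorm engine, `Get` returns `(bool, error)`; handle both, e.g. `has, err := svc.DBE.Table("Base_User").Where("UserName=?", user4CreateToken.Username).Get(&baseUser)` followed by `if err != nil || !has { this.Abort("777") }`. The parameterised `Where("UserName=?", ...)` does remove the string-concatenated SQL, but the old statement survives as a commented-out line in both hunks; delete it rather than keeping a copy of the vulnerable query in the source. The enclosing `Post` method starts before this hunk and ends after the second one.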
@@ -71,11 +71,12 @@ func (this *TokenController) Post() {
 			this.ServeJSON()
 		} else {
 			var registerUser register.OilCorporateInfo
-			sql := " BINARY UserName='" + user4CreateToken.Username + "' and BINARY UserPass='"+user4CreateToken.Password+"'"
-			svc.GetEntity(&registerUser,sql)
-			if registerUser.UserName!=""{
+			//sql := " BINARY UserName='" + user4CreateToken.Username + "' and BINARY UserPass='"+user4CreateToken.Password+"'"
+			svc.DBE.Table("OilCorporateInfo").Where("BINARY UserName=?", user4CreateToken.Username).
+				Where("BINARY UserPass=?", user4CreateToken.Password).Get(&registerUser)
+			if registerUser.UserName != "" {
 				this.Abort("777")
-			}else {
+			} else {
 				this.Abort("401")
 			}
 		}

+ 9 - 0
src/dashoo.cn/frontend_web/src/api/oilsupplier/document.js

@@ -0,0 +1,9 @@
+export default {
+  getNoticeDocument (params, myAxios) {
+    return myAxios({
+      url: '/document/getdocumentnameandtimelogin',
+      method: 'post',
+      data: params
+    })
+  }
+}

+ 13 - 18
src/dashoo.cn/frontend_web/src/pages/login.vue

@@ -133,6 +133,7 @@ import Vue from 'vue'
 import Component from 'class-component'
 import Sticky from '@/components/Sticky'
 import api from '@/api/rtxservice/rtx'
+import documentApi from '@/api/oilsupplier/document'
 import SIdentify from '@/components/VCode.vue'
 // import {mapGetters} from 'vuex'
 @Component({
@@ -263,35 +264,29 @@ import SIdentify from '@/components/VCode.vue'
     initNoticeListData () {
       let _this = this
       // 传递列名
-      const params = {
+      let params = {
         colName: 'NoticeTab',
         RangeType: '1,3'
       }
-      _this.$axios
-        .get('/document/getdocumentnameandtimelogin', { params })
-        .then(function (response) {
-          _this.noticeList = response.data
-        })
-        .catch(function (error) {
-          console.log(error)
-        })
+      documentApi.getNoticeDocument(params, this.$axios).then(res => {
+        _this.noticeList = res.data
+      }).catch(err => {
+        console.error(err)
+      })
     },
     // 获取文件列表
     initFileListData () {
       let _this = this
       // 传递列名
-      const params = {
+      let params = {
         colName: 'DocTab',
         RangeType: '1,3'
       }
-      _this.$axios
-        .get('/document/getdocumentnameandtimelogin', { params })
-        .then(function (response) {
-          _this.fileList = response.data
-        })
-        .catch(function (error) {
-          console.log(error)
-        })
+      documentApi.getNoticeDocument(params, this.$axios).then(res => {
+        _this.fileList = res.data
+      }).catch(err => {
+        console.error(err)
+      })
     },
     // 下载文件
     DownloadFile (row) {
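Review bot: `const params` was changed to `let params` in both `initNoticeListData` and `initFileListData`, yet `params` is never reassigned in either method, so `const` was correct and should be restored: `const params = {`. After this change the two methods are identical except for the field they assign (`noticeList` vs `fileList`), so the new `documentApi.getNoticeDocument(params, this.$axios)` chains could be collapsed into one helper that takes the `colName` and the target property. Using `this.$axios` and the captured `_this` inside the same arrow-function chain is also inconsistent; arrow functions keep `this`, so `_this` can be dropped or used throughout. Both methods are fully contained in the hunk.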