feat: for custom query, add whitelist judgment

zhufuyi · zhufuyi · commit fed822c5b7b2 · 2025-05-18T23:23:08.000+08:00
diff --git a/internal/dao/userExample.go b/internal/dao/userExample.go
@@ -175,41 +175,10 @@ func (d *userExampleDao) GetByID(ctx context.Context, id uint64) (*model.UserExa
 	return nil, err
 }
 
-// GetByColumns get paging records by column information,
-// Note: query performance degrades when table rows are very large because of the use of offset.
-//
-// params includes paging parameters and query parameters
-// paging parameters (required):
-//
-//	page: page number, starting from 0
-//	limit: lines per page
-//	sort: sort fields, default is id backwards, you can add - sign before the field to indicate reverse order, no - sign to indicate ascending order, multiple fields separated by comma
-//
-// query parameters (not required):
-//
-//	name: column name
-//	exp: expressions, which default is "=",  support =, !=, >, >=, <, <=, like, in, notin, isnull, isnotnull
-//	value: column value, if exp=in, multiple values are separated by commas
-//	logic: logical type, default value is "and", support &, and, ||, or
-//
-// example: search for a male over 20 years of age
-//
-//	params = &query.Params{
-//	    Page: 0,
-//	    Limit: 20,
-//	    Columns: []query.Column{
-//		{
-//			Name:    "age",
-//			Exp: ">",
-//			Value:   20,
-//		},
-//		{
-//			Name:  "gender",
-//			Value: "male",
-//		},
-//	}
+// GetByColumns get paging records by column information.
+// For more details, please refer to https://go-sponge.com/component/custom-page-query.html
 func (d *userExampleDao) GetByColumns(ctx context.Context, params *query.Params) ([]*model.UserExample, int64, error) {
-	queryStr, args, err := params.ConvertToGormConditions()
+	queryStr, args, err := params.ConvertToGormConditions(query.WithWhitelistNames(model.UserExampleColumnNames))
 	if err != nil {
 		return nil, 0, errors.New("query params error: " + err.Error())
 	}
diff --git a/internal/dao/userExample.go.exp b/internal/dao/userExample.go.exp
@@ -181,41 +181,10 @@ func (d *userExampleDao) GetByID(ctx context.Context, id uint64) (*model.UserExa
 	return nil, err
 }
 
-// GetByColumns get paging records by column information,
-// Note: query performance degrades when table rows are very large because of the use of offset.
-//
-// params includes paging parameters and query parameters
-// paging parameters (required):
-//
-//	page: page number, starting from 0
-//	limit: lines per page
-//	sort: sort fields, default is id backwards, you can add - sign before the field to indicate reverse order, no - sign to indicate ascending order, multiple fields separated by comma
-//
-// query parameters (not required):
-//
-//	name: column name
-//	exp: expressions, which default is "=",  support =, !=, >, >=, <, <=, like, in, notin, isnull, isnotnull
-//	value: column value, if exp=in, multiple values are separated by commas
-//	logic: logical type, default value is "and", support &, and, ||, or
-//
-// example: search for a male over 20 years of age
-//
-//	params = &query.Params{
-//	    Page: 0,
-//	    Limit: 20,
-//	    Columns: []query.Column{
-//		{
-//			Name:    "age",
-//			Exp: ">",
-//			Value:   20,
-//		},
-//		{
-//			Name:  "gender",
-//			Value: "male",
-//		},
-//	}
+// GetByColumns get paging records by column information.
+// For more details, please refer to https://go-sponge.com/component/custom-page-query.html
 func (d *userExampleDao) GetByColumns(ctx context.Context, params *query.Params) ([]*model.UserExample, int64, error) {
-	queryStr, args, err := params.ConvertToGormConditions()
+	queryStr, args, err := params.ConvertToGormConditions(query.WithWhitelistNames(model.UserExampleColumnNames))
 	if err != nil {
 		return nil, 0, errors.New("query params error: " + err.Error())
 	}
@@ -256,29 +225,10 @@ func (d *userExampleDao) DeleteByIDs(ctx context.Context, ids []uint64) error {
 	return nil
 }
 
-// GetByCondition get a record by condition
-// query conditions:
-//
-//	name: column name
-//	exp: expressions, which default is "=",  support =, !=, >, >=, <, <=, like, in, notin, isnull, isnotnull
-//	value: column value, if exp=in, multiple values are separated by commas
-//	logic: logical type, default value is "and", support &, and, ||, or
-//
-// example: find a male aged 20
-//
-//	condition = &query.Conditions{
-//	    Columns: []query.Column{
-//		{
-//			Name:    "age",
-//			Value:   20,
-//		},
-//		{
-//			Name:  "gender",
-//			Value: "male",
-//		},
-//	}
+// GetByCondition get a record by condition.
+// For more details, please refer to https://go-sponge.com/component/custom-page-query.html#_2-condition-parameters-optional
 func (d *userExampleDao) GetByCondition(ctx context.Context, c *query.Conditions) (*model.UserExample, error) {
-	queryStr, args, err := c.ConvertToGorm()
+	queryStr, args, err := c.ConvertToGorm(query.WithWhitelistNames(model.UserExampleColumnNames))
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/dao/userExample.go.exp.tpl b/internal/dao/userExample.go.exp.tpl
@@ -187,44 +187,13 @@ func (d *{{.TableNameCamelFCL}}Dao) GetBy{{.ColumnNameCamel}}(ctx context.Contex
 	return nil, err
 }
 
-// GetByColumns get paging records by column information,
-// Note: query performance degrades when table rows are very large because of the use of offset.
-//
-// params includes paging parameters and query parameters
-// paging parameters (required):
-//
-//	page: page number, starting from 0
-//	limit: lines per page
-//	sort: sort fields, default is {{.ColumnNameCamelFCL}} backwards, you can add - sign before the field to indicate reverse order, no - sign to indicate ascending order, multiple fields separated by comma
-//
-// query parameters (not required):
-//
-//	name: column name
-//	exp: expressions, which default is "=",  support =, !=, >, >=, <, <=, like, in, notin, isnull, isnotnull
-//	value: column value, if exp=in, multiple values are separated by commas
-//	logic: logical type, default value is "and", support &, and, ||, or
-//
-// example: search for a male over 20 years of age
-//
-//	params = &query.Params{
-//	    Page: 0,
-//	    Limit: 20,
-//	    Columns: []query.Column{
-//		{
-//			Name:    "age",
-//			Exp: ">",
-//			Value:   20,
-//		},
-//		{
-//			Name:  "gender",
-//			Value: "male",
-//		},
-//	}
+// GetByColumns get paging records by column information.
+// For more details, please refer to https://go-sponge.com/component/custom-page-query.html
 func (d *{{.TableNameCamelFCL}}Dao) GetByColumns(ctx context.Context, params *query.Params) ([]*model.{{.TableNameCamel}}, int64, error) {
 	if params.Sort == "" {
 		params.Sort = "-{{.ColumnName}}"
 	}
-	queryStr, args, err := params.ConvertToGormConditions()
+	queryStr, args, err := params.ConvertToGormConditions(query.WithWhitelistNames(model.{{.TableNameCamel}}ColumnNames))
 	if err != nil {
 		return nil, 0, errors.New("query params error: " + err.Error())
 	}
@@ -266,28 +235,9 @@ func (d *{{.TableNameCamelFCL}}Dao) DeleteBy{{.ColumnNamePluralCamel}}(ctx conte
 }
 
 // GetByCondition get a record by condition
-// query conditions:
-//
-//	name: column name
-//	exp: expressions, which default is "=",  support =, !=, >, >=, <, <=, like, in, notin, isnull, isnotnull
-//	value: column value, if exp=in, multiple values are separated by commas
-//	logic: logical type, default value is "and", support &, and, ||, or
-//
-// example: find a male aged 20
-//
-//	condition = &query.Conditions{
-//	    Columns: []query.Column{
-//		{
-//			Name:    "age",
-//			Value:   20,
-//		},
-//		{
-//			Name:  "gender",
-//			Value: "male",
-//		},
-//	}
+// For more details, please refer to https://go-sponge.com/component/custom-page-query.html#_2-condition-parameters-optional
 func (d *{{.TableNameCamelFCL}}Dao) GetByCondition(ctx context.Context, c *query.Conditions) (*model.{{.TableNameCamel}}, error) {
-	queryStr, args, err := c.ConvertToGorm()
+	queryStr, args, err := c.ConvertToGorm(query.WithWhitelistNames(model.{{.TableNameCamel}}ColumnNames))
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/dao/userExample.go.mgo b/internal/dao/userExample.go.mgo
@@ -225,9 +225,13 @@ func (d *userExampleDao) GetByID(ctx context.Context, id string) (*model.UserExa
 //			Name:  "gender",
 //			Value: "male",
 //		},
+//		{
+//			Name:  "post_id:oid",   // suffix :oid is required for objectId type
+//			Value: "65ce48483f11aff697e30d6d",
+//		},
 //	}
 func (d *userExampleDao) GetByColumns(ctx context.Context, params *query.Params) ([]*model.UserExample, int64, error) {
-	filter, err := params.ConvertToMongoFilter()
+	filter, err := params.ConvertToMongoFilter(query.WithWhitelistNames(model.UserExampleColumnNames))
 	if err != nil {
 		return nil, 0, errors.New("query params error: " + err.Error())
 	}
diff --git a/internal/dao/userExample.go.mgo.exp b/internal/dao/userExample.go.mgo.exp
@@ -230,9 +230,13 @@ func (d *userExampleDao) GetByID(ctx context.Context, id string) (*model.UserExa
 //			Name:  "gender",
 //			Value: "male",
 //		},
+//		{
+//			Name:  "post_id:oid",   // suffix :oid is required for objectId type
+//			Value: "65ce48483f11aff697e30d6d",
+//		},
 //	}
 func (d *userExampleDao) GetByColumns(ctx context.Context, params *query.Params) ([]*model.UserExample, int64, error) {
-	filter, err := params.ConvertToMongoFilter()
+	filter, err := params.ConvertToMongoFilter(query.WithWhitelistNames(model.UserExampleColumnNames))
 	if err != nil {
 		return nil, 0, errors.New("query params error: " + err.Error())
 	}
@@ -297,12 +301,12 @@ func (d *userExampleDao) DeleteByIDs(ctx context.Context, ids []string) error {
 //			Value: "James",
 //		},
 //		{
-//			Name:  "post_id:oid",
+//			Name:  "post_id:oid",   // suffix :oid is required for objectId type
 //			Value: "65ce48483f11aff697e30d6d",
 //		},
 //	}
 func (d *userExampleDao) GetByCondition(ctx context.Context, c *query.Conditions) (*model.UserExample, error) {
-	filter, err := c.ConvertToMongo()
+	filter, err := c.ConvertToMongo(query.WithWhitelistNames(model.UserExampleColumnNames))
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/dao/userExample.go.tpl b/internal/dao/userExample.go.tpl
@@ -181,44 +181,13 @@ func (d *{{.TableNameCamelFCL}}Dao) GetBy{{.ColumnNameCamel}}(ctx context.Contex
 	return nil, err
 }
 
-// GetByColumns get paging records by column information,
-// Note: query performance degrades when table rows are very large because of the use of offset.
-//
-// params includes paging parameters and query parameters
-// paging parameters (required):
-//
-//	page: page number, starting from 0
-//	limit: lines per page
-//	sort: sort fields, default is {{.ColumnNameCamelFCL}} backwards, you can add - sign before the field to indicate reverse order, no - sign to indicate ascending order, multiple fields separated by comma
-//
-// query parameters (not required):
-//
-//	name: column name
-//	exp: expressions, which default is "=",  support =, !=, >, >=, <, <=, like, in, notin, isnull, isnotnull
-//	value: column value, if exp=in, multiple values are separated by commas
-//	logic: logical type, default value is "and", support &, and, ||, or
-//
-// example: search for a male over 20 years of age
-//
-//	params = &query.Params{
-//	    Page: 0,
-//	    Limit: 20,
-//	    Columns: []query.Column{
-//		{
-//			Name:    "age",
-//			Exp: ">",
-//			Value:   20,
-//		},
-//		{
-//			Name:  "gender",
-//			Value: "male",
-//		},
-//	}
+// GetByColumns get paging records by column information.
+// For more details, please refer to https://go-sponge.com/component/custom-page-query.html
 func (d *{{.TableNameCamelFCL}}Dao) GetByColumns(ctx context.Context, params *query.Params) ([]*model.{{.TableNameCamel}}, int64, error) {
 	if params.Sort == "" {
 		params.Sort = "-{{.ColumnName}}"
 	}
-	queryStr, args, err := params.ConvertToGormConditions()
+	queryStr, args, err := params.ConvertToGormConditions(query.WithWhitelistNames(model.{{.TableNameCamel}}ColumnNames))
 	if err != nil {
 		return nil, 0, errors.New("query params error: " + err.Error())
 	}
diff --git a/internal/model/userExample.go b/internal/model/userExample.go
@@ -27,4 +27,21 @@ func (table *UserExample) TableName() string {
 	return "user_example"
 }
 
+// UserExampleColumnNames Whitelist for custom query fields to prevent sql injection attacks
+var UserExampleColumnNames = map[string]bool{
+	"id":         true,
+	"created_at": true,
+	"updated_at": true,
+	"deleted_at": true,
+	"name":       true,
+	"password":   true,
+	"email":      true,
+	"phone":      true,
+	"avatar":     true,
+	"age":        true,
+	"gender":     true,
+	"status":     true,
+	"login_at":   true,
+}
+
 // delete the templates code end
diff --git a/pkg/gin/middleware/auth/auth.go b/pkg/gin/middleware/auth/auth.go
@@ -35,7 +35,7 @@ type initAuthOptions struct {
 	signingMethod *SigningMethodHMAC
 }
 
-func defaultInirAuthOptions() *initAuthOptions {
+func defaultInitAuthOptions() *initAuthOptions {
 	return &initAuthOptions{
 		signingMethod: HS256,
 	}
@@ -66,7 +66,7 @@ func WithInitAuthIssuer(issuer string) InitAuthOption {
 
 // InitAuth initializes jwt options.
 func InitAuth(signingKey []byte, expire time.Duration, opts ...InitAuthOption) {
-	o := defaultInirAuthOptions()
+	o := defaultInitAuthOptions()
 	o.apply(opts...)
 
 	customSigningKey = signingKey
diff --git a/pkg/mgo/query/query_condition.go b/pkg/mgo/query/query_condition.go
diff --git a/pkg/mgo/query/query_condition_test.go b/pkg/mgo/query/query_condition_test.go
diff --git a/pkg/sgorm/query/query_condition.go b/pkg/sgorm/query/query_condition.go
diff --git a/pkg/sgorm/query/query_condition_test.go b/pkg/sgorm/query/query_condition_test.go

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ type initAuthOptions struct {`
`35`	`35`	`signingMethod *SigningMethodHMAC`
`36`	`36`	`}`
`37`	`37`
`38`		`-func defaultInirAuthOptions() *initAuthOptions {`
	`38`	`+func defaultInitAuthOptions() *initAuthOptions {`
`39`	`39`	`return &initAuthOptions{`
`40`	`40`	`signingMethod: HS256,`
`41`	`41`	`}`
`@@ -66,7 +66,7 @@ func WithInitAuthIssuer(issuer string) InitAuthOption {`
`66`	`66`
`67`	`67`	`// InitAuth initializes jwt options.`
`68`	`68`	`func InitAuth(signingKey []byte, expire time.Duration, opts ...InitAuthOption) {`
`69`		`- o := defaultInirAuthOptions()`
	`69`	`+ o := defaultInitAuthOptions()`
`70`	`70`	`o.apply(opts...)`
`71`	`71`
`72`	`72`	`customSigningKey = signingKey`