
Commit f914272

committed
Server:彻底解决普通对象包装表对象绕过Structure校验 key:{ Table: {}}
1 parent b403647 commit f914272


1 file changed

+52
-50
lines changed

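--- a/APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/zuo/biao/apijson/server/Structure.java
+++ b/APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/zuo/biao/apijson/server/Structure.java
@@ -123,10 +123,10 @@ public static void test() throws Exception {
 
 }
 
-
-
-
-
+
+
+
+
 
 /**从request提取target指定的内容
  * @param method
@@ -160,35 +160,35 @@ public JSONObject onParseJSONObject(String key, JSONObject tobj, JSONObject robj
 // Log.i(TAG, "parseRequest.parse.onParseJSONObject key = " + key + "; robj = " + robj);
 if (robj == null) {
 if (tobj != null) {//不允许不传Target中指定的Table
-throw new IllegalArgumentException(method.name() + "请求,请设置 " + key + " !");
+throw new IllegalArgumentException(method.name() + "请求,请在 " + name + " 内传 " + key + ":{} !");
 }
 } else if (zuo.biao.apijson.JSONObject.isTableKey(key)) {
 if (method == RequestMethod.POST) {
 if (robj.containsKey(KEY_ID)) {
-throw new IllegalArgumentException("POST请求, " + key + " 不能设置 " + KEY_ID + " !");
+throw new IllegalArgumentException("POST请求," + name + "/" + key + " 不能传 " + KEY_ID + " !");
 }
 } else {
 if (RequestMethod.isQueryMethod(method) == false) {
 //单个修改或删除
 Object id = robj.get(KEY_ID); //如果必须传 id ,可在Request表中配置necessary
 if (id != null) {
 if (id instanceof Number == false) {
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面的 " + KEY_ID_IN + ":value 中value的类型只能是Long!");
 }
 } else {
 //批量修改或删除
 Object arr = robj.get(KEY_ID_IN); //如果必须传 id{} ,可在Request表中配置necessary
 if (arr == null) {
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面 " + KEY_ID + " 和 " + KEY_ID_IN + " 必须传其中一个!");
 }
 if (arr instanceof JSONArray == false) {
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面的 " + KEY_ID_IN + ":value 中value的类型只能是 [Long] !");
 }
 if (((JSONArray)arr).size() > 10) { //不允许一次操作10条以上记录
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面的 " + KEY_ID_IN + ":[] 中[]的长度不能超过10!");
 }
 }
@@ -265,8 +265,6 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 //获取配置>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 
 
-Set<String> tableKeySet = new HashSet<String>();
-
 
 //移除字段<<<<<<<<<<<<<<<<<<<
 String[] removes = StringUtil.split(remove);
@@ -283,42 +281,17 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 for (String s : necessaryList) {
 if (real.get(s) == null) {//可能传null进来,这里还会通过 real.containsKey(s) == false) {
 throw new IllegalArgumentException(name
-+ "不能缺少 " + s + " 等[" + necessary + "]内的任何字段!");
++ " 里面不能缺少 " + s + " 等[" + necessary + "]内的任何字段!");
 }
 }
 //判断必要字段是否都有>>>>>>>>>>>>>>>>>>>
 
 
-Set<String> rkset = real.keySet();
-
-//判断是否都有不允许的字段<<<<<<<<<<<<<<<<<<<
-List<String> disallowList = new ArrayList<String>();
-if ("!".equals(disallow)) {//所有非necessary,改成 !necessary 更好
-if (rkset != null) {
-for (String key : rkset) {//对@key放行,@role,@column,自定义@position等
-if (key != null && key.startsWith("@") == false && necessaryList.contains(key) == false) {
-disallowList.add(key);
-}
-}
-}
-} else {
-String[] disallows = StringUtil.split(disallow);
-if (disallows != null && disallows.length > 0) {
-disallowList.addAll(Arrays.asList(disallows));
-}
-}
-for (String s : disallowList) {
-if (real.containsKey(s)) {
-throw new IllegalArgumentException(name
-+ "不允许传 " + s + " 等" + StringUtil.getString(disallowList) + "内的任何字段!");
-}
-}
-//判断是否都有不允许的字段>>>>>>>>>>>>>>>>>>>
-
+Set<String> objKeySet = new HashSet<String>(); //不能用tableKeySet,仅判断 Table:{} 会导致 key:{ Table:{} } 绕过判断
 
+//解析内容<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 
 Set<Entry<String, Object>> set = new LinkedHashSet<>(target.entrySet());
-zuo.biao.apijson.server.Entry<String, String> pair;
 if (set.isEmpty() == false) {
 
 String key;
@@ -338,10 +311,7 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 if (tvalue instanceof JSONObject) {//JSONObject,往下一级提取
 tvalue = callback.onParseJSONObject(key, (JSONObject) tvalue, (JSONObject) rvalue);
 
-pair = Pair.parseEntry(key, true);
-if (pair != null && zuo.biao.apijson.JSONObject.isTableKey(pair.getKey())) {
-tableKeySet.add(key);
-}
+objKeySet.add(key);
 } else if (tvalue instanceof JSONArray) {//JSONArray
 tvalue = callback.onParseJSONArray(key, (JSONArray) tvalue, (JSONArray) rvalue);
 } else {//其它Object
@@ -355,17 +325,49 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 
 }
 
+//解析内容>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 
 
-//不允许操作未指定Table<<<<<<<<<<<<<<<<<<<<<<<<<
+
+Set<String> rkset = real.keySet(); //解析内容并没有改变rkset
+
+//解析不允许的字段<<<<<<<<<<<<<<<<<<<
+List<String> disallowList = new ArrayList<String>();
+if ("!".equals(disallow)) {//所有非necessary,改成 !necessary 更好
+for (String key : rkset) {//对@key放行,@role,@column,自定义@position等
+if (key != null && key.startsWith("@") == false
+&& necessaryList.contains(key) == false && objKeySet.contains(key) == false) {
+disallowList.add(key);
+}
+}
+} else {
+String[] disallows = StringUtil.split(disallow);
+if (disallows != null && disallows.length > 0) {
+disallowList.addAll(Arrays.asList(disallows));
+}
+}
+//解析不允许的字段>>>>>>>>>>>>>>>>>>>
+
+
+//判断不允许传的key<<<<<<<<<<<<<<<<<<<<<<<<<
 for (String rk : rkset) {
-pair = Pair.parseEntry(rk, true);//非GET类操作不允许Table:alias别名
-if (pair != null && zuo.biao.apijson.JSONObject.isTableKey(pair.getKey())
-&& tableKeySet.contains(rk) == false) {
-throw new UnsupportedOperationException("不允许操作 " + rk + " !");
+if (disallowList.contains(rk)) { //不允许的字段
+throw new IllegalArgumentException(name
++ " 里面不允许传 " + rk + " 等" + StringUtil.getString(disallowList) + "内的任何字段!");
+}
+
+if (rk == null) { //无效的key
+real.remove(rk);
+continue;
+}
+
+//不在target内的 key:{}
+if (rk.startsWith("@") == false && objKeySet.contains(rk) == false && real.get(rk) instanceof JSONObject) {
+throw new UnsupportedOperationException(name + " 里面不允许传 " + rk + ":{} !");
 }
 }
-//不允许操作未指定Table>>>>>>>>>>>>>>>>>>>>>>>>>
+//判断不允许传的key>>>>>>>>>>>>>>>>>>>>>>>>>
+
 
 
 //校验与修改Request<<<<<<<<<<<<<<<<<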
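Review bot: In the last hunk, `real.remove(rk)` under the `if (rk == null)` branch executes inside `for (String rk : rkset)`, and `rkset` is the live `real.keySet()` view taken a few lines earlier, so if `real` is backed by a standard HashMap/LinkedHashMap the next iteration step can throw ConcurrentModificationException instead of continuing the scan, turning a malformed request into an unexpected exception type rather than the validation errors this loop exists to raise. Iterating explicitly keeps the removal safe: `for (Iterator<String> it = rkset.iterator(); it.hasNext(); ) {`, `String rk = it.next();`, and `it.remove();` in place of `real.remove(rk);` (java.util.Iterator must be imported if it is not already). Separately, the new wrapped-object guard rejects only an unexpected key whose value is a JSONObject; an unexpected key holding a JSONArray is not rejected by this check, so whether arrays carrying Table:{} objects are caught elsewhere should be confirmed before treating the bypass as fully closed. The enclosing parse method begins before this hunk and continues after it.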
