联讯物业系统后台
blame | 历史 | 原始文档
wuxw
2021-09-14 068a077a6fef29249f7f4b3d768d5dd33beb14ae 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

package com.java110.oa.cmd.oaWorkflow;


 


import com.alibaba.fastjson.JSONObject;


import com.java110.core.annotation.Java110Cmd;


import com.java110.core.annotation.Java110Transactional;


import com.java110.core.context.ICmdDataFlowContext;


import com.java110.core.event.cmd.AbstractServiceCmdListener;


import com.java110.core.event.cmd.CmdEvent;


import com.java110.dto.oaWorkflow.OaWorkflowDto;


import com.java110.dto.oaWorkflowForm.OaWorkflowFormDto;


import com.java110.intf.oa.IOaWorkflowFormInnerServiceSMO;


import com.java110.intf.oa.IOaWorkflowInnerServiceSMO;


import com.java110.oa.bmo.oaWorkflowForm.IGetOaWorkflowFormBMO;


import com.java110.utils.exception.CmdException;


import com.java110.utils.util.Assert;


import com.java110.utils.util.StringUtil;


import com.java110.vo.ResultVo;


import org.springframework.beans.factory.annotation.Autowired;


 


import java.util.ArrayList;


import java.util.List;


import java.util.Map;


import java.util.regex.Matcher;


import java.util.regex.Pattern;


 


/**


 * 修改表单数据


 */


@Java110Cmd(serviceCode = "oaWorkflow.updateOaWorkflowFormData")


public class UpdateOaWorkflowFormData extends AbstractServiceCmdListener {


 


    @Autowired


    private IOaWorkflowFormInnerServiceSMO oaWorkflowFormInnerServiceSMOImpl;


 


    @Autowired


    private IOaWorkflowInnerServiceSMO oaWorkflowInnerServiceSMOImpl;


 


    @Autowired


    private IGetOaWorkflowFormBMO getOaWorkflowFormBMOImpl;


 


    @Override


    public void validate(CmdEvent event, ICmdDataFlowContext cmdDataFlowContext, JSONObject reqJson) {


        Assert.hasKeyAndValue(reqJson, "id", "ID不能为空");


        Assert.hasKeyAndValue(reqJson, "flowId", "流程不能为空");


    }


 


    @Override


    @Java110Transactional


    public void doCmd(CmdEvent event, ICmdDataFlowContext cmdDataFlowContext, JSONObject reqJson) throws CmdException {


        Map<String,String> headers = cmdDataFlowContext.getReqHeaders();


 


        reqJson.put("storeId",headers.get("store-id"));


 


        OaWorkflowFormDto oaWorkflowFormDto = new OaWorkflowFormDto();


        oaWorkflowFormDto.setFlowId(reqJson.get("flowId").toString());


        oaWorkflowFormDto.setStoreId(reqJson.get("storeId").toString());


        oaWorkflowFormDto.setRow(1);


        oaWorkflowFormDto.setPage(1);


        List<OaWorkflowFormDto> oaWorkflowFormDtos = oaWorkflowFormInnerServiceSMOImpl.queryOaWorkflowForms(oaWorkflowFormDto);


        Assert.listOnlyOne(oaWorkflowFormDtos, "未包含流程表单,请先设置表单");


 


        //


        OaWorkflowDto oaWorkflowDto = new OaWorkflowDto();


        oaWorkflowDto.setStoreId(reqJson.getString("storeId"));


        oaWorkflowDto.setFlowId(reqJson.getString("flowId"));


        List<OaWorkflowDto> oaWorkflowDtos = oaWorkflowInnerServiceSMOImpl.queryOaWorkflows(oaWorkflowDto);


        Assert.listOnlyOne(oaWorkflowDtos, "流程不存在");


 


        if (!OaWorkflowDto.STATE_COMPLAINT.equals(oaWorkflowDtos.get(0).getState())) {


            throw new IllegalArgumentException(oaWorkflowDtos.get(0).getFlowName() + "流程未部署");


        }


 


        if (StringUtil.isEmpty(oaWorkflowDtos.get(0).getProcessDefinitionKey())) {


            throw new IllegalArgumentException(oaWorkflowDtos.get(0).getFlowName() + "流程未部署");


        }


 


        List<String> columns = new ArrayList<>();


        for (String key : reqJson.keySet()) {


            if ("flowId".equals(key) || "id".equals(key) || "storeId".equals(key)) {


                continue;


            }


            columns.add(key + "='" + reqJson.getString(key)+"'");


 


            //简单校验


            validateColumns(columns);


        }


        reqJson.put("columns", columns.toArray(new String[columns.size()]));


 


        //保存表单数据


        reqJson.put("tableName", oaWorkflowFormDtos.get(0).getTableName());


 


        int flag = oaWorkflowFormInnerServiceSMOImpl.updateOaWorkflowFormDataAll(reqJson);


        if (flag < 1) {


            throw new IllegalArgumentException("保存失败");


        }


 


 


        cmdDataFlowContext.setResponseEntity(ResultVo.success());


 


    }


 


    private void validateColumns(List<String> columns) {


        String columnBak = "";


        for (String column : columns) {


            columnBak = column.toLowerCase();


            if (containsSqlInjection(columnBak)) {


                throw new IllegalArgumentException("非法操作,可能破坏系统稳定性");


            }


        }


    }


 


    public static boolean containsSqlInjection(Object obj) {


        Pattern pattern = Pattern.compile("\\b(exec|insert|select|drop|grant|alter|delete|update|count|chr|mid|master|truncate|char|declare)\\b|(\\*|;|\\+|'|%)");


        Matcher matcher = pattern.matcher(obj.toString().toLowerCase());


        return matcher.find();


    }


}