
task-4651 修复dev1的sql注入问题

xiexh пре 9 месеци
родитељ
комит
16c76284c0

+ 2 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/components/sqlzdy/Service/SwdlService.java

@@ -31,4 +31,6 @@ public interface SwdlService {
     APIResult queryUserCommunicateList(@RequestBody(required = true) Map<String,Object> map)throws Exception ;
 
     APIResult queryUserassessmentList(@RequestBody(required = true) Map<String, Object> map)throws Exception ;
+
+    APIResult queryUserDashboardList(@RequestBody(required = true) Map<String, Object> map)throws Exception ;
 }
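Review bot: The new `queryUserDashboardList` declaration uses the raw `APIResult` type, while the implementation builds an `APIResult<Object>` and returns it through this signature, so the type argument is lost at the interface boundary; declare it as `APIResult<Object> queryUserDashboardList(@RequestBody(required = true) Map<String, Object> map) throws Exception;`. The two sibling declarations above it share the raw type, so this may be the file's existing convention — if you change one, change all three together.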

+ 174 - 30
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/components/sqlzdy/Service/SwdlServiceImpl.java

@@ -1,55 +1,35 @@
 package com.lc.ibps.components.sqlzdy.Service;
 
-import com.alibaba.fastjson.JSON;
-import com.alibaba.fastjson.JSONArray;
-import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 import com.lc.ibps.api.base.constants.StateEnum;
-import com.lc.ibps.base.bo.exception.BoBaseException;
 import com.lc.ibps.base.core.constants.StringPool;
+import com.lc.ibps.base.core.exception.BaseException;
 import com.lc.ibps.base.core.util.AppUtil;
 import com.lc.ibps.base.core.util.BeanUtils;
-import com.lc.ibps.base.core.util.Collections;
 import com.lc.ibps.base.core.util.I18nUtil;
-import com.lc.ibps.base.framework.id.UniqueIdUtil;
 import com.lc.ibps.base.framework.table.ICommonDao;
 import com.lc.ibps.base.web.context.ContextUtil;
-import com.lc.ibps.base.web.util.RequestUtil;
-import com.lc.ibps.bpmn.api.service.BpmProcInstService;
-import com.lc.ibps.bpmn.provider.BpmInstProvider;
 import com.lc.ibps.cloud.entity.APIPageList;
 import com.lc.ibps.cloud.entity.APIPageResult;
 import com.lc.ibps.cloud.entity.APIResult;
 import com.lc.ibps.cloud.provider.GenericProvider;
-import com.lc.ibps.cloud.redis.utils.RedisUtil;
-import com.lc.ibps.cloud.util.AESUtil;
-import com.lc.ibps.config.JsonUtilConfig;
-import com.lc.ibps.config.SerialConfig;
 import com.lc.ibps.org.api.IPartyPositionService;
 import com.lc.ibps.org.party.persistence.entity.PartyPositionPo;
-import com.lc.ibps.sysdata.QueryDTO;
 import com.lc.ibps.sysdata.dao.UpdateDataTableDao;
-import com.lc.ibps.sysdata.entity.Material;
-import com.lc.ibps.sysdata.entity.User;
-import com.lc.ibps.sysdata.services.UpdateDataTableService;
+import com.lc.ibps.untils.JsonUtil;
 import io.swagger.annotations.ApiParam;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-import org.springframework.util.DigestUtils;
 import org.springframework.web.bind.annotation.RequestBody;
 
 import javax.annotation.Resource;
-import java.nio.ByteBuffer;
-import java.nio.ByteOrder;
-import java.text.SimpleDateFormat;
-import java.time.Duration;
-import java.time.Instant;
-import java.util.*;
-import java.util.concurrent.TimeUnit;
-
-import static com.lc.ibps.api.base.constants.StateEnum.ERROR;
-import static com.lc.ibps.api.base.constants.StateEnum.SUCCESS;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 /**
  * @title: xiexh
@@ -62,7 +42,8 @@ public class SwdlServiceImpl extends GenericProvider implements SwdlService {
     @Autowired
     UpdateDataTableDao  updateDataTableDao;
     private static final String EXAMINEE = "1169304256906264576";
-
+    @Resource
+    private ICommonDao<?> commonDao;
 
     @Override
     public APIResult<Object> queryData(
@@ -377,6 +358,169 @@ public class SwdlServiceImpl extends GenericProvider implements SwdlService {
             return result;
         }
 
+    @Override
+    public APIResult queryUserDashboardList(
+            @ApiParam(name = "request", value = "传入查询请求map对象", required = true)
+            @RequestBody(required = true) Map<String,Object> map) throws Exception  {
+        APIResult<Object> result = new APIResult<>();
+        try {
+            int pageNo = Integer.parseInt(map.get("pageNo").toString());
+            int limit = Integer.parseInt(map.get("limit").toString());
+            int startPage = limit*(pageNo-1);
+            map.put("startPage",startPage);
+            HashMap<String, Object> stringObjectHashMap = new HashMap<>();
+            //检查入参
+            Map param = checkParam(map);
+            //1.读取配置
+            String sql = "select setting from t_ipcc WHERE org_ = '" + param.get("org") + "' limit 1";
+            Map<String, Object> lcMap = commonDao.queryOne(sql);
+            if(BeanUtils.isEmpty(lcMap)){
+                throw new BaseException("用户配置不允许为空!");
+            }
+            String jsonContent = (String) lcMap.get("setting");
+            ObjectMapper mapper = new ObjectMapper();
+            JsonNode root = mapper.readTree(jsonContent);
+            JsonNode optionArr = root.path("ryzsOption").path("optionArr");
+            String[] paraArray = mapper.convertValue(optionArr, String[].class);
+            //2.拼接sql
+            StringBuilder pzSql = new StringBuilder();
+            for (int i = 0; i < paraArray.length; i++) {
+                String certificate = paraArray[i];
+                pzSql.append("IFNULL( sum( zheng_shu_lei_xin LIKE '%")
+                        .append(certificate)
+                        .append("%' ), 0 ) AS zsb")
+                        .append(i);
+
+                // 如果不是最后一个元素,添加逗号和换行
+                if (i < paraArray.length - 1) {
+                    pzSql.append(",\n");
+                }
+            }
+
+            String excuteSql;
+            if("pie".equals(param.get("type"))){
+                 excuteSql = concatPieChartsSql(pzSql.toString(),param.get("path").toString(),param.get("id").toString());
+            }else{
+                 excuteSql = concatPieChartsSql(pzSql.toString(),param.get("path").toString(),param.get("id").toString());
+                 excuteSql = concatCylindricalChartSql(excuteSql,pzSql.toString(),param.get("parentId").toString());
+            }
+
+            List<Map<String, Object>> datas = (List<Map<String, Object>>) commonDao.query(excuteSql);
+            APIPageList<Map<String,Object>> pageList = getAPIPageList(datas);
+            APIPageResult pageResult = new APIPageResult();
+            pageResult.setTotalCount(datas.size());
+            pageResult.setLimit(limit);
+            pageResult.setPage(pageNo);
+            pageList.setPageResult(pageResult);
+            result.setData(pageList);
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ERROR_FORM_BO.getCode(), I18nUtil.getMessage(StateEnum.ERROR_FORM_BO.getCode()+""), e);
+        }
+        return result;
+    }
+
+    private String concatCylindricalChartSql(String excuteSql,String pzSql,String parentId) {
+        String sql ="SELECT\n" +
+                "\tjh.enName,\n" +
+                "\tIFNULL( jh.zsb0, 0 ) AS zsb0,\n" +
+                "\tIFNULL( jh.zsb1, 0 ) AS zsb1,\n" +
+                "\tIFNULL( jh.zsb2, 0 ) AS zsb2,\n" +
+                "\tIFNULL( jh.zsb3, 0 ) AS zsb3,\n" +
+                "\tIFNULL( jh.zsb4, 0 ) AS zsb4,\n" +
+                "\tIFNULL( jh.zsb5, 0 ) AS zsb5,\n" +
+                "\tIFNULL( jh.zsb6, 0 ) AS zsb6 \n" +
+                "FROM\n" +
+                "\t(\n" +
+                "\tSELECT\n" +
+                "\t\ten.id_,\n" +
+                "\t\ten.name_ AS enName,\n" +
+                pzSql+
+                "\t\nFROM\n" +
+                "\t\t(\n" +
+                "\t\tSELECT\n" +
+                "\t\t\tee.id_ AS eeID,\n" +
+                "\t\t\tee.name_ AS eeName,\n" +
+                "\t\t\tee.positions_,\n" +
+                "\t\t\try.zheng_shu_lei_xin \n" +
+                "\t\tFROM\n" +
+                "\t\t\tt_ryzsb AS ry\n" +
+                "\t\t\tJOIN ibps_party_employee AS ee ON ry.parent_id_ = ee.id_ \n" +
+                "\t\tWHERE\n" +
+                "\t\t\tee.name_ NOT LIKE '%系统%' \n" +
+                "\t\t\tAND ee.STATUS_ = 'actived' \n" +
+                "\t\t\tAND ee.name_ NOT LIKE '%金通%' \n" +
+                "\t\t\tAND ee.name_ NOT LIKE '%管理%' \n" +
+                "\t\t\tAND ee.id_ != '702117247933480960' \n" +
+                "\t\t) gy\n" +
+                "\t\tRIGHT JOIN ibps_party_entity en ON FIND_IN_SET( en.id_, gy.positions_ ) \n" +
+                "\tWHERE\n" +
+                "\t\ten.DEPTH_ LIKE '%4%' \n" +
+                "\t\tAND en.PARENT_ID_ LIKE '%"+parentId+"%' \n" +
+                "\t\tAND en.id_ != '1166373874003083264' \n" +
+                "\t\tAND en.name_ NOT LIKE '%综合%' \n" +
+                "\tGROUP BY\n" +
+                "\t\ten.id_ \n" +
+                "\t) jh \nUNION \n"+ excuteSql;
+        return sql;
+    }
+
+    private Map checkParam(Map<String, Object> map) {
+        Map param = (Map) map.get("param");
+        if (BeanUtils.isNotEmpty(map)) {
+            if(BeanUtils.isEmpty(map.get("param"))){
+                throw new BaseException("用户配置不允许为空!");
+            }
+            if(BeanUtils.isEmpty(param.get("org"))){
+                throw new BaseException("用户配置org不允许为空!");
+            }
+            if(BeanUtils.isEmpty(param.get("path"))){
+                throw new BaseException("path不允许为空!");
+            }
+            if(BeanUtils.isEmpty(param.get("type"))){
+                throw new BaseException("查询种类type不允许为空!");
+            }
+            if(BeanUtils.isEmpty(param.get("id"))){
+                throw new BaseException("id不允许为空!");
+            }
+            if(BeanUtils.isEmpty(param.get("parentId")) && !param.get("type").equals("pie")){
+                throw new BaseException("parentId不允许为空!");
+            }
+        }
+        return param;
+    }
+
+    private String  concatPieChartsSql(String sql,String path,String id) {
+        String prefixes = "SELECT\n" +
+                "\t( SELECT name_ FROM ibps_party_entity WHERE id_ = '"+id+"' ) AS enName,\n";
+
+        String suffixes ="\n FROM\n" +
+                "\tt_ryzsb \n" +
+                "WHERE\n" +
+                "\tparent_id_ IN (\n" +
+                "\tSELECT\n" +
+                "\t\tee.id_ AS bid \n" +
+                "\tFROM\n" +
+                "\t\t(\n" +
+                "\t\tSELECT\n" +
+                "\t\t\te.* \n" +
+                "\t\tFROM\n" +
+                "\t\t\tibps_party_employee e\n" +
+                "\t\t\tJOIN ibps_party_entity en ON FIND_IN_SET( en.id_, e.POSITIONS_ ) > 0 \n" +
+                "\t\tWHERE\n" +
+                "\t\t\ten.PATH_ LIKE '%"+path+"%' \n" +
+                "\t\tGROUP BY\n" +
+                "\t\t\te.id_ \n" +
+                "\t\t) ee \n" +
+                "\tWHERE\n" +
+                "\t\tee.name_ NOT LIKE '%系统%' \n" +
+                "\t\tAND ee.STATUS_ = 'actived' \n" +
+                "\t\tAND ee.name_ NOT LIKE '%金通%' \n" +
+                "\tAND ee.name_ NOT LIKE '%管理%' \n" +
+                "\tAND ee.id_ != '702117247933480960')";
+        String excuteSql =  prefixes + sql +suffixes;
+        return excuteSql;
+    }
+
     private Map getAttendanceMap(Map<String, Object> map) {
         HashMap<String, Object> stringObjectHashMap = new HashMap<>();
         if (BeanUtils.isNotEmpty(map)) {
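Review bot: The query text is still assembled by concatenating request-body values — `org` at L117, `id` at L236, `path` at L252 and `parentId` at L200 are taken straight out of the `param` map that `checkParam` only null-checks — so the injection the commit title says it fixes is still present in the new code; the `certificate` values spliced into the LIKE patterns at L131–L134 come from the stored `setting` JSON rather than the request, but are concatenated the same way. If `ICommonDao` offers a bound-parameter query, use it for these values; otherwise validate them against an allowlist before they reach the string (the ids compared in the hand-written SQL are all-digit strings, so `id`/`parentId` can be required to be numeric, and `org`/`path` restricted to a tight character set — the patterns below are a starting point to confirm against real data), as in the helper below. Separately, `concatCylindricalChartSql` hard-codes `zsb0`–`zsb6` (L167–L173) while the other UNION branch emits one `zsbN` column per entry of `optionArr` (L129–L134), so the statement is only valid when the configuration holds exactly seven entries. `startPage` is written into `map` at L112 but never reaches the SQL, and `stringObjectHashMap` at L113 is unused.
```java
// … unchanged: imports, fields, queryData …

/**
 * Returns {@code value} as a string when it matches the {@code allowed} pattern; otherwise rejects
 * the request so the value never reaches the SQL text.
 */
private static String requireMatching(Object value, String allowed, String name) {
    String s = String.valueOf(value);
    if (!s.matches(allowed)) {
        throw new BaseException(name + " contains disallowed characters");
    }
    return s;
}

// in queryUserDashboardList, after checkParam(map):
String org = requireMatching(param.get("org"), "[A-Za-z0-9_\\-]{1,64}", "org");
String id = requireMatching(param.get("id"), "[0-9]{1,20}", "id");
String path = requireMatching(param.get("path"), "[A-Za-z0-9_.\\-]{1,255}", "path");
String parentId = "pie".equals(param.get("type"))
        ? null
        : requireMatching(param.get("parentId"), "[0-9]{1,20}", "parentId");
String sql = "select setting from t_ipcc WHERE org_ = '" + org + "' limit 1";
// … unchanged: configuration parsing and pzSql loop, then pass org/id/path/parentId instead of param.get(...) …
```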

+ 12 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/components/sqlzdy/control/SwdlController.java

@@ -139,4 +139,16 @@ public class SwdlController extends GenericProvider {
         return result;
 
     }
+    @ApiOperation("人员大方看板--证书表数据饼图/柱图统计接口")
+    @PostMapping("/personnel/dashboard/queryData")
+    APIResult queryUserDashboardList(@RequestBody(required = true) Map<String,Object> map) throws Exception{
+        APIResult result = new APIResult<>();
+        try {
+            result = swdlService.queryUserDashboardList(map);
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
+        }
+        return result;
+
+    }
 }
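Review bot: The new handler at L279 is declared package-private and with the raw `APIResult` type, unlike the generic `new APIResult<>()` it assigns at L280; declare it `public APIResult<Object> queryUserDashboardList(@RequestBody(required = true) Map<String,Object> map) throws Exception {`. Spring does generally map non-public handler methods, but the controller's other handlers are outside this section — match whatever visibility they use. The `catch` at L283 is mostly unreachable: `SwdlServiceImpl.queryUserDashboardList` already catches every exception and reports `ERROR_FORM_BO`, so a malformed `pageNo` or a missing `param` is surfaced as a form/BO error rather than `ILLEGAL_REQUEST`; consider letting validation failures propagate from the service, or checking them here before the call.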