feature:修复已知安全问题。

server/service/system/sys_export_template.go

@@ -203,14 +203,43 @@ func (sysExportTemplateService *SysExportTemplateService) ExportExcel(templateID
 		}
 	}
 
+	// 获取当前表的所有字段
+	table := template.TableName
+	orderColumns, err := global.GVA_DB.Migrator().ColumnTypes(table)
+	if err != nil {
+		return nil, "", err
+	}
+
+	// 创建一个 map 来存储字段名
+	fields := make(map[string]bool)
+
+	for _, column := range orderColumns {
+		fields[column.Name()] = true
+	}
+
 	// 通过参数传入order
 	order := values.Get("order")
-	if order != "" {
-		db = db.Order(order)
-	}
-	// 模板的默认order
+
 	if order == "" && template.Order != "" {
-		db = db.Order(template.Order)
+		// 如果没有order入参，这里会使用模板的默认排序
+		order = template.Order
+	}
+
+	if order != "" {
+		checkOrderArr := strings.Split(order, " ")
+		orderStr := ""
+		// 检查请求的排序字段是否在字段列表中
+		if _, ok := fields[checkOrderArr[0]]; !ok {
+			return nil, "", fmt.Errorf("order by %s is not in the fields", order)
+		}
+		orderStr = checkOrderArr[0]
+		if len(checkOrderArr) > 1 {
+			if checkOrderArr[1] != "asc" && checkOrderArr[1] != "desc" {
+				return nil, "", fmt.Errorf("order by %s is not secure", order)
+			}
+			orderStr = orderStr + " " + checkOrderArr[1]
+		}
+		db = db.Order(orderStr)
 	}
 
 	err = db.Debug().Find(&tableMap).Error