zhangyuheng/Dominion
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 144 Wiki Activity

修复了潜在的数据库注入风险,建议使用此更新
All checks were successful
Java CI-CD with Maven / build (push) Successful in 29m32s
Details

Browse Source
This commit is contained in:
zhangyuheng 2024-05-21 16:44:18 +08:00
parent bccbec972b
commit ca9f5b0925
4 changed files with 71 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pom.xml
View File

@ -6,7 +6,7 @@
<groupId>cn.lunadeer</groupId>
<artifactId>Dominion</artifactId>
<version>1.24.3-beta</version>
<version>1.24.4-beta</version>
<packaging>jar</packaging>
<name>Dominion</name>

85
src/main/java/cn/lunadeer/dominion/dtos/DominionDTO.java
View File

@ -14,9 +14,9 @@ import java.util.UUID;
public class DominionDTO {
private static List<DominionDTO> query(String sql) {
private static List<DominionDTO> query(String sql, Object... args) {
List<DominionDTO> dominions = new ArrayList<>();
try (ResultSet rs = Dominion.database.query(sql)) {
try (ResultSet rs = Dominion.database.query(sql, args)) {
if (sql.contains("UPDATE") || sql.contains("DELETE") || sql.contains("INSERT")) {
// 如果是更新操作重新加载缓存
Cache.instance.loadDominions();
@ -100,18 +100,18 @@ public class DominionDTO {
}
public static List<DominionDTO> selectAll(String world) {
String sql = "SELECT * FROM dominion WHERE world = '" + world + "' AND id > 0;";
return query(sql);
String sql = "SELECT * FROM dominion WHERE world = ? AND id > 0;";
return query(sql, world);
}
public static List<DominionDTO> search(String name) {
String sql = "SELECT * FROM dominion WHERE name LIKE '%" + name + "%' AND id > 0;";
return query(sql);
String sql = "SELECT * FROM dominion WHERE name LIKE ? AND id > 0;";
return query(sql, "%" + name + "%");
}
public static List<DominionDTO> selectAll(UUID owner) {
String sql = "SELECT * FROM dominion WHERE owner = '" + owner.toString() + "' AND id > 0";
return query(sql);
String sql = "SELECT * FROM dominion WHERE owner = ? AND id > 0;";
return query(sql, owner.toString());
}
public static DominionDTO select(Integer id) {
@ -122,28 +122,28 @@ public class DominionDTO {
-2147483648, -2147483648, -2147483648,
2147483647, 2147483647, 2147483647, -1);
}
String sql = "SELECT * FROM dominion WHERE id = " + id + " AND id > 0";
List<DominionDTO> dominions = query(sql);
String sql = "SELECT * FROM dominion WHERE id = ? AND id > 0;";
List<DominionDTO> dominions = query(sql, id);
if (dominions.size() == 0) return null;
return dominions.get(0);
}
public static List<DominionDTO> selectByParentId(String world, Integer parentId) {
String sql = "SELECT * FROM dominion WHERE world = '" + world + "' AND parent_dom_id = " + parentId + " AND id > 0;";
return query(sql);
String sql = "SELECT * FROM dominion WHERE world = ? AND parent_dom_id = ? AND id > 0;";
return query(sql, world, parentId);
}
public static List<DominionDTO> selectByLocation(String world, Integer x, Integer y, Integer z) {
String sql = "SELECT * FROM dominion WHERE world = '" + world + "' AND " +
"x1 <= " + x + " AND x2 >= " + x + " AND " +
"y1 <= " + y + " AND y2 >= " + y + " AND " +
"z1 <= " + z + " AND z2 >= " + z + " AND " + "id > 0;";
return query(sql);
String sql = "SELECT * FROM dominion WHERE world = ? AND " +
"x1 <= ? AND x2 >= ? AND " +
"y1 <= ? AND y2 >= ? AND " +
"z1 <= ? AND z2 >= ? AND " + "id > 0;";
return query(sql, world, x, x, y, y, z, z);
}
public static DominionDTO select(String name) {
String sql = "SELECT * FROM dominion WHERE name = '" + name + "' AND id > 0;";
List<DominionDTO> dominions = query(sql);
String sql = "SELECT * FROM dominion WHERE name = ? AND id > 0;";
List<DominionDTO> dominions = query(sql, name);
if (dominions.size() == 0) return null;
return dominions.get(0);
}
@ -151,25 +151,24 @@ public class DominionDTO {
public static DominionDTO insert(DominionDTO dominion) {
String sql = "INSERT INTO dominion (" +
"owner, name, world, x1, y1, z1, x2, y2, z2" +
") VALUES (" +
"'" + dominion.getOwner().toString() + "', " +
"'" + dominion.getName() + "', " +
"'" + dominion.getWorld() + "', " +
dominion.getX1() + ", " +
dominion.getY1() + ", " +
dominion.getZ1() + ", " +
dominion.getX2() + ", " +
dominion.getY2() + ", " +
dominion.getZ2() +
") RETURNING *;";
List<DominionDTO> dominions = query(sql);
") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING *;";
List<DominionDTO> dominions = query(sql,
dominion.getOwner(),
dominion.getName(),
dominion.getWorld(),
dominion.getX1(),
dominion.getY1(),
dominion.getZ1(),
dominion.getX2(),
dominion.getY2(),
dominion.getZ2());
if (dominions.size() == 0) return null;
return dominions.get(0);
}
public static void delete(DominionDTO dominion) {
String sql = "DELETE FROM dominion WHERE id = " + dominion.getId() + ";";
query(sql);
String sql = "DELETE FROM dominion WHERE id = ?;";
query(sql, dominion.getId());
}
private static DominionDTO update(DominionDTO dominion) {
@ -181,9 +180,9 @@ public class DominionDTO {
tp_location = loc.getBlockX() + ":" + loc.getBlockY() + ":" + loc.getBlockZ();
}
String sql = "UPDATE dominion SET " +
"owner = '" + dominion.getOwner().toString() + "', " +
"name = '" + dominion.getName() + "', " +
"world = '" + dominion.getWorld() + "', " +
"owner = ?," +
"name = ?," +
"world = ?," +
"x1 = " + dominion.getX1() + ", " +
"y1 = " + dominion.getY1() + ", " +
"z1 = " + dominion.getZ1() + ", " +
@ -191,8 +190,8 @@ public class DominionDTO {
"y2 = " + dominion.getY2() + ", " +
"z2 = " + dominion.getZ2() + ", " +
"parent_dom_id = " + dominion.getParentDomId() + ", " +
"join_message = '" + dominion.getJoinMessage() + "', " +
"leave_message = '" + dominion.getLeaveMessage() + "', " +
"join_message = ?," +
"leave_message = ?," +
"anchor = " + dominion.getAnchor() + ", " +
"animal_killing = " + dominion.getAnimalKilling() + ", " +
"anvil = " + dominion.getAnvil() + ", " +
@ -239,10 +238,16 @@ public class DominionDTO {
"vehicle_destroy = " + dominion.getVehicleDestroy() + ", " +
"vehicle_spawn = " + dominion.getVehicleSpawn() + ", " +
"wither_spawn = " + dominion.getWitherSpawn() + ", " + // dom only
"tp_location = '" + tp_location + "' " +
"tp_location = ?" +
" WHERE id = " + dominion.getId() +
" RETURNING *;";
List<DominionDTO> dominions = query(sql);
List<DominionDTO> dominions = query(sql,
dominion.getOwner().toString(),
dominion.getName(),
dominion.getWorld(),
dominion.getJoinMessage(),
dominion.getLeaveMessage(),
tp_location);
if (dominions.size() == 0) return null;
return dominions.get(0);
}

30
src/main/java/cn/lunadeer/dominion/dtos/PlayerDTO.java
View File

@ -28,9 +28,9 @@ public class PlayerDTO {
return update(this);
}
private static List<PlayerDTO> query(String sql) {
private static List<PlayerDTO> query(String sql, Object... params) {
List<PlayerDTO> players = new ArrayList<>();
try (ResultSet rs = Dominion.database.query(sql)) {
try (ResultSet rs = Dominion.database.query(sql, params)) {
if (rs == null) return players;
while (rs.next()) {
Integer id = rs.getInt("id");
@ -47,47 +47,47 @@ public class PlayerDTO {
}
public static PlayerDTO select(UUID uuid) {
String sql = "SELECT * FROM player_name WHERE uuid = '" + uuid.toString() + "';";
List<PlayerDTO> players = query(sql);
String sql = "SELECT * FROM player_name WHERE uuid = ?;";
List<PlayerDTO> players = query(sql, uuid.toString());
if (players.size() == 0) return null;
return players.get(0);
}
public static PlayerDTO select(String name) {
String sql = "SELECT * FROM player_name WHERE last_known_name = '" + name + "';";
List<PlayerDTO> players = query(sql);
String sql = "SELECT * FROM player_name WHERE last_known_name = ?;";
List<PlayerDTO> players = query(sql, name);
if (players.size() == 0) return null;
return players.get(0);
}
public static List<PlayerDTO> search(String name) {
// 模糊搜索
String sql = "SELECT * FROM player_name WHERE last_known_name LIKE '%" + name + "%';";
return query(sql);
String sql = "SELECT * FROM player_name WHERE last_known_name LIKE ?;";
return query(sql, "%" + name + "%");
}
public static void delete(PlayerDTO player) {
String sql = "DELETE FROM player_name WHERE uuid = '" + player.getUuid().toString() + "';";
query(sql);
String sql = "DELETE FROM player_name WHERE uuid = ?;";
query(sql, player.getUuid());
}
private static PlayerDTO insert(PlayerDTO player) {
String sql = "INSERT INTO player_name (uuid, last_known_name, last_join_at) " +
"VALUES" +
" ('" + player.getUuid().toString() + "', '" + player.getLastKnownName() + "', CURRENT_TIMESTAMP) " +
" (?, ?, CURRENT_TIMESTAMP) " +
"RETURNING *;";
List<PlayerDTO> players = query(sql);
List<PlayerDTO> players = query(sql, player.getUuid().toString(), player.getLastKnownName());
if (players.size() == 0) return null;
return players.get(0);
}
private static PlayerDTO update(PlayerDTO player) {
String sql = "UPDATE player_name SET " +
"last_known_name = '" + player.getLastKnownName() + "', " +
"last_known_name = ?, " +
"last_join_at = CURRENT_TIMESTAMP " +
"WHERE uuid = '" + player.getUuid().toString() + "' " +
"WHERE uuid = ? " +
"RETURNING *;";
List<PlayerDTO> players = query(sql);
List<PlayerDTO> players = query(sql, player.getLastKnownName(), player.getUuid().toString());
if (players.size() == 0) return null;
return players.get(0);
}

22
src/main/java/cn/lunadeer/dominion/dtos/PlayerPrivilegeDTO.java
View File

@ -55,22 +55,20 @@ public class PlayerPrivilegeDTO {
}
public static PlayerPrivilegeDTO select(UUID playerUUID, Integer dom_id) {
String sql = "SELECT * FROM player_privilege WHERE player_uuid = '" + playerUUID + "' " +
"AND dom_id = " + dom_id + ";";
List<PlayerPrivilegeDTO> p = query(sql);
String sql = "SELECT * FROM player_privilege WHERE player_uuid = ? AND dom_id = ?;";
List<PlayerPrivilegeDTO> p = query(sql, playerUUID.toString(), dom_id);
if (p.size() == 0) return null;
return p.get(0);
}
public static List<PlayerPrivilegeDTO> select(Integer dom_id) {
String sql = "SELECT * FROM player_privilege WHERE dom_id = " + dom_id + ";";
return query(sql);
String sql = "SELECT * FROM player_privilege WHERE dom_id = ?;";
return query(sql, dom_id);
}
public static void delete(UUID player, Integer domID) {
String sql = "DELETE FROM player_privilege WHERE player_uuid = '" + player + "' " +
"AND dom_id = " + domID + ";";
query(sql);
String sql = "DELETE FROM player_privilege WHERE player_uuid = ? AND dom_id = ?;";
query(sql, player.toString(), domID);
}
public static List<PlayerPrivilegeDTO> selectAll() {
@ -79,8 +77,8 @@ public class PlayerPrivilegeDTO {
}
public static List<PlayerPrivilegeDTO> selectAll(UUID player) {
String sql = "SELECT * FROM player_privilege WHERE player_uuid = '" + player + "';";
return query(sql);
String sql = "SELECT * FROM player_privilege WHERE player_uuid = ?;";
return query(sql, player.toString());
}
private final Integer id;
@ -579,9 +577,9 @@ public class PlayerPrivilegeDTO {
vehicleSpawn);
}
private static List<PlayerPrivilegeDTO> query(String sql) {
private static List<PlayerPrivilegeDTO> query(String sql, Object... params) {
List<PlayerPrivilegeDTO> players = new ArrayList<>();
try (ResultSet rs = Dominion.database.query(sql)) {
try (ResultSet rs = Dominion.database.query(sql, params)) {
if (sql.contains("UPDATE") || sql.contains("DELETE") || sql.contains("INSERT")) {
// 如果是更新操作重新加载缓存
Cache.instance.loadPlayerPrivileges();