😎1、优化仓储扩展可能引发sql注入问题 2、优化接口压测页面

Admin.NET/Admin.NET.Core/Extension/RepositoryExtension.cs

@@ -145,12 +145,12 @@ public static class RepositoryExtension
         typeAdapterConfig.ForType<T, BasePageInput>().IgnoreNullValues(true);
         Mapper mapper = new(typeAdapterConfig); // 务必将mapper设为单实例
         var nowPagerInput = mapper.Map<BasePageInput>(pageInput);
-        // 排序是否可用-排序字段和排序顺序都为非空才启用排序
+        // 排序是否可用-排序字段为非空才启用排序，排序顺序默认为倒序
-        if (!string.IsNullOrEmpty(nowPagerInput.Field) && !string.IsNullOrEmpty(nowPagerInput.Order))
+        if (!string.IsNullOrEmpty(nowPagerInput.Field))
         {
-            var col = queryable.Context.EntityMaintenance.GetEntityInfo<T>().Columns.FirstOrDefault(u => u.PropertyName.Equals(nowPagerInput.Field, StringComparison.CurrentCultureIgnoreCase));
+            nowPagerInput.Field = Regex.Replace(nowPagerInput.Field, @"[\s;()\-'@=/%]", ""); //过滤掉一些关键字符防止构造特殊SQL语句注入
-            var dbColumnName = col != null ? col.DbColumnName : nowPagerInput.Field;
+            var orderByDbName = queryable.Context.EntityMaintenance.GetDbColumnName<T>(nowPagerInput.Field);//防止注入，类中只要不存在属性名就会报错
-            orderStr = $"{prefix}{iSqlBuilder.GetTranslationColumnName(dbColumnName)} {(nowPagerInput.Order == nowPagerInput.DescStr ? "Desc" : "Asc")}";
+            orderStr = $"{prefix}{iSqlBuilder.GetTranslationColumnName(orderByDbName)} {(string.IsNullOrEmpty(nowPagerInput.Order) || nowPagerInput.Order.Equals(nowPagerInput.DescStr, StringComparison.OrdinalIgnoreCase) ? "Desc" : "Asc")}";
         }
         return queryable.OrderByIF(!string.IsNullOrWhiteSpace(orderStr), orderStr);
     }

Web/src/views/system/stressTest/index.vue

@@ -166,13 +166,20 @@ onMounted(async () => {
 // 获取接口分组列表
 const getApiGroupList = async () => {
 	try {
-		const html = await request(`/index.html`, { method: 'get' }).then(({ data }) => data);
+		const response = await request('/swagger-resources', { method: 'get' });
-		const prefixText = "var configObject = JSON.parse('";
+		return response.data
-		const jsonStr = html
+			.filter((resource: { name: string; url: string }) => !resource.url.toLowerCase().includes('all%20groups'))
-			.substring(html.indexOf(prefixText) + prefixText.length, html.indexOf('var oauthConfigObject = JSON.parse('))
+			.map((resource: { name: string; url: string }) => {
-			?.trim()
+				const rawUrl = resource.url || '';
-			.replace("');", '');
+				let fixedUrl = rawUrl.startsWith('//') ? rawUrl.substring(1) : rawUrl;
-		return JSON.parse(jsonStr).urls;
+				if (!fixedUrl.startsWith('/') && !fixedUrl.includes('://')) {
+					fixedUrl = '/' + fixedUrl;
+				}
+				return {
+					name: decodeURIComponent(resource.name || ''),
+					url: fixedUrl,
+				};
+			});
 	} catch {
 		return [];
 	}
@@ -181,10 +188,10 @@ const getApiGroupList = async () => {
 // 获取所有接口列表
 const getApiList = (keywords: string | undefined) => {
 	const emojiPattern =
-		/[\u{1F600}-\u{1F64F}\u{1F300}-\u{1F5FF}\u{1F680}-\u{1F6FF}\u{1F700}-\u{1F77F}\u{1F780}-\u{1F7FF}\u{1F800}-\u{1F8FF}\u{1F900}-\u{1F9FF}\u{1FA00}-\u{1FA6F}\u{1FA70}-\u{1FAFF}\u{2600}-\u{26FF}\u{2700}-\u{27BF}]/gu;
+		/[\u{2139}\u{2B05}-\u{2B07}\u{1F600}-\u{1F64F}\u{1F300}-\u{1F5FF}\u{1F680}-\u{1F6FF}\u{1F700}-\u{1F77F}\u{1F780}-\u{1F7FF}\u{1F800}-\u{1F8FF}\u{1F900}-\u{1F9FF}\u{1FA00}-\u{1FA6F}\u{1FA70}-\u{1FAFF}\u{2600}-\u{26FF}\u{2700}-\u{27BF}]/gu;
 	return request(state.swaggerUrl, { method: 'get' }).then(({ data }) => {
 		const pathMap = data.paths;
-		const result = data.tags.map((e: any) => ({ path: e.name, summary: e.description.replaceAll(emojiPattern, ''), children: [] }));
+		const result = data.tags.map((e: any) => ({ path: e.name, summary: e.description?.replaceAll(emojiPattern, '') || e.name, children: [] }));
 		Object.keys(pathMap).map((path) => {
 			const method = Object.keys(pathMap[path])[0];
 			const apiInfo = pathMap[path][method];