Server:Parser新增maxObjectCount和maxArrayCount限制

TommyLemon · TommyLemon · commit 005bc8584dc5 · 2019-04-25T22:13:45.000+08:00
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractObjectParser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractObjectParser.java
@@ -99,6 +99,10 @@ public AbstractObjectParser(@NotNull JSONObject request, String parentPath, Stri
 		this.table = Pair.parseEntry(name, true).getKey();
 		this.isTable = zuo.biao.apijson.JSONObject.isTableKey(table);
 
+		this.objectCount = 0;
+		this.arrayCount = 0;
+		this.sqlCount = 0;
+		
 		boolean isEmpty = request.isEmpty();//empty有效 User:{}
 		if (isEmpty) {
 			this.tri = false;
@@ -216,6 +220,9 @@ public boolean isBreakParse() {
 	 */
 	protected Map<String, JSONObject> childMap;
 
+	private int objectCount;
+	private int arrayCount;
+	private int sqlCount;
 	/**解析成员
 	 * response重新赋值
 	 * @return null or this
@@ -266,6 +273,7 @@ public AbstractObjectParser parse() throws Exception {
 				String key;
 				Object value;
 				int index = 0;
+				
 				for (Entry<String, Object> entry : set) {
 					if (isBreakParse()) {
 						break;
@@ -278,7 +286,7 @@ public AbstractObjectParser parse() throws Exception {
 					key = entry.getKey();
 
 					try {
-						if (value instanceof JSONObject && key.startsWith("@") == false  && key.endsWith("@") == false) {//JSONObject，往下一级提取
+						if (value instanceof JSONObject && key.startsWith("@") == false && key.endsWith("@") == false) {//JSONObject，往下一级提取
 							if (childMap != null) {//添加到childMap，最后再解析
 								childMap.put(key, (JSONObject)value);
 							}
@@ -478,6 +486,13 @@ public JSON onChildParse(int index, String key, JSONObject value) throws Excepti
 		boolean isEmpty;
 
 		if (zuo.biao.apijson.JSONObject.isArrayKey(key)) {//APIJSON Array
+			arrayCount ++;
+			
+			int maxArrayCount = parser.getMaxArrayCount();
+			if (arrayCount > maxArrayCount) {
+				throw new IllegalArgumentException(path + " 内 key[]: {} 的数量必须在 0-" + maxArrayCount + " 内 !");
+			}
+			
 			if (isMain) {
 				throw new IllegalArgumentException(parentPath + "/" + key + ":{} 不合法！"
 						+ "数组 []:{} 中第一个 key:{} 必须是主表 TableKey:{} ！不能为 arrayKey[]:{} ！");
@@ -487,6 +502,13 @@ public JSON onChildParse(int index, String key, JSONObject value) throws Excepti
 			isEmpty = child == null || ((JSONArray) child).isEmpty();
 		}
 		else {//APIJSON Object
+			objectCount ++;
+
+			int maxObjectCount = parser.getMaxObjectCount();
+			if (objectCount > maxObjectCount) {
+				throw new IllegalArgumentException(path + " 内 key: {} 的数量必须在 0-" + maxObjectCount + " 内 !");
+			}
+			
 			if (type == TYPE_ITEM && JSONRequest.isTableKey(Pair.parseEntry(key, true).getKey()) == false) {
 				throw new IllegalArgumentException(parentPath + "/" + key + ":{} 不合法！"
 						+ "数组 []:{} 中每个 key:{} 都必须是表 TableKey:{} 或 数组 arrayKey[]:{} ！");
@@ -589,6 +611,12 @@ public AbstractObjectParser setSQLConfig(int count, int page, int position) thro
 		}
 
 		if (sqlConfig == null) {
+			sqlCount ++;
+			int maxSQLCount = parser.getMaxSQLCount();
+			if (sqlCount > maxSQLCount) {
+				throw new IllegalArgumentException(path + " 内生成的 SQL 必须在 0-" + maxSQLCount + " 内 !");
+			}
+			
 			sqlConfig = newSQLConfig();
 		}
 		sqlConfig.setCount(count).setPage(page).setPosition(position);
@@ -598,6 +626,8 @@ public AbstractObjectParser setSQLConfig(int count, int page, int position) thro
 		return this;
 	}
 
+	
+	
 
 	protected SQLConfig sqlConfig = null;//array item复用
 	/**SQL查询，for array item
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractParser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractParser.java
@@ -239,6 +239,7 @@ public JSONObject parseResponse(String request) {
 		return parseResponse(requestObject);
 	}
 
+	private int depth;
 	/**解析请求json并获取对应结果
 	 * @param request
 	 * @return requestObject
@@ -297,6 +298,7 @@ public JSONObject parseResponse(JSONObject request) {
 		Exception error = null;
 		sqlExecutor = createSQLExecutor();
 		try {
+			depth = 0;
 			requestObject = onObjectParse(request, null, null, null, false);
 		} catch (Exception e) {
 			e.printStackTrace();
@@ -686,7 +688,7 @@ public JSONObject onObjectParse(final JSONObject request
 	 */
 	@Override
 	public JSONArray onArrayParse(JSONObject request, String parentPath, String name, boolean isSubquery) throws Exception {
-		Log.i(TAG, "\n\n\n getArray parentPath = " + parentPath
+		Log.i(TAG, "\n\n\n onArrayParse parentPath = " + parentPath
 				+ "; name = " + name + "; request = " + JSON.toJSONString(request));
 		//不能允许GETS，否则会被通过"[]":{"@role":"ADMIN"},"Table":{},"tag":"Table"绕过权限并能批量查询
 		if (RequestMethod.isGetMethod(requestMethod, false) == false) {
@@ -1025,17 +1027,33 @@ public int getDefaultQueryCount() {
 		return DEFAULT_QUERY_COUNT;
 	}
 	@Override
-	public int getMaxQueryCount() {
-		return MAX_QUERY_COUNT;
-	}
-	@Override
 	public int getMaxQueryPage() {
 		return MAX_QUERY_PAGE;
 	}
 	@Override
+	public int getMaxQueryCount() {
+		return MAX_QUERY_COUNT;
+	}
+	@Override
 	public int getMaxUpdateCount() {
 		return MAX_UPDATE_COUNT;
 	}
+	@Override
+	public int getMaxSQLCount() {
+		return MAX_SQL_COUNT;
+	}
+	@Override
+	public int getMaxObjectCount() {
+		return MAX_OBJECT_COUNT;
+	}
+	@Override
+	public int getMaxArrayCount() {
+		return MAX_ARRAY_COUNT;
+	}
+	@Override
+	public int getMaxQueryDepth() {
+		return MAX_QUERY_DEPTH;
+	}
 
 
 	/**根据路径取值
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Parser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Parser.java
@@ -26,9 +26,13 @@
 public interface Parser<T> {
 
 	int DEFAULT_QUERY_COUNT = 10;
-	int MAX_QUERY_COUNT = 100;
 	int MAX_QUERY_PAGE = 100;
+	int MAX_QUERY_COUNT = 100;
 	int MAX_UPDATE_COUNT = 10;
+	int MAX_SQL_COUNT = 100;
+	int MAX_OBJECT_COUNT = 3;
+	int MAX_ARRAY_COUNT = 3;
+	int MAX_QUERY_DEPTH = 3;
 	
 	
 	@NotNull
@@ -99,9 +103,13 @@ public interface Parser<T> {
 	ObjectParser createObjectParser(JSONObject request, String parentPath, String name, SQLConfig arrayConfig, boolean isSubquery) throws Exception;
 
 	int getDefaultQueryCount();
-	int getMaxQueryCount();
 	int getMaxQueryPage();
+	int getMaxQueryCount();
 	int getMaxUpdateCount();
+	int getMaxSQLCount();
+	int getMaxObjectCount();
+	int getMaxArrayCount();
+	int getMaxQueryDepth();
 	
 	void putQueryResult(String path, Object result);
 
