修复1处存在SQL注入漏洞问题，再实体类中移除

ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/DataScopeConstants.java

@@ -0,0 +1,39 @@
+package com.ruoyi.common.core.constant;
+
+/**
+ * 数据过滤常量
+ * 
+ * @author lic
+ */
+public class DataScopeConstants
+{
+    /**
+     * 全部数据权限
+     */
+    public static final String DATA_SCOPE_ALL = "1";
+
+    /**
+     * 自定数据权限
+     */
+    public static final String DATA_SCOPE_CUSTOM = "2";
+
+    /**
+     * 部门数据权限
+     */
+    public static final String DATA_SCOPE_DEPT = "3";
+
+    /**
+     * 部门及以下数据权限
+     */
+    public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
+
+    /**
+     * 仅本人数据权限
+     */
+    public static final String DATA_SCOPE_SELF = "5";
+
+    /**
+     * 数据权限过滤关键字
+     */
+    public static final String DATA_SCOPE = "dataScope";
+}

ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java

@@ -5,6 +5,8 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 import com.fasterxml.jackson.annotation.JsonFormat;
+import com.ruoyi.common.core.constant.DataScopeConstants;
+import com.ruoyi.common.core.utils.StringUtils;
 
 /**
  * Entity基类
@@ -109,6 +111,10 @@ public class BaseEntity implements Serializable
 
     public void setParams(Map<String, Object> params)
     {
+        /** 拼接权限sql前先清空params.dataScope参数防止注入 */
+        if(StringUtils.isNotNull(params.get(DataScopeConstants.DATA_SCOPE))){
+            params.remove(DataScopeConstants.DATA_SCOPE);
+        }
         this.params = params;
     }
 }

ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java

@@ -1,6 +1,8 @@
 package com.ruoyi.common.datascope.aspect;
 
 import java.lang.reflect.Method;
+
+import com.ruoyi.common.core.constant.DataScopeConstants;
 import org.aspectj.lang.JoinPoint;
 import org.aspectj.lang.Signature;
 import org.aspectj.lang.annotation.Aspect;
@@ -26,36 +28,6 @@ import com.ruoyi.system.api.model.LoginUser;
 @Component
 public class DataScopeAspect
 {
-    /**
-     * 全部数据权限
-     */
-    public static final String DATA_SCOPE_ALL = "1";
-
-    /**
-     * 自定数据权限
-     */
-    public static final String DATA_SCOPE_CUSTOM = "2";
-
-    /**
-     * 部门数据权限
-     */
-    public static final String DATA_SCOPE_DEPT = "3";
-
-    /**
-     * 部门及以下数据权限
-     */
-    public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
-
-    /**
-     * 仅本人数据权限
-     */
-    public static final String DATA_SCOPE_SELF = "5";
-
-    /**
-     * 数据权限过滤关键字
-     */
-    public static final String DATA_SCOPE = "dataScope";
-
     @Autowired
     private TokenService tokenService;
 
@@ -68,7 +40,6 @@ public class DataScopeAspect
     @Before("dataScopePointCut()")
     public void doBefore(JoinPoint point) throws Throwable
     {
-        clearDataScope(point);
         handleDataScope(point);
     }
 
@@ -109,28 +80,28 @@ public class DataScopeAspect
         for (SysRole role : user.getRoles())
         {
             String dataScope = role.getDataScope();
-            if (DATA_SCOPE_ALL.equals(dataScope))
+            if (DataScopeConstants.DATA_SCOPE_ALL.equals(dataScope))
             {
                 sqlString = new StringBuilder();
                 break;
             }
-            else if (DATA_SCOPE_CUSTOM.equals(dataScope))
+            else if (DataScopeConstants.DATA_SCOPE_CUSTOM.equals(dataScope))
             {
                 sqlString.append(StringUtils.format(
                         " OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id = {} ) ", deptAlias,
                         role.getRoleId()));
             }
-            else if (DATA_SCOPE_DEPT.equals(dataScope))
+            else if (DataScopeConstants.DATA_SCOPE_DEPT.equals(dataScope))
             {
                 sqlString.append(StringUtils.format(" OR {}.dept_id = {} ", deptAlias, user.getDeptId()));
             }
-            else if (DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope))
+            else if (DataScopeConstants.DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope))
             {
                 sqlString.append(StringUtils.format(
                         " OR {}.dept_id IN ( SELECT dept_id FROM sys_dept WHERE dept_id = {} or find_in_set( {} , ancestors ) )",
                         deptAlias, user.getDeptId(), user.getDeptId()));
             }
-            else if (DATA_SCOPE_SELF.equals(dataScope))
+            else if (DataScopeConstants.DATA_SCOPE_SELF.equals(dataScope))
             {
                 if (StringUtils.isNotBlank(userAlias))
                 {
@@ -150,7 +121,7 @@ public class DataScopeAspect
             if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
             {
                 BaseEntity baseEntity = (BaseEntity) params;
-                baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")");
+                baseEntity.getParams().put(DataScopeConstants.DATA_SCOPE, " AND (" + sqlString.substring(4) + ")");
             }
         }
     }
@@ -170,17 +141,4 @@ public class DataScopeAspect
         }
         return null;
     }
-
-    /**
-     * 拼接权限sql前先清空params.dataScope参数防止注入
-     */
-    private void clearDataScope(final JoinPoint joinPoint)
-    {
-        Object params = joinPoint.getArgs()[0];
-        if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
-        {
-            BaseEntity baseEntity = (BaseEntity) params;
-            baseEntity.getParams().put(DATA_SCOPE, "");
-        }
-    }
 }