- 完善 DynamicFilter Custom 安全问题；

Author: 2881099

FreeSql.DbContext/FreeSql.DbContext.xml

@@ -2543,6 +2543,7 @@ public enum ts_dyfilter_enum01_status { staring, stoped, finished }
 
     public class DynamicFilterMyCustom
     {
+        [DynamicFilterCustom]
         public static string MyRawSql(string value) => value;
 
         public static string TupleIn(string value)

FreeSql.Tests/FreeSql.Tests/Sqlite/Curd/SqliteSelectTest.cs

@@ -553,9 +553,10 @@ void ParseFilter(DynamicFilterLogic logic, DynamicFilterInfo fi, bool isend)
                             if (string.IsNullOrWhiteSpace(fiValueCustomArray[0])) throw new ArgumentException("Custom {静态方法名}不能为空，格式：{静态方法名}{空格}{反射信息}");
                             if (string.IsNullOrWhiteSpace(fiValueCustomArray[1])) throw new ArgumentException("Custom {反射信息}不能为空，格式：{静态方法名}{空格}{反射信息}");
                             var fiValue1Type = Type.GetType(fiValueCustomArray[1]);
-                            if (fiValue1Type == null) throw new ArgumentException($"Custom 找到对应的{{反射信息}}：{fiValueCustomArray[1]}");
+                            if (fiValue1Type == null) throw new ArgumentException($"Custom 找不到对应的{{反射信息}}：{fiValueCustomArray[1]}");
                             var fiValue0Method = fiValue1Type.GetMethod(fiValueCustomArray[0], new Type[] { typeof(string) });
-                            if (fiValue0Method == null) throw new ArgumentException($"Custom 找到对应的{{静态方法名}}：{fiValueCustomArray[0]}");
+                            if (fiValue0Method == null) throw new ArgumentException($"Custom 找不到对应的{{静态方法名}}：{fiValueCustomArray[0]}");
+                            if (MethodIsDynamicFilterCustomAttribute(fiValue0Method) == false) throw new ArgumentException($"Custom 对应的{{静态方法名}}：{fiValueCustomArray[0]} 未设置 [DynamicFilterCustomAttribute] 特性");
                             var fiValue0MethodReturn = fiValue0Method?.Invoke(null, new object[] { fi.Value?.ToString() })?.ToString();
                             exp = Expression.Call(typeof(SqlExt).GetMethod("InternalRawSql", BindingFlags.NonPublic | BindingFlags.Static), Expression.Constant(fiValue0MethodReturn, typeof(string)));
                             break;
@@ -693,6 +694,21 @@ bool IsIgnoreFilter(DynamicFilterInfo testFilter)
                     string.IsNullOrEmpty(testFilter.Value?.ToString());
             }
         }
+        static ConcurrentDictionary<MethodInfo, bool> _dicMethodIsDynamicFilterCustomAttribute = new ConcurrentDictionary<MethodInfo, bool>();
+        static bool MethodIsDynamicFilterCustomAttribute(MethodInfo method) => _dicMethodIsDynamicFilterCustomAttribute.GetOrAdd(method, m =>
+        {
+            object[] attrs = null;
+            try
+            {
+                attrs = m.GetCustomAttributes(false).ToArray(); //.net core 反射存在版本冲突问题，导致该方法异常
+            }
+            catch { }
+
+            var dyattr = attrs?.Where(a => {
+                return ((a as Attribute)?.TypeId as Type)?.Name == "DynamicFilterCustomAttribute";
+            }).FirstOrDefault();
+            return dyattr != null;
+        });
 
         public TSelect DisableGlobalFilter(params string[] name)
         {

FreeSql/FreeSql.xml

@@ -131,10 +131,17 @@ public enum DynamicFilterOperator
         /// {<para></para>
         /// public class DynamicFilterCustom<para></para>
         /// {<para></para>
+        /// [DynamicFilterCustom]<para></para>
         /// public static string RawSql(string value) => value;<para></para>
         /// }<para></para>
         /// }<para></para>
         /// </summary>
         Custom
     }
+
+    /// <summary>
+    /// 授权 DynamicFilter 支持 Custom 自定义解析
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Method)]
+    public class DynamicFilterCustomAttribute : Attribute { }
 }