
🐞 fix: 增加代码健壮性及安全性

Pchen. 1 year ago
parent
commit
c52301c652

+ 1 - 1
apis/Admin/SetPermission.js

@@ -49,7 +49,7 @@ class SetPermission extends API {
         let sql = `UPDATE users SET manage = ? WHERE id = ?`;
         let result = await db.query(sql, [manage, userid]);
 
-        if (result.affectedRows !== 1) {
+        if (!result || result.affectedRows !== 1) {
             res.json({
                 ...BaseStdResponse.DATABASE_ERR,
                 endpoint: 5135135
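Review bot: The new `!result` guard on the `if` line is only needed because this commit also removes `throw error;` from `query` in plugin/DataBase/MySQL.js, and that change makes every failed query resolve to `undefined`, so the real cause is visible only in the server log while the client receives a generic DATABASE_ERR. The same guard is repeated in AddAttendanceItems, AddAttendanceRecord, DeleteAttendanceItem, EditAttendanceItems and SupplementRecord; any other caller of `db.query` that reads rows (`rows[0]`, `.length`) without such a check would now fail with a TypeError instead of the original database error, so those call sites should be audited before merging. An alternative that keeps failures explicit is to leave `query` rethrowing and catch at the call site — AddAttendanceItems already wraps its `db.query(sql, values)` in a `try`, and that catch apparently no longer receives database errors after this change. If swallowing is intentional, document it on `query`, e.g. `// Resolves to undefined on any query error (logged here); callers must check the result.`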

+ 23 - 1
apis/ClockIn/AddAttendanceItems.js

@@ -35,6 +35,20 @@ class AddAttendanceItems extends API {
             return;
         }
 
+        if (radius <= 0 || radius >= 10000000) {
+            return res.json({
+                ...BaseStdResponse.ERR,
+                msg: '打卡半径不在限制范围内!'
+            })
+        }
+
+        if (!this.getTime(begintime, endtime)) {
+            return res.json({
+                ...BaseStdResponse.ERR,
+                msg: '考勤时间不合法!'
+            })
+        }
+
         // 检查 session 是否有效
         if (!await AccessControl.checkSession(uuid, session)) {
             res.json({
@@ -92,7 +106,7 @@ class AddAttendanceItems extends API {
         try {
             const result = await db.query(sql, values);
 
-            if (result.affectedRows !== 1) {
+            if (!result || result.affectedRows !== 1) {
                 res.json({
                     ...BaseStdResponse.DATABASE_ERR,
                     endpoint: 513513
@@ -111,6 +125,14 @@ class AddAttendanceItems extends API {
             });
         }
     }
+
+    getTime(begintime, endtime) {
+        const [bhours, bminutes, bseconds] = begintime.split(':').map(Number);
+        const [ehours, eminutes, eseconds] = endtime.split(':').map(Number);
+        const begin = bhours * 3600 + bminutes * 60 + bseconds;
+        const end = ehours * 3600 + eminutes * 60 + eseconds;
+        return begin < end
+    }
 }
 
 module.exports.AddAttendanceItems = AddAttendanceItems;
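Review bot: The added range check `radius <= 0 || radius >= 10000000` does not reject non-numeric input: if `radius` arrives as a string such as `"abc"` (or as `NaN`), both comparisons evaluate to false and the value passes through to the INSERT. Coerce first and test finiteness: `const r = Number(radius);` then `if (!Number.isFinite(r) || r <= 0 || r >= 10000000) {`. The new `getTime` helper has a similar gap: it calls `.split(':')` on `begintime`/`endtime` without a type check, so a non-string body value throws a TypeError out of the handler instead of producing the '考勤时间不合法!' response, and hour/minute/second fields outside 0–23/0–59 are accepted as long as `begin < end`; a `typeof === 'string'` guard plus a per-field range check would close both. The same two checks and the same `getTime` appear in apis/ClockIn/EditAttendanceItems.js and need the same fix there.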

+ 1 - 1
apis/ClockIn/AddAttendanceRecord.js

@@ -92,7 +92,7 @@ class AddAttendanceRecord extends API {
         const sqlInsertRecord = 'INSERT INTO kq_records (project_id, uuid, time) VALUES (?, ?, ?)';
         let insertResult = await db.query(sqlInsertRecord, [project_id, uuid, new Date().getTime()]);
 
-        if (insertResult.affectedRows !== 1) {
+        if (!insertResult || insertResult.affectedRows !== 1) {
             return res.json({
                 ...BaseStdResponse.DATABASE_ERR,
                 endpoint: 513513

+ 1 - 1
apis/ClockIn/DeleteAttendanceItem.js

@@ -66,7 +66,7 @@ class DeleteAttendanceItem extends API {
         const sqlDeleteProject = 'DELETE FROM kq_items WHERE id = ?';
         let deleteResult = await db.query(sqlDeleteProject, [project_id]);
 
-        if (deleteResult.affectedRows !== 1) {
+        if (!deleteResult || deleteResult.affectedRows !== 1) {
             res.json({
                 ...BaseStdResponse.DATABASE_ERR,
                 endpoint: 513513

+ 24 - 3
apis/ClockIn/EditAttendanceItems.js

@@ -29,13 +29,26 @@ class EditAttendanceItems extends API {
 
         // 检查必需的参数是否缺失
         if ([uuid, session, id, name, user, day_of_week, loopy, begintime, endtime, position, radius].some(value => value === '' || value === null || value === undefined)) {
-            res.json({
+            return res.json({
                 ...BaseStdResponse.MISSING_PARAMETER,
                 endpoint: 1513123
             });
-            return;
         }
 
+        if (radius <= 0 || radius >= 10000000) {
+            return res.json({
+                ...BaseStdResponse.ERR,
+                msg: '打卡半径不在限制范围内!'
+            })
+        }
+
+        if(!this.getTime(begintime, endtime)) {
+            return res.json({
+                ...BaseStdResponse.ERR,
+                msg: '考勤时间不合法!'
+            })
+        }
+            
         // 检查 session 是否有效
         if (!await AccessControl.checkSession(uuid, session)) {
             res.json({
@@ -115,7 +128,7 @@ class EditAttendanceItems extends API {
             id
         ]);
 
-        if (updateResult.affectedRows !== 1) {
+        if (!updateResult || updateResult.affectedRows !== 1) {
             res.json({
                 ...BaseStdResponse.DATABASE_ERR,
                 endpoint: 513513
@@ -127,6 +140,14 @@ class EditAttendanceItems extends API {
             ...BaseStdResponse.OK
         });
     }
+
+    getTime(begintime, endtime) {
+        const [bhours, bminutes, bseconds] = begintime.split(':').map(Number);
+        const [ehours, eminutes, eseconds] = endtime.split(':').map(Number);
+        const begin = bhours * 3600 + bminutes * 60 + bseconds;
+        const end = ehours * 3600 + eminutes * 60 + eseconds;
+        return begin < end
+    }
 }
 
 module.exports.EditAttendanceItems = EditAttendanceItems;
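Review bot: `getTime` is now defined identically in both EditAttendanceItems and AddAttendanceItems (apis/ClockIn/AddAttendanceItems.js); a validator shared by two handlers belongs in one shared module rather than being copied per class, so a later fix to one copy does not drift from the other. Its name also reads like a getter while it returns a boolean — `isValidTimeRange(begintime, endtime)` would say what the call site `if(!this.getTime(begintime, endtime))` is actually testing. Minor style in the same hunk: `if(` lacks the space used by the other `if (` statements in this file, the two new `res.json({...})` calls and `return begin < end` omit the trailing semicolons the surrounding code uses, and the line after the second new block is whitespace-only.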

+ 1 - 1
apis/ClockIn/SupplementRecord.js

@@ -113,7 +113,7 @@ class SupplementRecord extends API {
                 `${userInfo.username}补卡`
             ]);
 
-            if (result.affectedRows !== 1) {
+            if (!result || result.affectedRows !== 1) {
                 return res.json({
                     ...BaseStdResponse.DATABASE_ERR,
                     endpoint: 513514

+ 0 - 1
plugin/DataBase/MySQL.js

@@ -33,7 +33,6 @@ class MySQL {
             return rows;
         } catch (error) {
             this.logger.error(`执行SQL语句时出错:${error.stack}`);
-            throw error;
         }
     }