tenant: admin orders sort whitelist

backend/app/services/order.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	"quyun/v2/app/errorx"
@@ -18,6 +19,7 @@ import (
 	"github.com/samber/lo"
 	"github.com/sirupsen/logrus"
 	"go.ipao.vip/gen"
+	"go.ipao.vip/gen/field"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 
@@ -428,7 +430,47 @@ func (s *order) AdminOrderPage(
 		query = query.Group(tbl.ID)
 	}
 
-	items, total, err := query.Where(conds...).Order(tbl.ID.Desc()).FindByPage(int(filter.Offset()), int(filter.Limit))
+	// 排序白名单：避免把任意字符串拼进 SQL 导致注入或慢查询。
+	// 约定：只允许按以下字段排序；未指定时默认按 id desc。
+	orderBys := make([]field.Expr, 0, 4)
+	allowedAsc := map[string]field.Expr{
+		"id":          tbl.ID.Asc(),
+		"created_at":  tbl.CreatedAt.Asc(),
+		"paid_at":     tbl.PaidAt.Asc(),
+		"amount_paid": tbl.AmountPaid.Asc(),
+	}
+	allowedDesc := map[string]field.Expr{
+		"id":          tbl.ID.Desc(),
+		"created_at":  tbl.CreatedAt.Desc(),
+		"paid_at":     tbl.PaidAt.Desc(),
+		"amount_paid": tbl.AmountPaid.Desc(),
+	}
+	for _, f := range filter.AscFields() {
+		f = strings.TrimSpace(f)
+		if f == "" {
+			continue
+		}
+		if ob, ok := allowedAsc[f]; ok {
+			orderBys = append(orderBys, ob)
+		}
+	}
+	for _, f := range filter.DescFields() {
+		f = strings.TrimSpace(f)
+		if f == "" {
+			continue
+		}
+		if ob, ok := allowedDesc[f]; ok {
+			orderBys = append(orderBys, ob)
+		}
+	}
+	// 默认加上 id desc 作为稳定排序（尤其是 join + group 的场景）。
+	if len(orderBys) == 0 {
+		orderBys = append(orderBys, tbl.ID.Desc())
+	} else {
+		orderBys = append(orderBys, tbl.ID.Desc())
+	}
+
+	items, total, err := query.Where(conds...).Order(orderBys...).FindByPage(int(filter.Offset()), int(filter.Limit))
 	if err != nil {
 		return nil, err
 	}