fix: 修复两个 SQL 注入漏洞

[safe1ine]

What this PR does / why we need it?

monkeycode 发现了 1panel 的两个 SQL 注入漏洞，修复之。

WithOrderBy 和 WithOrderRuleBy 函数将用户传入的 orderBy 参数通过 fmt.Sprintf 直接拼接到 SQL ORDER BY 子句中，未做任何合法性校验，攻击者可以构造恶意 orderBy 值实现 SQL 注入。受影响的接口包括但不限于：

• POST /api/v2/backups/record/size -- SearchForSize.OrderBy 无 validate 标签，可传入任意值
• POST /api/v2/websites/ssl/search -- WebsiteSSLSearch.OrderBy 虽有 oneof=expire_date 校验标签，但 handler 使用 CheckBind 而非 CheckBindAndValidate，导致校验未生效

Summary of your change

1. agent/app/repo/common.go: 在 WithOrderBy 和 WithOrderRuleBy 中新增正则校验 ^[a-zA-Z_][a-zA-Z0-9_]*$，确保 orderBy 只包含合法的列名字符（字母、数字、下划线）。不合法时回退到默认值 created_at。此修复覆盖了所有调用这两个函数的模块（cronjob、website、database、snapshot、clam 等）。

2. agent/app/api/v2/website_ssl.go: 将 PageWebsiteSSL handler 中的 helper.CheckBind 改为 helper.CheckBindAndValidate，使 WebsiteSSLSearch 结构体上的 validate:"required,oneof=expire_date" 标签生效，从 DTO 层限制 orderBy 的合法值。

Please indicate you've done the following:

• Made sure tests are passing and test coverage is added if needed.
• Made sure commit message follow the rule of Conventional Commits specification.
• Considered the docs impact and opened a new docs issue or PR with docs changes if needed.

[f2c-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[f2c-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ssongliu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[safe1ine]

@MonkeyCode-AI review 一下

[MonkeyCode-AI]

MonkeyCode-AI 正在分析任务...

[MonkeyCode-AI]

我是 MonkeyCode AI 编程助手，你可以在 GitHub 仓库的 PR 中 at @MonkeyCode-AI 来呼唤我。

任务执行细节请参考: https://monkeycode-ai.com/tasks/public?id=a3bb76b1-8edd-44bd-aec5-6cfddf95c2f1

代码审查结果

修复点覆盖了 ORDER BY 拼接与 DTO 校验缺失两个入口，能有效阻断已知 SQL 注入路径，但当前列名正则校验可能引入兼容性/可用性回退风险，建议补充白名单与可观测性。

✨ 代码亮点

• 在 repo 层为所有 WithOrderBy/WithOrderRuleBy 调用点提供统一兜底校验，修复面广
• 将 PageWebsiteSSL 从 CheckBind 切换到 CheckBindAndValidate，使 DTO 校验标签真正生效

[wanghe-fit2cloud]

感谢支持，上述修改会跟随 v2.1.0 正式版本一起发布。