代码生成创建表检查关键字,防止注入风险

pull/358/head
RuoYi 3 years ago
parent c78758e32d
commit 452da5caeb

@ -10,6 +10,11 @@ import com.ruoyi.common.utils.StringUtils;
*/
public class SqlUtil
{
/**
* sql
*/
public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
/**
* 线
*/
@ -34,4 +39,23 @@ public class SqlUtil
{
return value.matches(SQL_PATTERN);
}
/**
* SQL
*/
public static void filterKeyword(String value)
{
if (StringUtils.isEmpty(value))
{
return;
}
String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
for (int i = 0; i < sqlKeywords.length; i++)
{
if (StringUtils.indexOfIgnoreCase(value, sqlKeywords[i]) > -1)
{
throw new BaseException("参数存在SQL注入风险");
}
}
}
}

@ -31,6 +31,7 @@ import com.ruoyi.common.core.text.Convert;
import com.ruoyi.common.enums.BusinessType;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.security.PermissionUtils;
import com.ruoyi.common.utils.sql.SqlUtil;
import com.ruoyi.generator.domain.GenTable;
import com.ruoyi.generator.domain.GenTableColumn;
import com.ruoyi.generator.service.IGenTableColumnService;
@ -196,31 +197,33 @@ public class GenController extends BaseController
@ResponseBody
public AjaxResult create(String sql)
{
List<SQLStatement> sqlStatements = SQLUtils.parseStatements(sql, DbType.mysql);
List<String> tableNames = new ArrayList<>();
for (SQLStatement sqlStatement : sqlStatements)
try
{
if (sqlStatement instanceof MySqlCreateTableStatement)
SqlUtil.filterKeyword(sql);
List<SQLStatement> sqlStatements = SQLUtils.parseStatements(sql, DbType.mysql);
List<String> tableNames = new ArrayList<>();
for (SQLStatement sqlStatement : sqlStatements)
{
MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
String tableName = createTableStatement.getTableName();
tableName = tableName.replaceAll("`", "");
int msg = genTableService.createTable(createTableStatement.toString());
if (msg == 0)
if (sqlStatement instanceof MySqlCreateTableStatement)
{
tableNames.add(tableName);
MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
if (genTableService.createTable(createTableStatement.toString()))
{
String tableName = createTableStatement.getTableName().replaceAll("`", "");
tableNames.add(tableName);
}
}
}
else
{
return AjaxResult.error("请输入建表语句");
}
List<GenTable> tableList = genTableService.selectDbTableListByNames(tableNames.toArray(new String[tableNames.size()]));
String operName = Convert.toStr(PermissionUtils.getPrincipalProperty("loginName"));
genTableService.importGenTable(tableList, operName);
return AjaxResult.success();
}
catch (Exception e)
{
logger.error(e.getMessage(), e);
return AjaxResult.error("创建表结构异常" + e.getMessage());
}
List<GenTable> tableList = genTableService.selectDbTableListByNames((tableNames.toArray(new String[tableNames.size()])));
String operName = Convert.toStr(PermissionUtils.getPrincipalProperty("loginName"));
genTableService.importGenTable(tableList, operName);
return AjaxResult.success();
}
/**

@ -72,7 +72,7 @@ public interface IGenTableService
* @param sql
* @return
*/
public int createTable(String sql);
public boolean createTable(String sql);
/**
*

@ -157,9 +157,9 @@ public class GenTableServiceImpl implements IGenTableService
* @return
*/
@Override
public int createTable(String sql)
public boolean createTable(String sql)
{
return genTableMapper.createTable(sql);
return genTableMapper.createTable(sql) == 0;
}
/**

Loading…
Cancel
Save