github
/
RuoYi
mirror of https://gitee.com/y_project/RuoYi.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

检查字符,防止注入绕过

pull/74/head
RuoYi 2019-02-28 13:03:02 +08:00
parent 9c50dd8c2d
commit 8a37d2ae24
3 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
View File

@ -1,7 +1,6 @@
package com.ruoyi.common.page; package com.ruoyi.common.page;
import com.ruoyi.common.utils.StringUtils; import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.sql.SqlUtil;
/** /**
* *
@ -12,14 +11,11 @@ public class PageDomain
{ {
/** 当前记录起始索引 */ /** 当前记录起始索引 */
private Integer pageNum; private Integer pageNum;
/** 每页显示记录数 */ /** 每页显示记录数 */
private Integer pageSize; private Integer pageSize;
/** 排序列 */ /** 排序列 */
private String orderByColumn; private String orderByColumn;
/** 排序的方向 "desc" 或者 "asc". */ /** 排序的方向 "desc" 或者 "asc". */
private String isAsc; private String isAsc;
public String getOrderBy() public String getOrderBy()
@ -58,7 +54,7 @@ public class PageDomain
public void setOrderByColumn(String orderByColumn) public void setOrderByColumn(String orderByColumn)
{ {
this.orderByColumn = SqlUtil.escapeSql(orderByColumn); this.orderByColumn = orderByColumn;
} }
public String getIsAsc() public String getIsAsc()
@ -68,6 +64,6 @@ public class PageDomain
public void setIsAsc(String isAsc) public void setIsAsc(String isAsc)
{ {
this.isAsc = SqlUtil.escapeSql(isAsc); this.isAsc = isAsc;
} }
} }

22
ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
View File

@ -10,15 +10,27 @@ import com.ruoyi.common.utils.StringUtils;
public class SqlUtil public class SqlUtil
{ {
/** /**
* sql * 线
*/ */
public static String escapeSql(String value) public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";
/**
*
*/
public static String escapeOrderBySql(String value)
{ {
if (StringUtils.isNotEmpty(value)) if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
{ {
value = value.replaceAll("\\(", ""); return StringUtils.EMPTY;
value = value.replaceAll("\\)", "");
} }
return value; return value;
} }
/**
* order by
*/
public static boolean isValidOrderBySql(String value)
{
return value.matches(SQL_PATTERN);
}
} }

3
ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
View File

@ -13,6 +13,7 @@ import com.ruoyi.common.page.TableDataInfo;
import com.ruoyi.common.page.TableSupport; import com.ruoyi.common.page.TableSupport;
import com.ruoyi.common.utils.DateUtils; import com.ruoyi.common.utils.DateUtils;
import com.ruoyi.common.utils.StringUtils; import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.sql.SqlUtil;
import com.ruoyi.framework.util.ShiroUtils; import com.ruoyi.framework.util.ShiroUtils;
import com.ruoyi.system.domain.SysUser; import com.ruoyi.system.domain.SysUser;
@ -50,7 +51,7 @@ public class BaseController
Integer pageSize = pageDomain.getPageSize(); Integer pageSize = pageDomain.getPageSize();
if (StringUtils.isNotNull(pageNum) && StringUtils.isNotNull(pageSize)) if (StringUtils.isNotNull(pageNum) && StringUtils.isNotNull(pageSize))
{ {
String orderBy = pageDomain.getOrderBy(); String orderBy = SqlUtil.escapeOrderBySql(pageDomain.getOrderBy());
PageHelper.startPage(pageNum, pageSize, orderBy); PageHelper.startPage(pageNum, pageSize, orderBy);
} }
} }