【issues/4393】解决使用参数tableName=sys_user t&复测，漏洞仍然存在

1 year ago · 0bc7e0967d
1 changed files with 7 additions and 3 deletions
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@ -1,6 +1,5 @@
 package org.jeecg.modules.system.security;

-import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
@ -52,9 +51,14 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler {
     */
    private String getTableName(String str) {
        String[] arr = str.split("\\s+(?i)where\\s+");
-        // sys_user , (sys_user), sys_user%20, %60sys_user%60  issues/4393
+        String tableName = arr[0];
+        //【20230814】解决使用参数tableName=sys_user t&复测，漏洞仍然存在
+        if (tableName.contains(" ")) {
+            tableName = tableName.substring(0, tableName.indexOf(" "));
+        }
+        //【issues/4393】 sys_user , (sys_user), sys_user%20, %60sys_user%60
        String reg = "\\s+|\\(|\\)|`";
-        return arr[0].replaceAll(reg, "");
+        return tableName.replaceAll(reg, "");
    }

 }