【issues/4393】解决使用参数tableName=sys_user t&复测，漏洞仍然存在

2023-08-14 15:54:03 +08:00 · 2023-08-14 15:54:03 +08:00 · 20889e8724
parent 751b81c7bf
commit 20889e8724
2 changed files with 17 additions and 4 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
@ -67,14 +67,14 @@ public abstract class AbstractQueryBlackListHandler {
        }
        for (QueryTable table : list) {
            String name = table.getName();
-            String fieldString = ruleMap.get(name);
+            String fieldRule = ruleMap.get(name);
            // 有没有配置这张表
-            if (fieldString != null) {
-                if ("*".equals(fieldString) || table.isAll()) {
+            if (fieldRule != null) {
+                if ("*".equals(fieldRule) || table.isAll()) {
                    flag = false;
                    log.warn("sql黑名单校验，表【"+name+"】禁止查询");
                    break;
-                } else if (table.existSameField(fieldString)) {
+                } else if (table.existSameField(fieldRule)) {
                    flag = false;
                    break;
                }
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@ -5,6 +5,8 @@ import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
 import org.springframework.stereotype.Component;

+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.List;

@ -23,6 +25,17 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler {

    @Override
    protected List<QueryTable> getQueryTableInfo(String dictCodeString) {
+        //针对转义字符进行解码
+        try {
+            if (dictCodeString.contains("%")) {
+                dictCodeString = URLDecoder.decode(dictCodeString, "UTF-8");
+            }
+        } catch (UnsupportedEncodingException e) {
+            //e.printStackTrace();
+        }
+        dictCodeString = dictCodeString.trim();
+        
+        // 无论什么场景 第二、三个元素一定是表的字段，直接add
        if (dictCodeString != null && dictCodeString.indexOf(SymbolConstant.COMMA) > 0) {
            String[] arr = dictCodeString.split(SymbolConstant.COMMA);
            if (arr.length != 3 && arr.length != 4) {