github
/
jeecg-boot
mirror of https://github.com/jeecgboot/jeecg-boot
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

--重构表字典逻辑,深度解决SQL注入漏洞问题(修复导致的bug修复)--

pull/5377/head
zhangdaiscott 2023-09-05 22:59:08 +08:00
parent 44952c79c2
commit 473875a9d2
2 changed files with 65 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/CommonUtils.java
View File

@ -6,6 +6,7 @@ import com.baomidou.dynamic.datasource.spring.boot.autoconfigure.DynamicDataSour
import com.baomidou.mybatisplus.annotation.DbType;
import com.baomidou.mybatisplus.extension.toolkit.JdbcUtils;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils;
import org.jeecg.common.constant.CommonConstant;
import org.jeecg.common.constant.DataBaseConstant;
import org.jeecg.common.constant.ServiceNameConstants;
@ -26,6 +27,7 @@ import java.io.InputStream;
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@ -145,7 +147,7 @@ public class CommonUtils {
* @param bizPath
* @return
*/
public static String uploadLocal(MultipartFile mf,String bizPath,String uploadpath){
public static String uploadLocal(MultipartFile mf, String bizPath, String uploadpath){
try {
//update-begin-author:liusq date:20210809 for: 过滤上传文件类型
FileTypeFilter.fileTypeFilter(mf);
@ -272,7 +274,7 @@ public class CommonUtils {
if(db==null){
return null;
}
DriverManagerDataSource ds = new DriverManagerDataSource ();
DriverManagerDataSource ds = new DriverManagerDataSource();
ds.setDriverClassName(db.getDriverClassName());
ds.setUrl(db.getUrl());
ds.setUsername(db.getUsername());
@ -392,4 +394,47 @@ public class CommonUtils {
return target;
}
/**
* list
* @param list String
* @param separator
* @return
*/
public static String getSplitText(List<String> list, String separator) {
if (null != list && list.size() > 0) {
return StringUtils.join(list, separator);
}
return "";
}
/**
* tableSQL
*
* @param tableSql sys_user where name = '1212'
* @return name = '1212'
*/
public static String getFilterSqlByTableSql(String tableSql) {
if (tableSql.toLowerCase().indexOf(DataBaseConstant.SQL_WHERE) > 0) {
String[] arr = tableSql.split(" (?i)where ");
if (arr != null && oConvertUtils.isNotEmpty(arr[1])) {
return arr[1];
}
}
return "";
}
/**
* table
*
* @param tableSql sys_user where name = '1212'
* @return sys_user
*/
public static String getTableNameByTableSql(String tableSql) {
if (tableSql.toLowerCase().indexOf(DataBaseConstant.SQL_WHERE) > 0) {
String[] arr = tableSql.split(" (?i)where ");
return arr[0].trim();
} else {
return tableSql;
}
}
}

31
jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java
View File

@ -18,6 +18,7 @@ import org.jeecg.common.system.util.ResourceUtil;
import org.jeecg.common.system.vo.DictModel;
import org.jeecg.common.system.vo.DictModelMany;
import org.jeecg.common.system.vo.DictQuery;
import org.jeecg.common.util.CommonUtils;
import org.jeecg.common.util.SqlInjectionUtil;
import org.jeecg.common.util.oConvertUtils;
import org.jeecg.config.mybatis.MybatisPlusSaasConfig;
@ -456,18 +457,18 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
// }
@Override
public List<DictModel> queryLittleTableDictItems(String table, String text, String code, String condition, String keyword, int pageSize) {
public List<DictModel> queryLittleTableDictItems(String tableSql, String text, String code, String condition, String keyword, int pageSize) {
Page<DictModel> page = new Page<DictModel>(1, pageSize);
page.setSearchCount(false);
//为了防止sqljeecg提供了防注入的方法可以在拼接 SQL 语句时自动对参数进行转义避免SQL注入攻击
// 1. 针对采用 ${}写法的表名和字段进行转义和check
table = SqlInjectionUtil.getSqlInjectTableName(table);
String table = SqlInjectionUtil.getSqlInjectTableName(CommonUtils.getTableNameByTableSql(tableSql));
text = SqlInjectionUtil.getSqlInjectField(text);
code = SqlInjectionUtil.getSqlInjectField(code);
// 2. 查询条件SQL (获取条件sql方法含sql注入校验)
String filterSql = getFilterSql(table, text, code, condition, keyword);
String filterSql = getFilterSql(tableSql, text, code, condition, keyword);
// 3. 返回表字典数据
IPage<DictModel> pageList = baseMapper.queryPageTableDictWithFilter(page, table, text, code, filterSql);
@ -475,21 +476,22 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
}
/**
*
* ( )
*
* @param text
* @param code
* @param condition
* @param keyword
* @return
*/
private String getFilterSql(String table, String text, String code, String condition, String keyword){
private String getFilterSql(String tableSql, String text, String code, String condition, String keyword){
String filterSql = "";
String keywordSql = null;
String sqlWhere = "where ";
//【JTC-631】判断如果 table 携带了 where 条件,那么就使用 and 查询,防止报错
if (table.toLowerCase().contains(sqlWhere)) {
sqlWhere = " and ";
if (tableSql.toLowerCase().contains(sqlWhere)) {
sqlWhere = CommonUtils.getFilterSqlByTableSql(tableSql) + " and ";
}
// 下拉搜索组件 支持传入排序信息 查询排序
@ -532,13 +534,16 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
filterSql += " order by " + orderField + " " + orderType;
}
// result.1 返回条件SQL去掉 where 关键词)
final String wherePattern = "(?i)where "; // (?i) 表示不区分大小写
String filterSqlString = filterSql.trim().replaceAll(wherePattern, "");
// result.2 条件SQL进行漏洞 check
// 处理返回条件
// 1.1 返回条件SQL去掉开头的 where
final String wherePrefix = "(?i)where "; // (?i) 表示不区分大小写
String filterSqlString = filterSql.trim().replaceAll(wherePrefix, "");
// 1.2 条件SQL进行漏洞 check
SqlInjectionUtil.specialFilterContentForDictSql(filterSqlString);
// 1.3 判断如何返回条件是 order by开头则前面拼上 1=1
if (oConvertUtils.isNotEmpty(filterSqlString) && filterSqlString.trim().toUpperCase().startsWith("ORDER")) {
filterSqlString = " 1=1 " + filterSqlString;
}
return filterSqlString;
}