issues/4128 sql injection

pull/4246/merge
zhangdaiscott 2022-11-06 17:36:48 +08:00
parent 8632a835c2
commit 4a1ed660ca
1 changed files with 24 additions and 2 deletions


@ -309,7 +309,7 @@ public class SysDictController {
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
@RequestMapping(value = "/loadTreeData", method = RequestMethod.GET) @RequestMapping(value = "/loadTreeData", method = RequestMethod.GET)
public Result<List<TreeSelectModel>> loadTreeData(@RequestParam(name="pid") String pid,@RequestParam(name="pidField") String pidField, public Result<List<TreeSelectModel>> loadTreeData(@RequestParam(name="pid",required = false) String pid,@RequestParam(name="pidField") String pidField,
@RequestParam(name="tableName") String tbname, @RequestParam(name="tableName") String tbname,
@RequestParam(name="text") String text, @RequestParam(name="text") String text,
@RequestParam(name="code") String code, @RequestParam(name="code") String code,
@ -348,6 +348,11 @@ public class SysDictController {
// SQL注入漏洞 sign签名校验 // SQL注入漏洞 sign签名校验
String dictCode = query.getTable()+","+query.getText()+","+query.getCode(); String dictCode = query.getTable()+","+query.getText()+","+query.getCode();
SqlInjectionUtil.filterContent(dictCode); SqlInjectionUtil.filterContent(dictCode);
//update-begin-author:taoyan date:2022-11-4 for: issues/4128 sql injection
if(!dictQueryBlackListHandler.isPass(dictCode)){
return res.error500(dictQueryBlackListHandler.getError());
}
//update-end-author:taoyan date:2022-11-4 for: issues/4128 sql injection
List<DictModel> ls = this.sysDictService.queryDictTablePageList(query,pageSize,pageNo); List<DictModel> ls = this.sysDictService.queryDictTablePageList(query,pageSize,pageNo);
res.setResult(ls); res.setResult(ls);
res.setSuccess(true); res.setSuccess(true);
@ -617,4 +622,21 @@ public class SysDictController {
} }
} }
/**
* VUEN-2584issuesql
*
* @param e
* @return
*/
@ExceptionHandler(java.sql.SQLException.class)
public Result<?> handleSQLException(Exception e){
String msg = e.getMessage();
String extractvalue = "extractvalue";
String updatexml = "updatexml";
if(msg!=null && (msg.toLowerCase().indexOf(extractvalue)>=0 || msg.toLowerCase().indexOf(updatexml)>=0)){
return Result.error("校验失败sql解析异常");
}
return Result.error("校验失败sql解析异常" + msg);
}
} }
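Review bot: The final `return Result.error("校验失败sql解析异常" + msg);` in `handleSQLException` still sends the raw database error text to the client whenever the message does not contain `extractvalue` or `updatexml`, so the two-name check narrows the leak rather than closing it. Database error messages can carry schema names and query fragments whichever function triggered them, so the handler should return the generic `Result.error("校验失败sql解析异常")` in every case and write `e` to the server log instead. The handler is also bound to `java.sql.SQLException` directly; if the persistence layer wraps SQL errors in its own runtime exception before they reach the controller (not visible in this section), the method would never fire, which is worth confirming with a test. The Javadoc's empty `@param e` and `@return` tags could state that the response is deliberately generic.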