mirror of https://github.com/jeecgboot/jeecg-boot
升级jsqlparser到4.9
parent
888a032266
commit
8a82141c95
|
@ -117,13 +117,14 @@
|
|||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.baomidou</groupId>
|
||||
<!--JDK 11+-->
|
||||
<artifactId>mybatis-plus-jsqlparser</artifactId>
|
||||
<!--JDK 8+-->
|
||||
<!--<artifactId>mybatis-plus-jsqlparser-4.9</artifactId>-->
|
||||
<artifactId>mybatis-plus-jsqlparser-4.9</artifactId>
|
||||
<version>${mybatis-plus.version}</version>
|
||||
</dependency>
|
||||
|
||||
<!-- minidao -->
|
||||
<dependency>
|
||||
<groupId>org.jeecgframework.boot3</groupId>
|
||||
<artifactId>minidao-spring-boot-starter-jsqlparser-4.9</artifactId>
|
||||
</dependency>
|
||||
<!-- druid -->
|
||||
<dependency>
|
||||
<groupId>com.alibaba</groupId>
|
||||
|
@ -199,8 +200,7 @@
|
|||
<artifactId>java-jwt</artifactId>
|
||||
<version>${java-jwt.version}</version>
|
||||
</dependency>
|
||||
|
||||
<!--shiro-->
|
||||
<!--shiro jakarta-->
|
||||
<dependency>
|
||||
<groupId>org.apache.shiro</groupId>
|
||||
<artifactId>shiro-spring-boot-starter</artifactId>
|
||||
|
@ -212,34 +212,6 @@
|
|||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- shiro-redis -->
|
||||
<dependency>
|
||||
<groupId>org.crazycake</groupId>
|
||||
<artifactId>shiro-redis</artifactId>
|
||||
<version>${shiro-redis.version}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>org.apache.shiro</groupId>
|
||||
<artifactId>shiro-core</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>checkstyle</artifactId>
|
||||
<groupId>com.puppycrawl.tools</groupId>
|
||||
</exclusion>
|
||||
<!-- TODO shiro 无法使用 spring boot 3.X 自带的jedis,降版本处理 -->
|
||||
<exclusion>
|
||||
<artifactId>jedis</artifactId>
|
||||
<groupId>redis.clients</groupId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- TODO shiro 无法使用 spring boot 3.X 自带的jedis,降版本处理 -->
|
||||
<dependency>
|
||||
<groupId>redis.clients</groupId>
|
||||
<artifactId>jedis</artifactId>
|
||||
<version>${jedis.version}</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.shiro</groupId>
|
||||
<artifactId>shiro-spring</artifactId>
|
||||
|
@ -257,7 +229,6 @@
|
|||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- 引入适配jakarta的依赖包 -->
|
||||
<dependency>
|
||||
<groupId>org.apache.shiro</groupId>
|
||||
<artifactId>shiro-core</artifactId>
|
||||
|
@ -276,6 +247,22 @@
|
|||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- shiro-redis -->
|
||||
<dependency>
|
||||
<groupId>org.crazycake</groupId>
|
||||
<artifactId>shiro-redis</artifactId>
|
||||
<version>${shiro-redis.version}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>org.apache.shiro</groupId>
|
||||
<artifactId>shiro-core</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>checkstyle</artifactId>
|
||||
<groupId>com.puppycrawl.tools</groupId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
|
||||
<!-- knife4j -->
|
||||
<!--<dependency>
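Review bot: The shiro-redis dependency re-added after shiro-core in hunk `@ -276,6 +247,22 @@` no longer carries the `redis.clients:jedis` exclusion and the explicit `<version>${jedis.version}</version>` pin that the removed block in hunk `@ -212,34 +212,6 @@` had, together with the TODO explaining that Shiro could not use the Spring Boot 3.x jedis and needed a downgrade. Dropping an explicit pin of an older client is welcome, but the commit message (a jsqlparser upgrade) does not say why the workaround is obsolete, so the resolved jedis version should be confirmed with the dependency tree and the reason recorded next to the dependency, e.g. `<!-- jedis is no longer pinned: the version managed by Spring Boot is used (downgrade workaround removed) -->`. If a `jedis.version` property still exists in the parent pom it is now unused and can go as well; it is not visible in this page.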
|
||||
|
|
|
@ -1,27 +1,19 @@
|
|||
package org.jeecg.config.firewall.SqlInjection.impl;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import net.sf.jsqlparser.JSQLParserException;
|
||||
import net.sf.jsqlparser.parser.CCJSqlParserUtil;
|
||||
import net.sf.jsqlparser.schema.Table;
|
||||
import net.sf.jsqlparser.statement.select.PlainSelect;
|
||||
import net.sf.jsqlparser.statement.select.Select;
|
||||
import org.jeecg.common.constant.SymbolConstant;
|
||||
import org.jeecg.common.exception.JeecgSqlInjectionException;
|
||||
import org.jeecg.common.util.oConvertUtils;
|
||||
//import org.jeecg.common.util.sqlparse.JSqlParserUtils;
|
||||
//import org.jeecg.common.util.sqlparse.vo.SelectSqlInfo;
|
||||
import org.jeecg.config.JeecgBaseConfig;
|
||||
import org.jeecg.config.firewall.SqlInjection.IDictTableWhiteListHandler;
|
||||
import org.jeecg.config.firewall.interceptor.LowCodeModeInterceptor;
|
||||
import org.jeecg.modules.system.entity.SysTableWhiteList;
|
||||
import org.jeecg.modules.system.security.DictQueryBlackListHandler;
|
||||
import org.jeecg.modules.system.service.ISysTableWhiteListService;
|
||||
import org.jeecgframework.minidao.sqlparser.AbstractSqlProcessor;
|
||||
import org.jeecgframework.minidao.sqlparser.impl.JsqlparserSqlProcessor;
|
||||
import org.jeecgframework.minidao.sqlparser.impl.vo.SelectSqlInfo;
|
||||
import org.jeecgframework.minidao.util.MiniDaoUtil;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Component;
|
||||
import org.jeecgframework.minidao.util.MiniDaoUtil;
|
||||
|
||||
import java.net.URLDecoder;
|
||||
import java.util.*;
|
||||
|
@ -71,11 +63,9 @@ public class DictTableWhiteListHandlerImpl implements IDictTableWhiteListHandler
|
|||
|
||||
@Override
|
||||
public boolean isPassBySql(String sql) {
|
||||
String tableName = MiniDaoUtil.parseTable(sql);
|
||||
|
||||
List<Map<String, Object>> parsedMap = null;
|
||||
Map<String, SelectSqlInfo> parsedMap = null;
|
||||
try {
|
||||
parsedMap = MiniDaoUtil.parseSqlFields(sql);
|
||||
parsedMap = MiniDaoUtil.parseAllSelectTable(sql);
|
||||
} catch (Exception e) {
|
||||
log.warn("校验sql语句,解析报错:{}", e.getMessage());
|
||||
}
|
||||
|
@ -85,17 +75,22 @@ public class DictTableWhiteListHandlerImpl implements IDictTableWhiteListHandler
|
|||
}
|
||||
log.info("获取select sql信息 :{} ", parsedMap);
|
||||
// 遍历当前sql中的所有表名,如果有其中一个表或表的字段不在白名单中,则不通过
|
||||
if (!this.checkWhiteList(tableName, parsedMap.get(0).keySet())) {
|
||||
return false;
|
||||
for (Map.Entry<String, SelectSqlInfo> entry : parsedMap.entrySet()) {
|
||||
SelectSqlInfo sqlInfo = entry.getValue();
|
||||
if (sqlInfo.isSelectAll()) {
|
||||
log.warn("查询语句中包含 * 字段,暂时先通过");
|
||||
continue;
|
||||
}
|
||||
Set<String> queryFields = sqlInfo.getAllRealSelectFields();
|
||||
// 校验表名和字段是否允许查询
|
||||
String tableName = entry.getKey();
|
||||
if (!this.checkWhiteList(tableName, queryFields)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
String sql = "select id,name,page from dual;";
|
||||
System.out.println(MiniDaoUtil.parseSqlFields(sql));
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isPassByDict(String dictCodeString) {
|
||||
if (oConvertUtils.isEmpty(dictCodeString)) {
|
||||
|
@ -132,15 +127,13 @@ public class DictTableWhiteListHandlerImpl implements IDictTableWhiteListHandler
|
|||
log.info("字典拼接的查询SQL:{}", sql);
|
||||
try {
|
||||
// 进行SQL解析
|
||||
MiniDaoUtil.parseSqlFields(sql);
|
||||
// JSqlParserUtils.parseSelectSqlInfo(sql);
|
||||
MiniDaoUtil.parseSelectSqlInfo(sql);
|
||||
} catch (Exception e) {
|
||||
// 如果SQL解析失败,则通过字段名和表名进行校验
|
||||
return checkWhiteList(tableName, new HashSet<>(Arrays.asList(fields)));
|
||||
}
|
||||
// 通过SQL解析进行校验,可防止SQL注入
|
||||
return this.isPassBySql(sql);
|
||||
// return true;
|
||||
}
|
||||
|
||||
/**
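Review bot: In the rewritten loop of `isPassBySql` (hunk `@ -85,17 +75,22 @@`) a table whose select list is `*` hits `continue` before `checkWhiteList` runs, so for that entry neither the fields nor the table name is validated, whereas the old code always checked the table name obtained from `parseTable`. The table name should still be checked before skipping the field check, e.g. `if (sqlInfo.isSelectAll()) { log.warn("查询语句中包含 * 字段,暂时先通过"); if (!this.checkWhiteList(entry.getKey(), Collections.emptySet())) { return false; } continue; }` — assuming `checkWhiteList` treats an empty field set as "table only"; its definition is outside these hunks and needs confirming, as does the null handling of `parsedMap` in the three lines hidden between the second and third hunk. In the import hunk `import org.jeecgframework.minidao.util.MiniDaoUtil;` is printed twice; the page does not show which copy survives, but the one placed after the Spring imports should be grouped with the other `org.jeecgframework.minidao` imports.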
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>3.4.4</version>
|
||||
<version>3.4.5</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
|
@ -55,6 +55,8 @@
|
|||
|
||||
<!-- 积木报表-->
|
||||
<jimureport-spring-boot-starter.version>1.9.4</jimureport-spring-boot-starter.version>
|
||||
<minidao.version>1.10.7</minidao.version>
|
||||
|
||||
<!-- 持久层 -->
|
||||
<mybatis-plus.version>3.5.11</mybatis-plus.version>
|
||||
<dynamic-datasource-spring-boot-starter.version>4.1.3</dynamic-datasource-spring-boot-starter.version>
|
||||
|
@ -65,9 +67,9 @@
|
|||
<aliyun-java-sdk-dysmsapi.version>2.1.0</aliyun-java-sdk-dysmsapi.version>
|
||||
<aliyun.oss.version>3.17.3</aliyun.oss.version>
|
||||
<!-- shiro -->
|
||||
<shiro.version>1.12.0</shiro.version>
|
||||
<shiro.version>1.13.0</shiro.version>
|
||||
<shiro-redis.version>3.2.3</shiro-redis.version>
|
||||
<java-jwt.version>3.11.0</java-jwt.version>
|
||||
<shiro-redis.version>3.2.2</shiro-redis.version>
|
||||
<codegenerate.version>1.4.9</codegenerate.version>
|
||||
<autopoi-web.version>1.4.11</autopoi-web.version>
|
||||
<minio.version>8.5.7</minio.version>
|
||||
|
@ -384,7 +386,7 @@
|
|||
<dependency>
|
||||
<groupId>org.jeecgframework</groupId>
|
||||
<artifactId>weixin4j</artifactId>
|
||||
<version>2.0.0</version>
|
||||
<version>2.0.4</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<artifactId>commons-beanutils</artifactId>
|
||||
|
@ -422,6 +424,10 @@
|
|||
<artifactId>druid</artifactId>
|
||||
<groupId>com.alibaba</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.jeecgframework.boot3</groupId>
|
||||
<artifactId>minidao-spring-boot-starter</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
|
@ -435,6 +441,22 @@
|
|||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- minidao -->
|
||||
<dependency>
|
||||
<groupId>org.jeecgframework.boot3</groupId>
|
||||
<artifactId>minidao-spring-boot-starter-jsqlparser-4.9</artifactId>
|
||||
<version>${minidao.version}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<artifactId>druid</artifactId>
|
||||
<groupId>com.alibaba</groupId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<artifactId>jsqlparser</artifactId>
|
||||
<groupId>com.github.jsqlparser</groupId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- 积木BI大屏和仪表盘 -->
|
||||
<dependency>
|
||||
<groupId>org.jeecgframework.jimureport</groupId>
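Review bot: In hunk `@ -65,9 +67,9 @@` the `shiro-redis.version` property is printed twice, as 3.2.3 before `java-jwt.version` and as 3.2.2 after it, and the rendered page does not show which value is the new one; if 3.2.2 is the new value this is a downgrade that the commit message does not mention and should be stated explicitly next to the `shiro.version` bump to 1.13.0. In hunk `@ -435,6 +441,22 @@` the new managed `minidao-spring-boot-starter-jsqlparser-4.9` entry excludes `com.github.jsqlparser:jsqlparser`, so minidao's parser presumably arrives through `mybatis-plus-jsqlparser-4.9`; a short comment on the exclusion would record that coupling, e.g. `<!-- jsqlparser is supplied by mybatis-plus-jsqlparser-4.9; keep both on the same jsqlparser line -->`.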
|
||||
|
|