升级jsqlparser到4.9

2025-05-08 16:47:46 +08:00 · 2025-05-08 16:47:46 +08:00 · 8a82141c95
parent 888a032266
commit 8a82141c95
3 changed files with 66 additions and 64 deletions
--- a/jeecg-boot/jeecg-boot-base-core/pom.xml
+++ b/jeecg-boot/jeecg-boot-base-core/pom.xml
@ -117,13 +117,14 @@
 		</dependency>
 		<dependency>
 			<groupId>com.baomidou</groupId>
-			<!--JDK 11+-->
+			<artifactId>mybatis-plus-jsqlparser-4.9</artifactId>
 			<artifactId>mybatis-plus-jsqlparser</artifactId>
 			<!--JDK 8+-->
 			<!--<artifactId>mybatis-plus-jsqlparser-4.9</artifactId>-->
 			<version>${mybatis-plus.version}</version>
 		</dependency>
-
+		<!-- minidao -->
 		<dependency>
 			<groupId>org.jeecgframework.boot3</groupId>
 			<artifactId>minidao-spring-boot-starter-jsqlparser-4.9</artifactId>
 		</dependency>
 		<!-- druid -->
 		<dependency>
 			<groupId>com.alibaba</groupId>
@ -199,8 +200,7 @@
 			<artifactId>java-jwt</artifactId>
 			<version>${java-jwt.version}</version>
 		</dependency>
-
+		<!--shiro jakarta-->
 		<!--shiro-->
 		<dependency>
 			<groupId>org.apache.shiro</groupId>
 			<artifactId>shiro-spring-boot-starter</artifactId>
@ -212,34 +212,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
 		<!-- shiro-redis -->
 		<dependency>
 			<groupId>org.crazycake</groupId>
 			<artifactId>shiro-redis</artifactId>
 			<version>${shiro-redis.version}</version>
 			<exclusions>
 				<exclusion>
 					<groupId>org.apache.shiro</groupId>
 					<artifactId>shiro-core</artifactId>
 				</exclusion>
 				<exclusion>
 					<artifactId>checkstyle</artifactId>
 					<groupId>com.puppycrawl.tools</groupId>
 				</exclusion>
 				<!-- TODO shiro 无法使用 spring boot 3.X 自带的jedis，降版本处理 -->
 				<exclusion>
 					<artifactId>jedis</artifactId>
 					<groupId>redis.clients</groupId>
 				</exclusion>
 			</exclusions>
 		</dependency>
 		<!-- TODO shiro 无法使用 spring boot 3.X 自带的jedis，降版本处理 -->
 		<dependency>
 			<groupId>redis.clients</groupId>
 			<artifactId>jedis</artifactId>
 			<version>${jedis.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.shiro</groupId>
 			<artifactId>shiro-spring</artifactId>
@ -257,7 +229,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
 		<!-- 引入适配jakarta的依赖包 -->
 		<dependency>
 			<groupId>org.apache.shiro</groupId>
 			<artifactId>shiro-core</artifactId>
@ -276,6 +247,22 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
 		<!-- shiro-redis -->
 		<dependency>
 			<groupId>org.crazycake</groupId>
 			<artifactId>shiro-redis</artifactId>
 			<version>${shiro-redis.version}</version>
 			<exclusions>
 				<exclusion>
 					<groupId>org.apache.shiro</groupId>
 					<artifactId>shiro-core</artifactId>
 				</exclusion>
 				<exclusion>
 					<artifactId>checkstyle</artifactId>
 					<groupId>com.puppycrawl.tools</groupId>
 				</exclusion>
 			</exclusions>
 		</dependency>
 		<!-- knife4j -->
 		<!--<dependency>
--- a/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/config/firewall/SqlInjection/impl/DictTableWhiteListHandlerImpl.java
+++ b/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/config/firewall/SqlInjection/impl/DictTableWhiteListHandlerImpl.java
@ -1,27 +1,19 @@
 package org.jeecg.config.firewall.SqlInjection.impl;
 import lombok.extern.slf4j.Slf4j;
 import net.sf.jsqlparser.JSQLParserException;
 import net.sf.jsqlparser.parser.CCJSqlParserUtil;
 import net.sf.jsqlparser.schema.Table;
 import net.sf.jsqlparser.statement.select.PlainSelect;
 import net.sf.jsqlparser.statement.select.Select;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.exception.JeecgSqlInjectionException;
 import org.jeecg.common.util.oConvertUtils;
 //import org.jeecg.common.util.sqlparse.JSqlParserUtils;
 //import org.jeecg.common.util.sqlparse.vo.SelectSqlInfo;
 import org.jeecg.config.JeecgBaseConfig;
 import org.jeecg.config.firewall.SqlInjection.IDictTableWhiteListHandler;
 import org.jeecg.config.firewall.interceptor.LowCodeModeInterceptor;
 import org.jeecg.modules.system.entity.SysTableWhiteList;
 import org.jeecg.modules.system.security.DictQueryBlackListHandler;
 import org.jeecg.modules.system.service.ISysTableWhiteListService;
-import org.jeecgframework.minidao.sqlparser.AbstractSqlProcessor;
+import org.jeecgframework.minidao.sqlparser.impl.vo.SelectSqlInfo;
-import org.jeecgframework.minidao.sqlparser.impl.JsqlparserSqlProcessor;
+import org.jeecgframework.minidao.util.MiniDaoUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import org.jeecgframework.minidao.util.MiniDaoUtil;
 import java.net.URLDecoder;
 import java.util.*;
@ -71,11 +63,9 @@ public class DictTableWhiteListHandlerImpl implements IDictTableWhiteListHandler
    @Override
    public boolean isPassBySql(String sql) {
-        String tableName = MiniDaoUtil.parseTable(sql);
+        Map<String, SelectSqlInfo> parsedMap = null;
        List<Map<String, Object>> parsedMap = null;
        try {
-            parsedMap = MiniDaoUtil.parseSqlFields(sql);
+            parsedMap = MiniDaoUtil.parseAllSelectTable(sql);
        } catch (Exception e) {
            log.warn("校验sql语句，解析报错：{}", e.getMessage());
        }
@ -85,17 +75,22 @@ public class DictTableWhiteListHandlerImpl implements IDictTableWhiteListHandler
        }
        log.info("获取select sql信息 ：{} ", parsedMap);
        // 遍历当前sql中的所有表名，如果有其中一个表或表的字段不在白名单中，则不通过
-        if (!this.checkWhiteList(tableName, parsedMap.get(0).keySet())) {
+        for (Map.Entry<String, SelectSqlInfo> entry : parsedMap.entrySet()) {
-            return false;
+            SelectSqlInfo sqlInfo = entry.getValue();
            if (sqlInfo.isSelectAll()) {
                log.warn("查询语句中包含 * 字段，暂时先通过");
                continue;
            }
            Set<String> queryFields = sqlInfo.getAllRealSelectFields();
            // 校验表名和字段是否允许查询
            String tableName = entry.getKey();
            if (!this.checkWhiteList(tableName, queryFields)) {
                return false;
            }
        }
        return true;
    }
    public static void main(String[] args) {
        String sql = "select id,name,page from dual;";
        System.out.println(MiniDaoUtil.parseSqlFields(sql));
    }
    @Override
    public boolean isPassByDict(String dictCodeString) {
        if (oConvertUtils.isEmpty(dictCodeString)) {
@ -132,15 +127,13 @@ public class DictTableWhiteListHandlerImpl implements IDictTableWhiteListHandler
        log.info("字典拼接的查询SQL：{}", sql);
        try {
            // 进行SQL解析
-            MiniDaoUtil.parseSqlFields(sql);
+            MiniDaoUtil.parseSelectSqlInfo(sql);
 //            JSqlParserUtils.parseSelectSqlInfo(sql);
        } catch (Exception e) {
            // 如果SQL解析失败，则通过字段名和表名进行校验
            return checkWhiteList(tableName, new HashSet<>(Arrays.asList(fields)));
        }
        // 通过SQL解析进行校验，可防止SQL注入
        return this.isPassBySql(sql);
 //        return true;
    }
    /**
--- a/jeecg-boot/pom.xml
+++ b/jeecg-boot/pom.xml
@ -23,7 +23,7 @@
  	<parent>
 	    <groupId>org.springframework.boot</groupId>
 	    <artifactId>spring-boot-starter-parent</artifactId>
-	    <version>3.4.4</version>
+	    <version>3.4.5</version>
 	    <relativePath/>
 	</parent>
@ -55,6 +55,8 @@
 		<!-- 积木报表-->
 		<jimureport-spring-boot-starter.version>1.9.4</jimureport-spring-boot-starter.version>
 		<minidao.version>1.10.7</minidao.version>
 		<!-- 持久层 -->
 		<mybatis-plus.version>3.5.11</mybatis-plus.version>
 		<dynamic-datasource-spring-boot-starter.version>4.1.3</dynamic-datasource-spring-boot-starter.version>
@ -65,9 +67,9 @@
 		<aliyun-java-sdk-dysmsapi.version>2.1.0</aliyun-java-sdk-dysmsapi.version>
 		<aliyun.oss.version>3.17.3</aliyun.oss.version>
 		<!-- shiro -->
-		<shiro.version>1.12.0</shiro.version>
+		<shiro.version>1.13.0</shiro.version>
 		<shiro-redis.version>3.2.3</shiro-redis.version>
 		<java-jwt.version>3.11.0</java-jwt.version>
 		<shiro-redis.version>3.2.2</shiro-redis.version>
 		<codegenerate.version>1.4.9</codegenerate.version>
 		<autopoi-web.version>1.4.11</autopoi-web.version>
 		<minio.version>8.5.7</minio.version>
@ -384,7 +386,7 @@
 			<dependency>
 				<groupId>org.jeecgframework</groupId>
 				<artifactId>weixin4j</artifactId>
-				<version>2.0.0</version>
+				<version>2.0.4</version>
 				<exclusions>
 					<exclusion>
 						<artifactId>commons-beanutils</artifactId>
@ -422,6 +424,10 @@
 						<artifactId>druid</artifactId>
 						<groupId>com.alibaba</groupId>
 					</exclusion>
 					<exclusion>
 						<groupId>org.jeecgframework.boot3</groupId>
 						<artifactId>minidao-spring-boot-starter</artifactId>
 					</exclusion>
 				</exclusions>
 			</dependency>
 			<dependency>
@ -435,6 +441,22 @@
 					</exclusion>
 				</exclusions>
 			</dependency>
 			<!-- minidao -->
 			<dependency>
 				<groupId>org.jeecgframework.boot3</groupId>
 				<artifactId>minidao-spring-boot-starter-jsqlparser-4.9</artifactId>
 				<version>${minidao.version}</version>
 				<exclusions>
 					<exclusion>
 						<artifactId>druid</artifactId>
 						<groupId>com.alibaba</groupId>
 					</exclusion>
 					<exclusion>
 						<artifactId>jsqlparser</artifactId>
 						<groupId>com.github.jsqlparser</groupId>
 					</exclusion>
 				</exclusions>
 			</dependency>
            <!-- 积木BI大屏和仪表盘 -->
            <dependency>
                <groupId>org.jeecgframework.jimureport</groupId>