严重安全漏洞修复

1.SQL注入检测存在绕过风险 2./upload接口存在任意文件上传漏洞
2022-02-26 22:46:52 +08:00 · 2022-02-26 22:46:52 +08:00 · b66fff6c42
parent 2be616ee49
commit b66fff6c42
3 changed files with 41 additions and 0 deletions
--- a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@ -3,7 +3,9 @@ package org.jeecg.common.util;
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
+
 import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;

 /**
 * sql注入处理工具类
@ -51,6 +53,9 @@ public class SqlInjectionUtil {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
+
 		String[] xssArr = xssStr.split("\\|");
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1) {
@ -59,6 +64,9 @@ public class SqlInjectionUtil {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}

@ -76,6 +84,9 @@ public class SqlInjectionUtil {
 			}
 			// 统一转为小写
 			value = value.toLowerCase();
+			//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+			value = value.replaceAll("/\\*.*\\*/","");
+
 			for (int i = 0; i < xssArr.length; i++) {
 				if (value.indexOf(xssArr[i]) > -1) {
 					log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
@ -83,6 +94,9 @@ public class SqlInjectionUtil {
 					throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 				}
 			}
+			if(Pattern.matches("show\\s+tables", value)){
+				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+			}
 		}
 		return;
 	}
@ -101,6 +115,9 @@ public class SqlInjectionUtil {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
+
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
@ -108,6 +125,9 @@ public class SqlInjectionUtil {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}

@ -126,6 +146,9 @@ public class SqlInjectionUtil {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
+
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
@ -133,6 +156,10 @@ public class SqlInjectionUtil {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}

--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
@ -5,6 +5,7 @@ import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.RestUtil;
@ -73,6 +74,12 @@ public class CommonController {
        Result<?> result = new Result<>();
        String savePath = "";
        String bizPath = request.getParameter("biz");
+
+        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+        if(bizPath.contains("../") || bizPath.contains("..\\")){
+            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        }
+
        MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
        MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
        if(oConvertUtils.isEmpty(bizPath)){
--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
@ -2,6 +2,7 @@ package org.jeecg.modules.system.controller;

 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.MinioUtil;
 import org.jeecg.common.util.oConvertUtils;
@ -34,6 +35,12 @@ public class SysUploadController {
    public Result<?> uploadMinio(HttpServletRequest request) {
        Result<?> result = new Result<>();
        String bizPath = request.getParameter("biz");
+
+        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+        if(bizPath.contains("../") || bizPath.contains("..\\")){
+            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        }
+
        if(oConvertUtils.isEmpty(bizPath)){
            bizPath = "";
        }