diff --git a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
index 38e2606c..2195f66f 100644
--- a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -3,7 +3,9 @@ package org.jeecg.common.util;
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
+
 import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
 
 /**
 * sql注入处理工具类
@@ -51,6 +53,9 @@ public class SqlInjectionUtil {
 }
 // 统一转为小写
 value = value.toLowerCase();
+ //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+ value = value.replaceAll("/\\*.*\\*/","");
+
 String[] xssArr = xssStr.split("\\|");
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1) {
@@ -59,6 +64,9 @@ public class SqlInjectionUtil {
 throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
 }
 }
+ if(Pattern.matches("show\\s+tables", value)){
+ throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
+ }
 return;
 }
 
@@ -76,6 +84,9 @@ public class SqlInjectionUtil {
 }
 // 统一转为小写
 value = value.toLowerCase();
+ //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+ value = value.replaceAll("/\\*.*\\*/","");
+
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1) {
 log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]);
@@ -83,6 +94,9 @@ public class SqlInjectionUtil {
 throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
 }
 }
+ if(Pattern.matches("show\\s+tables", value)){
+ throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
+ }
 }
 return;
 }
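Review bot: The comment stripping added before the keyword loop, `value = value.replaceAll("/\\*.*\\*/","");`, is greedy and `.` does not match line terminators, so it misbehaves in both directions: with two comments in one value (`1/*a*/ or 1=1 /*b*/`) everything from the first `/*` to the last `*/` is deleted from the copy being inspected, keyword included, and a comment that contains a newline is not stripped at all. It also removes MySQL executable comments (`/*!50000union*/`) from the inspected copy while, as far as this hunk shows, the caller still passes the original value on, so if the backend is MySQL the content of such a comment executes without ever having been seen by the loop. Strip lazily and across newlines with `value = value.replaceAll("(?s)/\\*.*?\\*/", "");`, and treat `/*!` as a hit rather than something to remove, e.g. `if (value.contains("/*!")) { throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); }`. The same line is inserted in three more methods in this file and should change in all of them; the enclosing method starts before this hunk.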
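Review bot: `Pattern.matches("show\\s+tables", value)` in the new check only fires when the entire value is `show tables` with optional whitespace, because `Pattern.matches` anchors the pattern to the whole input; values such as `1; show tables` or `show tables like 'x'` pass straight through. To search instead of match, compile once at class level, `private static final Pattern SHOW_TABLES = Pattern.compile("show\\s+tables");`, and use `if (SHOW_TABLES.matcher(value).find()) {` here, which also avoids recompiling the regex on every call. The value has already been lower-cased on the context line above, so the pattern itself can stay as written. The same check is repeated three more times below; the enclosing method starts before this hunk.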
@@ -101,6 +115,9 @@ public class SqlInjectionUtil {
 }
 // 统一转为小写
 value = value.toLowerCase();
+ //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+ value = value.replaceAll("/\\*.*\\*/","");
+
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]);
@@ -108,6 +125,9 @@ public class SqlInjectionUtil {
 throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
 }
 }
+ if(Pattern.matches("show\\s+tables", value)){
+ throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
+ }
 return;
 }
 
@@ -126,6 +146,9 @@ public class SqlInjectionUtil {
 }
 // 统一转为小写
 value = value.toLowerCase();
+ //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+ value = value.replaceAll("/\\*.*\\*/","");
+
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]);
@@ -133,6 +156,10 @@ public class SqlInjectionUtil {
 throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
 }
 }
+
+ if(Pattern.matches("show\\s+tables", value)){
+ throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value);
+ }
 return;
 }
 
diff --git a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
index 08f5acb2..610ff7b2 100644
--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
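Review bot: The comment stripping and the show-tables check are now pasted verbatim into four methods of SqlInjectionUtil, and this last copy already drifts from the other three (an extra blank `+` line before `if(Pattern.matches(...))`), which is how the next bypass fix ends up landing in three places out of four. Two private helpers, `private static String stripBlockComments(String value)` and `private static void rejectShowTables(String value)`, called from each method would keep the variants in step and give the regexes one place to be compiled as `static final` fields. The enclosing method starts before this hunk.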
@@ -5,6 +5,7 @@ import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.RestUtil;
@@ -73,6 +74,12 @@ public class CommonController {
 Result result = new Result<>();
 String savePath = "";
 String bizPath = request.getParameter("biz");
+
+ //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+ if(bizPath.contains("../") || bizPath.contains("..\\")){
+ throw new JeecgBootException("上传目录bizPath,格式非法!");
+ }
+
 MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
 MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
 if(oConvertUtils.isEmpty(bizPath)){
diff --git a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
index bf185739..7f383aad 100644
--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
@@ -2,6 +2,7 @@ package org.jeecg.modules.system.controller;
 
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.MinioUtil;
 import org.jeecg.common.util.oConvertUtils;
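Review bot: `bizPath.contains("../")` in the CommonController hunk dereferences `bizPath` before the `if(oConvertUtils.isEmpty(bizPath))` guard on the context line below it, and `request.getParameter("biz")` returns null when the parameter is absent, so an upload that simply omits `biz` now fails with a NullPointerException instead of reaching the empty-path branch. The substring test is also narrow: a bare `..` segment (`biz=..`, `biz=a/..`), an absolute path (`/tmp`) or a drive path (`C:\`) is not rejected, and whether those reach the filesystem depends on how `savePath` is assembled further down, outside the hunk. Guard the null and reject `..` in any position plus absolute prefixes, `if (bizPath != null && (bizPath.contains("..") || bizPath.startsWith("/") || bizPath.startsWith("\\") || bizPath.contains(":"))) {`, and at the point where the final path is built confirm `Paths.get(base).resolve(bizPath).normalize().startsWith(Paths.get(base))` so the check does not depend on enumerating traversal spellings. The enclosing method starts before and continues after this hunk.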
@@ -34,6 +35,12 @@ public class SysUploadController {
 public Result uploadMinio(HttpServletRequest request) {
 Result result = new Result<>();
 String bizPath = request.getParameter("biz");
+
+ //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+ if(bizPath.contains("../") || bizPath.contains("..\\")){
+ throw new JeecgBootException("上传目录bizPath,格式非法!");
+ }
+
 if(oConvertUtils.isEmpty(bizPath)){
 bizPath = "";
 }
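Review bot: Same ordering problem as in CommonController: `bizPath.contains("../")` runs before `if(oConvertUtils.isEmpty(bizPath))`, and `request.getParameter("biz")` is null when the parameter is missing, so every MinIO upload that omits `biz` now throws a NullPointerException where it previously fell through to `bizPath = ""`. Either move the new check below the empty-path normalization or prefix it with `bizPath != null &&`; and since this value appears to become an object-key prefix rather than a local directory (inferred from the MinioUtil import, not shown here), an allowlist is simpler and tighter than enumerating traversal forms: `if (bizPath != null && !bizPath.matches("[A-Za-z0-9_\\-/]*")) { throw new JeecgBootException("上传目录bizPath,格式非法!"); }`. The enclosing method's body continues past this hunk.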