From b66fff6c42b4ce1c7e29828ed68e6d9c66a4b391 Mon Sep 17 00:00:00 2001 From: zhangdaiscott Date: Sat, 26 Feb 2022 22:46:52 +0800 Subject: [PATCH] =?UTF-8?q?=E4=B8=A5=E9=87=8D=E5=AE=89=E5=85=A8=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E=E4=BF=AE=E5=A4=8D=201.SQL=E6=B3=A8=E5=85=A5=E6=A3=80?= =?UTF-8?q?=E6=B5=8B=E5=AD=98=E5=9C=A8=E7=BB=95=E8=BF=87=E9=A3=8E=E9=99=A9?= =?UTF-8?q?=202./upload=E6=8E=A5=E5=8F=A3=E5=AD=98=E5=9C=A8=E4=BB=BB?= =?UTF-8?q?=E6=84=8F=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../jeecg/common/util/SqlInjectionUtil.java | 27 +++++++++++++++++++ .../system/controller/CommonController.java | 7 +++++ .../controller/SysUploadController.java | 7 +++++ 3 files changed, 41 insertions(+) diff --git a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java index 38e2606c..2195f66f 100644 --- a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java +++ b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java @@ -3,7 +3,9 @@ package org.jeecg.common.util; import cn.hutool.crypto.SecureUtil; import lombok.extern.slf4j.Slf4j; import org.jeecg.common.exception.JeecgBootException; + import javax.servlet.http.HttpServletRequest; +import java.util.regex.Pattern; /** * sql注入处理工具类 @@ -51,6 +53,9 @@ public class SqlInjectionUtil { } // 统一转为小写 value = value.toLowerCase(); + //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE + value = value.replaceAll("/\\*.*\\*/",""); + String[] xssArr = xssStr.split("\\|"); for (int i = 0; i < xssArr.length; i++) { if (value.indexOf(xssArr[i]) > -1) { 
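Review bot: The added `value = value.replaceAll("/\\*.*\\*/","");` uses a greedy `.*`, so a value holding two comments, e.g. `/*a*/ union select /*b*/`, is collapsed to an empty string before the keyword loop runs and the part the database would actually execute is never scanned; `.*` also stops at a newline, so `/*` + newline + `*/` survives the strip. Use a reluctant, line-spanning pattern compiled once, `private static final Pattern BLOCK_COMMENT = Pattern.compile("/\\*[\\s\\S]*?\\*/");` and `value = BLOCK_COMMENT.matcher(value).replaceAll("");`. MySQL executes the body of `/*! ... */` versioned comments, so stripping those whole presumably hides executable text as well — worth confirming against the databases this project targets. The same line is added to three more methods of this class below, and the enclosing method's body continues outside the hunk.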
@@ -59,6 +64,9 @@ public class SqlInjectionUtil { throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); } } + if(Pattern.matches("show\\s+tables", value)){ + throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); + } return; } @@ -76,6 +84,9 @@ public class SqlInjectionUtil { } // 统一转为小写 value = value.toLowerCase(); + //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE + value = value.replaceAll("/\\*.*\\*/",""); + for (int i = 0; i < xssArr.length; i++) { if (value.indexOf(xssArr[i]) > -1) { log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]); @@ -83,6 +94,9 @@ public class SqlInjectionUtil { throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); } } + if(Pattern.matches("show\\s+tables", value)){ + throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); + } } return; } @@ -101,6 +115,9 @@ public class SqlInjectionUtil { } // 统一转为小写 value = value.toLowerCase(); + //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE + value = value.replaceAll("/\\*.*\\*/",""); + for (int i = 0; i < xssArr.length; i++) { if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) { log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]); @@ -108,6 +125,9 @@ public class SqlInjectionUtil { throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); } } + if(Pattern.matches("show\\s+tables", value)){ + throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); + } return; } @@ -126,6 +146,9 @@ public class SqlInjectionUtil { } // 统一转为小写 value = value.toLowerCase(); + //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE + value = value.replaceAll("/\\*.*\\*/",""); + for (int i = 0; i < xssArr.length; i++) { if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) { log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]); 
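Review bot: `Pattern.matches("show\\s+tables", value)` only succeeds when the entire value is `show tables`, so `show tables;`, `1 show tables` or `show tables like 'x'` all pass the new check and it adds almost no protection. Switch to a find-style match on a pattern compiled once, `private static final Pattern SHOW_TABLES = Pattern.compile("show\\s+tables");` and `if (SHOW_TABLES.matcher(value).find()) {`. The identical block is added in three further hunks of this file and needs the same change in each; the enclosing method starts before this hunk.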
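Review bot: With this hunk the comment-strip line and the `show tables` check now exist as four copy-pasted pairs across the class, each re-parsing the regex on every call (`replaceAll` and `Pattern.matches` both compile their argument). Move both steps into one private helper such as `private static String normalizeAndCheck(String value)` that is called right after `value = value.toLowerCase();` in each method, and hold the patterns as `static final Pattern` fields; a future fix to either check then lands in one place instead of four. The method this hunk touches begins before the hunk and ends after it.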
@@ -133,6 +156,10 @@ public class SqlInjectionUtil { throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); } } + + if(Pattern.matches("show\\s+tables", value)){ + throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); + } return; } diff --git a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java index 08f5acb2..610ff7b2 100644 --- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java +++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java @@ -5,6 +5,7 @@ import com.alibaba.fastjson.JSONObject; import lombok.extern.slf4j.Slf4j; import org.jeecg.common.api.vo.Result; import org.jeecg.common.constant.CommonConstant; +import org.jeecg.common.exception.JeecgBootException; import org.jeecg.common.system.api.ISysBaseAPI; import org.jeecg.common.util.CommonUtils; import org.jeecg.common.util.RestUtil; @@ -73,6 +74,12 @@ public class CommonController { Result result = new Result<>(); String savePath = ""; String bizPath = request.getParameter("biz"); + + //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞 + if(bizPath.contains("../") || bizPath.contains("..\\")){ + throw new JeecgBootException("上传目录bizPath,格式非法!"); + } + MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request; MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象 if(oConvertUtils.isEmpty(bizPath)){ diff --git a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java index bf185739..7f383aad 100644 --- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java 
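Review bot: `bizPath.contains("../")` dereferences `bizPath` before the `oConvertUtils.isEmpty(bizPath)` fallback a few lines below, so a request that omits the `biz` parameter now dies with a NullPointerException instead of defaulting to the empty path. The substring test is also narrower than the traversal it targets: a value of `..` on its own, or one that ends in `..`, contains neither `../` nor `..\`, and an absolute path is not rejected at all — how far those reach depends on how `savePath` is assembled further down, outside the hunk. A minimal tightening is `if (bizPath != null && (bizPath.contains("..") || bizPath.startsWith("/") || bizPath.startsWith("\\"))) {`; the more robust option is to resolve the final target under the upload root and reject it unless `target.normalize().startsWith(root)`.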
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java @@ -2,6 +2,7 @@ package org.jeecg.modules.system.controller; import lombok.extern.slf4j.Slf4j; import org.jeecg.common.api.vo.Result; +import org.jeecg.common.exception.JeecgBootException; import org.jeecg.common.util.CommonUtils; import org.jeecg.common.util.MinioUtil; import org.jeecg.common.util.oConvertUtils; @@ -34,6 +35,12 @@ public class SysUploadController { public Result uploadMinio(HttpServletRequest request) { Result result = new Result<>(); String bizPath = request.getParameter("biz"); + + //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞 + if(bizPath.contains("../") || bizPath.contains("..\\")){ + throw new JeecgBootException("上传目录bizPath,格式非法!"); + } + if(oConvertUtils.isEmpty(bizPath)){ bizPath = ""; }
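Review bot: Same guard as in CommonController with the same two gaps: the `bizPath.contains("../")` test runs before the `isEmpty` fallback, so a request without `biz` throws a NullPointerException, and a bare or trailing `..` is not caught. Use `if (bizPath != null && (bizPath.contains("..") || bizPath.startsWith("/") || bizPath.startsWith("\\"))) {` here as well. Given the `MinioUtil` import the target is presumably an object key rather than a filesystem path, so what `..` actually does depends on how the key is built after this hunk — confirm before relying on the substring check alone.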