sys/duplicate/check SQL注入 #4737

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java

@@ -30,6 +30,11 @@ public class SqlInjectionUtil {
     /**正则 show tables*/
 	private final static String SHOW_TABLES = "show\\s+tables";
 
+	/**
+	 * sleep函数
+	 */
+	private final static Pattern FUN_SLEEP = Pattern.compile("sleep\\([\\d\\.]*\\)");
+
 	/**
 	 * sql注释的正则
 	 */
@@ -282,5 +287,13 @@ public class SqlInjectionUtil {
 			log.error(error);
 			throw new RuntimeException(error);
 		}
+		
+		// issues/4737 sys/duplicate/check SQL注入 #4737
+		Matcher sleepMatcher = FUN_SLEEP.matcher(str);
+		if(sleepMatcher.find()){
+			String error = "请注意，值可能存在SQL注入风险---> sleep";
+			log.error(error);
+			throw new RuntimeException(error);
+		}
 	}
 }