github
/
jeecg-boot
mirror of https://github.com/jeecgboot/jeecg-boot
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

sys/duplicate/check SQL注入 #4737

pull/4825/head
zhangdaiscott 2023-04-13 09:42:46 +08:00
parent 8ed2da601b
commit ca1218f792
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
View File

@ -30,6 +30,11 @@ public class SqlInjectionUtil {
/**正则 show tables*/ /**正则 show tables*/
private final static String SHOW_TABLES = "show\\s+tables"; private final static String SHOW_TABLES = "show\\s+tables";
/**
* sleep
*/
private final static Pattern FUN_SLEEP = Pattern.compile("sleep\\([\\d\\.]*\\)");
/** /**
* sql * sql
*/ */
@ -282,5 +287,13 @@ public class SqlInjectionUtil {
log.error(error); log.error(error);
throw new RuntimeException(error); throw new RuntimeException(error);
} }
// issues/4737 sys/duplicate/check SQL注入 #4737
Matcher sleepMatcher = FUN_SLEEP.matcher(str);
if(sleepMatcher.find()){
String error = "请注意值可能存在SQL注入风险---> sleep";
log.error(error);
throw new RuntimeException(error);
}
} }
} }