修复v3.8.0 存在绕过sql黑名单限制sql注入漏洞 #8335

修复minidao `getQueryTableInfo`无法解析带括号的表名、增加数据库名解析能力
2025-05-27 18:40:34 +08:00 · 2025-05-27 18:40:34 +08:00 · ddf0f61ae5
parent 4042579167
commit ddf0f61ae5
3 changed files with 71 additions and 3 deletions
--- a/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@ -5,6 +5,7 @@ import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.exception.JeecgSqlInjectionException;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
@ -16,7 +17,13 @@ import java.util.regex.Pattern;
 * @author zhoujf
 */
@Slf4j
-public class SqlInjectionUtil {	
+public class SqlInjectionUtil {
+
+	/**
+	 * sql注入黑名单数据库名
+	 */
+	public final static String XSS_STR_TABLE = "peformance_schema|information_schema";
+
 	/**
 	 * 默认—sql注入关键词
 	 */
@ -167,7 +174,28 @@ public class SqlInjectionUtil {
 		}
 		return false;
 	}
-	
+
+	/**
+	 * 判断是否存在SQL注入关键词字符串
+	 *
+	 * @param keyword
+	 * @return
+	 */
+	@SuppressWarnings("AlibabaUndefineMagicConstant")
+	private static boolean isExistSqlInjectTableKeyword(String sql, String keyword) {
+		// 需要匹配的，sql注入关键词
+		String[] matchingTexts = new String[]{"`" + keyword, "(" + keyword, "(`" + keyword};
+		for (String matchingText : matchingTexts) {
+			String[] checkTexts = new String[]{" " + matchingText, "from" + matchingText};
+			for (String checkText : checkTexts) {
+				if (sql.contains(checkText)) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * sql注入过滤处理，遇到注入关键字抛异常
 	 * 
@ -208,6 +236,14 @@ public class SqlInjectionUtil {
 				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
 			}
 		}
+		String[] xssTableArr = XSS_STR_TABLE.split("\\|");
+		for (String xssTableStr : xssTableArr) {
+            if (isExistSqlInjectTableKeyword(value, xssTableStr)) {
+                log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, xssTableStr);
+                log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+                throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+            }
+        }

 		// 三、SQL注入检测存在绕过风险 (正则校验)
 		for (String regularOriginal : XSS_REGULAR_STR_ARRAY) {
@ -244,6 +280,14 @@ public class SqlInjectionUtil {
 				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
 			}
 		}
+		String[] xssTableArr = XSS_STR_TABLE.split("\\|");
+		for (String xssTableStr : xssTableArr) {
+			if (isExistSqlInjectTableKeyword(value, xssTableStr)) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, xssTableStr);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}

 		// 三、SQL注入检测存在绕过风险 (正则校验)
 		for (String regularOriginal : XSS_REGULAR_STR_ARRAY) {
--- a/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
+++ b/jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
@ -3,6 +3,8 @@ package org.jeecg.common.util.security;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
 import org.jeecg.common.exception.JeecgSqlInjectionException;
+import org.jeecg.common.util.SqlInjectionUtil;
+import org.jeecg.common.util.oConvertUtils;

 import java.util.*;
 import java.util.regex.Matcher;
@ -66,6 +68,8 @@ public abstract class AbstractQueryBlackListHandler {
        if(flag == false){
            return false;
        }
+        Set<String> xssTableSet = new HashSet<>(Arrays.asList(SqlInjectionUtil.XSS_STR_TABLE.split("\\|")));
+
        for (QueryTable table : list) {
            String name = table.getName();
            String fieldRule = ruleMap.get(name);
@ -81,6 +85,16 @@ public abstract class AbstractQueryBlackListHandler {
                }

            }
+            // 判断是否调用了黑名单数据库
+            String dbName = table.getDbName();
+            if (oConvertUtils.isNotEmpty(dbName)) {
+                dbName = dbName.toLowerCase().trim();
+                if (xssTableSet.contains(dbName)) {
+                    flag = false;
+                    log.warn("sql黑名单校验，数据库【" + dbName + "】禁止查询");
+                    break;
+                }
+            }
        }

        // 返回黑名单校验结果（不合法直接抛出异常）
@ -135,6 +149,8 @@ public abstract class AbstractQueryBlackListHandler {
     * 查询的表的信息
     */
    protected class QueryTable {
+        //数据库名
+        private String dbName;
        //表名
        private String name;
        //表的别名
@ -158,6 +174,14 @@ public abstract class AbstractQueryBlackListHandler {
            this.fields.add(field);
        }

+        public String getDbName() {
+            return dbName;
+        }
+
+        public void setDbName(String dbName) {
+            this.dbName = dbName;
+        }
+
        public String getName() {
            return name;
        }
--- a/jeecg-boot/pom.xml
+++ b/jeecg-boot/pom.xml
@ -57,7 +57,7 @@

 		<!-- 积木报表-->
 		<jimureport-spring-boot-starter.version>1.9.5.1</jimureport-spring-boot-starter.version>
-		<minidao.version>1.10.7</minidao.version>
+		<minidao.version>1.10.10</minidao.version>
 		<!-- 持久层 -->
 		<mybatis-plus.version>3.5.3.2</mybatis-plus.version>
 		<dynamic-datasource-spring-boot-starter.version>4.1.3</dynamic-datasource-spring-boot-starter.version>