Commit f18ced5

sql注入检查更加严格,修复/sys/duplicate/check存在sql注入漏洞 #4129
1 parent d34614c commit f18ced5

1 file changed

+34
-7
lines changed


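--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -6,6 +6,7 @@
 import javax.servlet.http.HttpServletRequest;
 import java.lang.reflect.Field;
 import java.util.Set;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
@@ -20,7 +21,7 @@ public class SqlInjectionUtil {
 * (上线修改值 20200501,同步修改前端的盐值)
 */
 private final static String TABLE_DICT_SIGN_SALT = "20200501";
-private final static String XSS_STR = "and |exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
+private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
 
 /**
 * 正则 user() 匹配更严谨
@@ -29,6 +30,11 @@ public class SqlInjectionUtil {
 /**正则 show tables*/
 private final static String SHOW_TABLES = "show\\s+tables";
 
+/**
+* sql注释的正则
+*/
+private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");
+
 /**
 * 针对表字典进行额外的sign签名校验(增加安全机制)
 * @param dictCode:
@@ -66,10 +72,12 @@ public static void filterContent(String value, String customXssString) {
 if (value == null || "".equals(value)) {
 return;
 }
+// 校验sql注释 不允许有sql注释
+checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-value = value.replaceAll("/\\*.*\\*/","");
+//value = value.replaceAll("/\\*.*\\*/","");
 
 String[] xssArr = XSS_STR.split("\\|");
 for (int i = 0; i < xssArr.length; i++) {
@@ -117,10 +125,12 @@ public static void filterContent(String[] values, String customXssString) {
 if (value == null || "".equals(value)) {
 return;
 }
+// 校验sql注释 不允许有sql注释
+checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-value = value.replaceAll("/\\*.*\\*/","");
+//value = value.replaceAll("/\\*.*\\*/","");
 
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1) {
@@ -157,15 +167,17 @@ public static void filterContent(String[] values, String customXssString) {
 */
 //@Deprecated
 public static void specialFilterContentForDictSql(String value) {
-String specialXssStr = " exec | insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
+String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
 String[] xssArr = specialXssStr.split("\\|");
 if (value == null || "".equals(value)) {
 return;
 }
+// 校验sql注释 不允许有sql注释
+checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-value = value.replaceAll("/\\*.*\\*/","");
+//value = value.replaceAll("/\\*.*\\*/","");
 
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
@@ -189,15 +201,17 @@ public static void specialFilterContentForDictSql(String value) {
 */
 //@Deprecated
 public static void specialFilterContentForOnlineReport(String value) {
-String specialXssStr = " exec | insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
+String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
 String[] xssArr = specialXssStr.split("\\|");
 if (value == null || "".equals(value)) {
 return;
 }
+// 校验sql注释 不允许有sql注释
+checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-value = value.replaceAll("/\\*.*\\*/","");
+//value = value.replaceAll("/\\*.*\\*/"," ");
 
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
@@ -256,4 +270,17 @@ public static boolean isClassField(Set<String> fieldSet, Class clazz){
 }
 return true;
 }
+
+/**
+* 校验是否有sql注释
+* @return
+*/
+public static void checkSqlAnnotation(String str){
+Matcher matcher = SQL_ANNOTATION.matcher(str);
+if(matcher.find()){
+String error = "请注意,值可能存在SQL注入风险---> \\*.*\\";
+log.error(error);
+throw new RuntimeException(error);
+}
+}
 }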
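Review bot: `SQL_ANNOTATION` is compiled without `Pattern.DOTALL`, so the `.*` in `/\\*.*\\*/` stops at a line terminator and `checkSqlAnnotation` (last hunk) does not detect a comment whose body spans a newline, while the `replaceAll` that previously stripped such comments is now commented out in `filterContent` and both `specialFilterContent*` methods, so that input reaches the keyword loop unchanged; `private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/", Pattern.DOTALL);` closes that gap. The Javadoc on `checkSqlAnnotation` carries an empty `@return` on a `void` method; I would replace it with `@throws RuntimeException if {@code str} contains a {@code /* ... */} comment` and note that `str` must be non-null, since the method is public and `matcher(null)` throws NullPointerException even though all three callers here null-check first. The four commented-out `replaceAll` lines are dead code left in place of a deletion and should simply be removed, as the issue link above them already records why.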
