Skip to content

Commit

Permalink
sql注入检查更加严格,修复/sys/duplicate/check存在sql注入漏洞 jeecgboot#4129
Browse files Browse the repository at this point in the history
  • Loading branch information
@zhangdaiscott
zhangdaiscott committed Nov 2, 2022
1 parent ba1fc18 commit 83899da
Showing 1 changed file with 34 additions and 7 deletions.
41 changes: 34 additions & 7 deletions jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Field;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
Expand All @@ -20,7 +21,7 @@ public class SqlInjectionUtil {
* (上线修改值 20200501,同步修改前端的盐值)
*/
private final static String TABLE_DICT_SIGN_SALT = "20200501";
private final static String XSS_STR = "and |exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";

/**
* 正则 user() 匹配更严谨
Expand All @@ -29,6 +30,11 @@ public class SqlInjectionUtil {
/**正则 show tables*/
private final static String SHOW_TABLES = "show\\s+tables";

/**
* sql注释的正则
*/
private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");

/**
* 针对表字典进行额外的sign签名校验(增加安全机制)
* @param dictCode:
Expand Down Expand Up @@ -66,10 +72,12 @@ public static void filterContent(String value, String customXssString) {
if (value == null || "".equals(value)) {
return;
}
// 校验sql注释 不允许有sql注释
checkSqlAnnotation(value);
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
//value = value.replaceAll("/\\*.*\\*/","");

String[] xssArr = XSS_STR.split("\\|");
for (int i = 0; i < xssArr.length; i++) {
Expand Down Expand Up @@ -117,10 +125,12 @@ public static void filterContent(String[] values, String customXssString) {
if (value == null || "".equals(value)) {
return;
}
// 校验sql注释 不允许有sql注释
checkSqlAnnotation(value);
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
//value = value.replaceAll("/\\*.*\\*/","");

for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1) {
Expand Down Expand Up @@ -157,15 +167,17 @@ public static void filterContent(String[] values, String customXssString) {
*/
//@Deprecated
public static void specialFilterContentForDictSql(String value) {
String specialXssStr = " exec | insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
String[] xssArr = specialXssStr.split("\\|");
if (value == null || "".equals(value)) {
return;
}
// 校验sql注释 不允许有sql注释
checkSqlAnnotation(value);
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
//value = value.replaceAll("/\\*.*\\*/","");

for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
Expand All @@ -189,15 +201,17 @@ public static void specialFilterContentForDictSql(String value) {
*/
//@Deprecated
public static void specialFilterContentForOnlineReport(String value) {
String specialXssStr = " exec | insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
String[] xssArr = specialXssStr.split("\\|");
if (value == null || "".equals(value)) {
return;
}
// 校验sql注释 不允许有sql注释
checkSqlAnnotation(value);
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
//value = value.replaceAll("/\\*.*\\*/"," ");

for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
Expand Down Expand Up @@ -256,4 +270,17 @@ public static boolean isClassField(Set<String> fieldSet, Class clazz){
}
return true;
}

/**
* 校验是否有sql注释
* @return
*/
public static void checkSqlAnnotation(String str){
Matcher matcher = SQL_ANNOTATION.matcher(str);
if(matcher.find()){
String error = "请注意,值可能存在SQL注入风险---> \\*.*\\";
log.error(error);
throw new RuntimeException(error);
}
}
}

0 comments on commit 83899da

Please sign in to comment.