remove sql inject pattern (--) to ignore match single --, due misjudg…

…ing jwt (#85)
dromara · Apr 2, 2021 · d1dd341 · d1dd341
1 parent b0d61f1
commit d1dd341
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/core/src/main/java/com/usthe/sureness/security/XssSqlUtil.java b/core/src/main/java/com/usthe/sureness/security/XssSqlUtil.java
@@ -17,7 +17,7 @@ public class XssSqlUtil {
     private static final String STR_JS = "javascript:";
     private static final String STR_VB = "vbscript:";
     private static final String STR_ON = "onload(.*?)=";
-    private static final String SQL = "('.+--)|(--)|(%7C)";
+    private static final String SQL = "('.+--)|(%7C)";
 
     private static final Pattern SCRIPT1_PATTERN = Pattern.compile(STR_SCRIPT1, Pattern.CASE_INSENSITIVE);
     private static final Pattern SCRIPT2_PATTERN = Pattern.compile(STR_SCRIPT2, Pattern.CASE_INSENSITIVE);

diff --git a/core/src/test/java/com/usthe/sureness/security/XssSqlUtilTest.java b/core/src/test/java/com/usthe/sureness/security/XssSqlUtilTest.java
@@ -0,0 +1,27 @@
+package com.usthe.sureness.security;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * @author tomsun28
+ * @date 2021/4/2 21:38
+ */
+class XssSqlUtilTest {
+
+    @Test
+    void stripXss() {
+        String xssTmp = "cc<script>is a book</script>BB";
+        assertEquals("ccBB", XssSqlUtil.stripXss(xssTmp));
+    }
+
+    @Test
+    void stripSqlInjection() {
+        String jwtTmp = "good is girl--boy";
+        assertEquals(jwtTmp, XssSqlUtil.stripSqlInjection(jwtTmp));
+        String sqlInject = "select * from tableDb where d = 'sds' -- update";
+        assertNotEquals(sqlInject, XssSqlUtil.stripSqlInjection(sqlInject));
+        assertEquals("select * from tableDb where d =  update", XssSqlUtil.stripSqlInjection(sqlInject));
+    }
+}