[CVE-2022-45207] A few places here have not been switched to prepared statements; personally I recommend fixing them #4127

Closed
azraelxuemo opened this issue Oct 25, 2022 · 6 comments

Comments

@azraelxuemo

azraelxuemo commented Oct 25, 2022

Java provides native prepared (precompiled) SQL statements, which prevent SQL injection problems.

queryListWithPermission

The statement in the screenshot below is not prepared; I suggest switching to #{}. Although the project does not currently use this statement, it may in the future, so I recommend fixing it.
[Screenshot 2022-10-25 10:48:22]

updateNullByEmptyString

The screenshot below also uses ${}:
[Screenshot 2022-10-25 10:51:52]
In practice the value is hard-coded, but for safety I suggest switching to #{} here as well.
[Screenshot 2022-10-25 10:52:35]

selectLogicDeleted

I also suggest switching to #{} here.
[Screenshot 2022-10-25 11:20:57]

queryFilterTableDictInfo

[Screenshot 2022-10-25 14:52:32]

queryTableDictItemsByCodeAndFilter

[Screenshot 2022-10-25 14:53:37]

queryTableDictTextByKey

[Screenshot 2022-10-25 14:54:35]

queryTreeList

[Screenshot 2022-10-25 15:13:33]

queryTableDictWithFilter

[Screenshot 2022-10-25 15:39:16]

queryAllTableDictItems

[Screenshot 2022-10-25 15:40:55]

queryTableDictByKeysAndFilterSql

[Screenshot 2022-10-25 15:43:20]

@zhangdaiscott
Member

Some of these have to be written this way, for example the dynamic dictionary queries, even though that way of writing them is a security weakness. We have already added SQL-injection checking (checksql) logic at the places where those methods are called.
For the ones that can be improved, we will handle them.
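The thread above turns on two points: `${}` in a MyBatis mapper is text substitution into the SQL string, while `#{}` becomes a bound parameter of a PreparedStatement; and a dynamic dictionary lookup has to splice the table and column names in with `${}`, because a bound parameter can never stand in for an identifier, so such call sites must be protected by validating the identifier instead. The example below is added by the editor and is not jeecg-boot's code. It reproduces both points in Python's sqlite3 module (an f-string standing in for `${}`, a `?` placeholder standing in for `#{}`). The table names, columns, rows and the `dict_lookup_dynamic` allow-list check are all constructed for this example; the allow-list is not the project's checksql logic.

```python
"""
Added example (not jeecg-boot's code): the `${}` vs `#{}` distinction and why
dynamic identifiers need an allow-list rather than parameter binding.
All tables, rows and function names below are constructed for this example.
"""
import re
import sqlite3

# Constructed sample schema: a user table with secrets next to a small
# code -> text dictionary table of the kind a "table dict" lookup reads.
SCHEMA = [
    "CREATE TABLE sys_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)",
    "INSERT INTO sys_user VALUES (1, 'admin', 'h4sh-admin'), (2, 'bob', 'h4sh-bob')",
    "CREATE TABLE dict_status (code TEXT, text TEXT)",
    "INSERT INTO dict_status VALUES ('1', 'Enabled'), ('0', 'Disabled')",
]


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn


def dict_text_interpolated(conn, key):
    """`${key}` style: the caller's value is pasted into the SQL text.
    A key such as  ' UNION ALL SELECT password FROM sys_user --  rewrites
    the query and reads the user table instead of the dictionary."""
    sql = f"SELECT text FROM dict_status WHERE code = '{key}'"
    return [row[0] for row in conn.execute(sql)]


def dict_text_bound(conn, key):
    """`#{key}` style: the value is sent as a bound parameter and can only
    ever be compared against `code`; the same payload matches nothing."""
    sql = "SELECT text FROM dict_status WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (key,))]


def binding_a_table_name_fails(conn):
    """Why `#{}` cannot replace `${}` for a table name: the driver rejects a
    placeholder in FROM position (SQLite raises a syntax error)."""
    try:
        conn.execute("SELECT text FROM ? WHERE code = ?", ("dict_status", "1"))
        return False
    except sqlite3.OperationalError:
        return True


def bound_column_name_is_a_literal(conn):
    """Binding a column name does not fail, but it selects the string
    'text' itself rather than the column, so the lookup is silently wrong."""
    rows = conn.execute("SELECT ? FROM dict_status WHERE code = ?", ("text", "1"))
    return [row[0] for row in rows]


# Strict identifier allow-list (assumption made for this example, not the
# project's checksql): letters, digits and underscore only, so no quotes,
# spaces, comments or statement separators can ride in on a name.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def dict_lookup_dynamic(conn, table, text_field, code_field, key):
    """Dynamic-dictionary lookup: identifiers are validated, then spliced
    in `${}` style inside double quotes; the key value stays `#{}` bound."""
    for ident in (table, text_field, code_field):
        if not IDENT.match(ident):
            raise ValueError(f"refusing unsafe identifier: {ident!r}")
    sql = f'SELECT "{text_field}" FROM "{table}" WHERE "{code_field}" = ?'
    return [row[0] for row in conn.execute(sql, (key,))]


if __name__ == "__main__":
    db = connect()
    payload = "' UNION ALL SELECT password FROM sys_user --"
    print("${} style:", dict_text_interpolated(db, payload))
    print("#{} style:", dict_text_bound(db, payload))
    print("FROM ? rejected:", binding_a_table_name_fails(db))
    print("SELECT ? gives literal:", bound_column_name_is_a_literal(db))
    print("dynamic dict, valid:", dict_lookup_dynamic(db, "dict_status", "text", "code", "0"))
    try:
        dict_lookup_dynamic(db, "dict_status WHERE 1=1 --", "text", "code", "0")
    except ValueError as exc:
        print("dynamic dict, rejected:", exc)
```

Run as a script it prints the leaked password column for the `${}` variant and an empty list for the `#{}` variant, then shows that a table name cannot be bound at all and a bound column name degrades to a string literal. That is the situation the maintainer describes for the dictionary queries: the identifiers have to be spliced, so the defence has to be a validation step at the call site rather than `#{}`.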

@azraelxuemo
Author

azraelxuemo commented Oct 30, 2022 via email

@zhangdaiscott
Member

updateNullByEmptyString
selectLogicDeleted

@sjlei

sjlei commented Nov 2, 2022

selectLogicDeleted

The ${ew.customSqlSegment} used in selectLogicDeleted is the query wrapper provided by MyBatis-Plus; what it actually emits are #-style bound parameters, so there is no injection risk and it can be used with confidence.

[Screenshot]

@azraelxuemo
Author

OK, understood.

@zhangdaiscott
Member

These can be changed; the fix has been committed.

@azraelxuemo azraelxuemo changed the title from "A few places here have not been switched to prepared statements; personally I recommend fixing them" to "[CVE-2022-45207] A few places here have not been switched to prepared statements; personally I recommend fixing them" on Dec 7, 2022
XKC1025 pushed a commit to XKC1025/jeecg-boot that referenced this issue Mar 13, 2023
3 participants