From 0fc374de4745eac52620eeb8caf6a7b76127529a Mon Sep 17 00:00:00 2001
From: zhangdaiscott
Date: Fri, 23 Dec 2022 14:03:22 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20sql=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E=20#4393?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java/org/jeecg/common/util/SqlInjectionUtil.java | 9 +++++----
 .../system/security/DictQueryBlackListHandler.java | 5 +++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
index 151fa1d7..5f327c99 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -3,6 +3,7 @@ package org.jeecg.common.util;
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
+
 import javax.servlet.http.HttpServletRequest;
 import java.lang.reflect.Field;
 import java.util.Set;
@@ -21,7 +22,7 @@ public class SqlInjectionUtil {
 * (上线修改值 20200501,同步修改前端的盐值)
 */
 private final static String TABLE_DICT_SIGN_SALT = "20200501";
-private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
+private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
 
 /**
 * 正则 user() 匹配更严谨
@@ -33,7 +34,7 @@ public class SqlInjectionUtil {
 /**
 * sql注释的正则
 */
-private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");
+private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*[\\s\\S]*\\*/");
 
 /**
 * 针对表字典进行额外的sign签名校验(增加安全机制)
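Review bot: The three tokens added to `XSS_STR` (`geohash`, `gtid_subset`, `gtid_subtract`) are repeated verbatim in the `specialXssStr` literals of `specialFilterContentForDictSql` and `specialFilterContentForOnlineReport` in the next two hunks, so the three denylists can only be kept in sync by hand; derive the method-local lists from one shared `private static final String` and add new names there once. Unlike the surrounding space-suffixed keywords (`exec `, `insert `), the new entries carry no delimiter, so any identifier containing one of them as a substring, e.g. a column named `geohash_cell`, will now be rejected — a comment stating that this is accepted collateral would help the next maintainer. A keyword denylist is by nature incomplete for a SQL fragment, so it is worth stating in the class Javadoc that this filter is defence in depth and that table and column names should be validated at the call site against an allowlist such as `^[A-Za-z0-9_]+$`, so that the fix for the next report (#4393 here) is not merely another list entry.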
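Review bot: `[\\s\\S]*` in the new `SQL_ANNOTATION` pattern is greedy, so on a value containing two comments the match runs from the first `/*` to the last `*/` and everything between the two comments counts as comment text; the previous `.*` had the same greediness within a line, the change only extends it across newlines. How the pattern is applied is outside this hunk; if it is used with `replaceAll` to strip comments before the keyword scan, the text between two comments is removed from the scan as well, whereas a reluctant quantifier, `Pattern.compile("/\\*[\\s\\S]*?\\*/")`, removes each comment on its own. A one-line comment on the field stating that nested or unterminated comments are not handled would document the intended scope.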
@@ -167,7 +168,7 @@ public class SqlInjectionUtil {
 */
 //@Deprecated
 public static void specialFilterContentForDictSql(String value) {
-String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
+String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
 String[] xssArr = specialXssStr.split("\\|");
 if (value == null || "".equals(value)) {
 return;
@@ -201,7 +202,7 @@ public class SqlInjectionUtil {
 */
 //@Deprecated
 public static void specialFilterContentForOnlineReport(String value) {
-String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
+String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
 String[] xssArr = specialXssStr.split("\\|");
 if (value == null || "".equals(value)) {
 return;
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
index 53f2e7c1..d3c76699 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@@ -1,6 +1,5 @@
 package org.jeecg.modules.system.security;
 
-import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
@@ -52,7 +51,9 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler {
 */
 private String getTableName(String str) {
 String[] arr = str.split("\\s+(?i)where\\s+");
-return arr[0];
+// sys_user , (sys_user), sys_user%20, %60sys_user%60 issues/4393
+String reg = "\\s+|\\(|\\)|`";
+return arr[0].replaceAll(reg, "");
 }
 
 }
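Review bot: `arr[0].replaceAll(reg, "")` in `getTableName` normalises by deleting every whitespace, parenthesis and backtick character instead of isolating the identifier, so a name followed by an alias such as `sys_user u` collapses into `sys_useru`, which the blacklist comparison will not recognise; matching the first identifier token instead, with a `private static final Pattern` like `^[\\s(\\x60]*([A-Za-z0-9_.]+)` and returning group 1, yields the table name in each of the cases the new comment lists and also stops recompiling `reg` on every call. The comment cites the percent-encoded forms `sys_user%20` and `%60sys_user%60`, but `\\s+` and the backtick alternative only match the decoded characters; presumably `str` is already URL-decoded by the time it reaches this handler — confirm that, or decode before the `where` split, and say so in the comment.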