修复 sql注入漏洞 #4393

3 years ago · 0fc374de47
parent f94c5e1f3f
commit 0fc374de47
2 changed files with 8 additions and 6 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@ -3,6 +3,7 @@ package org.jeecg.common.util;
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
 import javax.servlet.http.HttpServletRequest;
 import java.lang.reflect.Field;
 import java.util.Set;
@ -21,7 +22,7 @@ public class SqlInjectionUtil {
 	 * （上线修改值 20200501，同步修改前端的盐值）
 	 */
 	private final static String TABLE_DICT_SIGN_SALT = "20200501";
-	private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
+	private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
 	/**
 	 * 正则 user() 匹配更严谨
@ -33,7 +34,7 @@ public class SqlInjectionUtil {
 	/**
 	 * sql注释的正则
 	 */
-	private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");
+	private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*[\\s\\S]*\\*/");
 	/**
 	 * 针对表字典进行额外的sign签名校验（增加安全机制）
@ -167,7 +168,7 @@ public class SqlInjectionUtil {
 	 */
 	//@Deprecated
 	public static void specialFilterContentForDictSql(String value) {
-		String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
+		String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
 		String[] xssArr = specialXssStr.split("\\|");
 		if (value == null || "".equals(value)) {
 			return;
@ -201,7 +202,7 @@ public class SqlInjectionUtil {
     */
 	//@Deprecated
 	public static void specialFilterContentForOnlineReport(String value) {
-		String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
+		String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
 		String[] xssArr = specialXssStr.split("\\|");
 		if (value == null || "".equals(value)) {
 			return;
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@ -1,6 +1,5 @@
 package org.jeecg.modules.system.security;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
@ -52,7 +51,9 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler {
     */
    private String getTableName(String str) {
        String[] arr = str.split("\\s+(?i)where\\s+");
-        return arr[0];
+        // sys_user , (sys_user), sys_user%20, %60sys_user%60  issues/4393
        String reg = "\\s+|\\(|\\)|`";
        return arr[0].replaceAll(reg, "");
    }
 }