针对字典sql，加入sql注入check和sql黑名单check

3 years ago · 2a99fa2ecb
parent 4a1ed660ca
commit 2a99fa2ecb
3 changed files with 77 additions and 5 deletions
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
@ -5,7 +5,10 @@ import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.dto.DataLogDTO;
 import org.jeecg.common.api.dto.OnlineAuthDTO;
 import org.jeecg.common.api.dto.message.*;
+import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.system.vo.*;
+import org.jeecg.common.util.SqlInjectionUtil;
+import org.jeecg.modules.system.security.DictQueryBlackListHandler;
 import org.jeecg.modules.system.service.ISysUserService;
 import org.jeecg.modules.system.service.impl.SysBaseApiImpl;
 import org.springframework.beans.factory.annotation.Autowired;
@ -30,6 +33,9 @@ public class SystemApiController {
    @Autowired
    private ISysUserService sysUserService;

+    @Autowired
+    private DictQueryBlackListHandler dictQueryBlackListHandler;
+

    /**
     * 发送系统消息
@ -521,6 +527,10 @@ public class SystemApiController {
     */
    @GetMapping("/loadDictItem")
    public List<String> loadDictItem(@RequestParam("dictCode") String dictCode, @RequestParam("keys") String keys) {
+        if(!dictQueryBlackListHandler.isPass(dictCode)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
        return sysBaseApi.loadDictItem(dictCode, keys);
    }

@ -533,6 +543,10 @@ public class SystemApiController {
     */
    @GetMapping("/getDictItems")
    public List<DictModel> getDictItems(@RequestParam("dictCode") String dictCode) {
+        if(!dictQueryBlackListHandler.isPass(dictCode)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
        return sysBaseApi.getDictItems(dictCode);
    }

@ -557,6 +571,10 @@ public class SystemApiController {
     */
    @GetMapping("/loadDictItemByKeyword")
    public List<DictModel> loadDictItemByKeyword(@RequestParam("dictCode") String dictCode, @RequestParam("keyword") String keyword, @RequestParam(value = "pageSize", required = false) Integer pageSize) {
+        if(!dictQueryBlackListHandler.isPass(dictCode)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
        return sysBaseApi.loadDictItemByKeyword(dictCode, keyword, pageSize);
    }

@ -581,6 +599,11 @@ public class SystemApiController {
     */
    @GetMapping("/queryTableDictItemsByCode")
    List<DictModel> queryTableDictItemsByCode(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
        return sysBaseApi.queryTableDictItemsByCode(table, text, code);
    }

@ -594,6 +617,14 @@ public class SystemApiController {
     */
    @GetMapping("/queryFilterTableDictInfo")
    List<DictModel> queryFilterTableDictInfo(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("filterSql") String filterSql){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
+        String[] arr = new String[]{table, text, code};
+        SqlInjectionUtil.filterContent(arr);
+        SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
        return sysBaseApi.queryFilterTableDictInfo(table, text, code, filterSql);
    }

@ -609,6 +640,11 @@ public class SystemApiController {
    @Deprecated
    @GetMapping("/queryTableDictByKeys")
    public List<String> queryTableDictByKeys(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("keyArray") String[] keyArray){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
        return sysBaseApi.queryTableDictByKeys(table, text, code, keyArray);
    }

@ -623,6 +659,13 @@ public class SystemApiController {
     */
    @GetMapping("/translateDictFromTable")
    public String translateDictFromTable(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("key") String key){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
+        String[] arr = new String[]{table, text, code, key};
+        SqlInjectionUtil.filterContent(arr);
        return sysBaseApi.translateDictFromTable(table, text, code, key);
    }

@ -639,6 +682,11 @@ public class SystemApiController {
     */
    @GetMapping("/translateDictFromTableByKeys")
    public List<DictModel> translateDictFromTableByKeys(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("keys") String keys) {
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
        return this.sysBaseApi.translateDictFromTableByKeys(table, text, code, keys);
    }

@ -697,4 +745,23 @@ public class SystemApiController {
    public void sendAppChatSocket(@RequestParam(name="userId") String userId){
        this.sysBaseApi.sendAppChatSocket(userId);
    }
+
+
+    /**
+     * VUEN-2584【issue】平台sql注入漏洞几个问题
+     * 部分特殊函数 可以将查询结果混夹在错误信息中，导致数据库的信息暴露
+     * @param e
+     * @return
+     */
+    @ExceptionHandler(java.sql.SQLException.class)
+    public Result<?> handleSQLException(Exception e){
+        String msg = e.getMessage();
+        String extractvalue = "extractvalue";
+        String updatexml = "updatexml";
+        if(msg!=null && (msg.toLowerCase().indexOf(extractvalue)>=0 || msg.toLowerCase().indexOf(updatexml)>=0)){
+            return Result.error("校验失败，sql解析异常！");
+        }
+        return Result.error("校验失败，sql解析异常！" + msg);
+    }
+    
 }
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
@ -23,11 +23,8 @@ import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.system.query.QueryGenerator;
 import org.jeecg.common.system.vo.*;
-import org.jeecg.common.util.HTMLUtils;
-import org.jeecg.common.util.SysAnnmentTypeEnum;
-import org.jeecg.common.util.YouBianCodeUtil;
+import org.jeecg.common.util.*;
 import org.jeecg.common.util.dynamic.db.FreemarkerParseFactory;
-import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.modules.message.entity.SysMessageTemplate;
 import org.jeecg.modules.message.handle.impl.DdSendMsgHandle;
 import org.jeecg.modules.message.handle.impl.EmailSendMsgHandle;
@ -315,6 +312,9 @@ public class SysBaseApiImpl implements ISysBaseAPI {
 			table = QueryGenerator.getSqlRuleValue(table);
 		}
 		//update-end-author:taoyan date:20200820 for:【Online+系统】字典表加权限控制机制逻辑，想法不错 LOWCOD-799
+		String[] arr = new String[]{text, code};
+		SqlInjectionUtil.filterContent(arr);
+		SqlInjectionUtil.specialFilterContentForDictSql(table);
 		return sysDictService.queryTableDictItemsByCode(table, text, code);
 	}

--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java
@ -10,7 +10,6 @@ import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.system.query.QueryGenerator;
-import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.system.util.ResourceUtil;
 import org.jeecg.common.system.vo.DictModel;
 import org.jeecg.common.system.vo.DictModelMany;
@ -180,6 +179,9 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
 			table = arr[0];
 			filterSql = arr[1];
 		}
+		String[] tableAndFields = new String[]{table, text, code};
+		SqlInjectionUtil.filterContent(tableAndFields);
+		SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 		return sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, keys);
 		//update-end-author:taoyan date:20220113 for: @dict注解支持 dicttable 设置where条件
 	}
@ -216,6 +218,9 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
 			table = arr[0];
 			filterSql = arr[1];
 		}
+		String[] tableAndFields = new String[]{table, text, code};
+		SqlInjectionUtil.filterContent(tableAndFields);
+		SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 		List<DictModel> dicts = sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, Arrays.asList(keyArray));
 		//update-end-author:taoyan date:2022-4-24 for: 下拉搜索组件，表单编辑页面回显下拉搜索的文本的时候，因为表名后配置了条件，导致sql执行失败，
 		List<String> texts = new ArrayList<>(dicts.size());