diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
index 7e5454ef..6e6ccebb 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
@@ -5,7 +5,10 @@ import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.dto.DataLogDTO;
 import org.jeecg.common.api.dto.OnlineAuthDTO;
 import org.jeecg.common.api.dto.message.*;
+import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.system.vo.*;
+import org.jeecg.common.util.SqlInjectionUtil;
+import org.jeecg.modules.system.security.DictQueryBlackListHandler;
 import org.jeecg.modules.system.service.ISysUserService;
 import org.jeecg.modules.system.service.impl.SysBaseApiImpl;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,6 +33,9 @@ public class SystemApiController {
 @Autowired
 private ISysUserService sysUserService;
+ @Autowired
+ private DictQueryBlackListHandler dictQueryBlackListHandler;
+
 /**
 * 发送系统消息
@@ -521,6 +527,10 @@ public class SystemApiController {
 */
 @GetMapping("/loadDictItem")
 public List loadDictItem(@RequestParam("dictCode") String dictCode, @RequestParam("keys") String keys) {
+ if(!dictQueryBlackListHandler.isPass(dictCode)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
 return sysBaseApi.loadDictItem(dictCode, keys);
 }
@@ -533,6 +543,10 @@ public class SystemApiController {
 */
 @GetMapping("/getDictItems")
 public List getDictItems(@RequestParam("dictCode") String dictCode) {
+ if(!dictQueryBlackListHandler.isPass(dictCode)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
 return sysBaseApi.getDictItems(dictCode);
 }
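Review bot: The rejection path added to `loadDictItem` only logs and returns `null`, so an internal caller cannot distinguish a blocked dictCode from a dictionary with no items, and the rejected value itself is not part of the log line. Returning `null` from a `List`-typed endpoint is also NPE-prone for any caller that iterates the result; surfacing the rejection explicitly, e.g. `throw new JeecgBootException(dictQueryBlackListHandler.getError());` (check the type is in scope in this controller), or at least `log.error("dict query blocked, dictCode={}: {}", dictCode, dictQueryBlackListHandler.getError());`, would be more useful. If `DictQueryBlackListHandler` is a singleton bean and `isPass` stores the message that `getError()` reads in an instance field, the two calls can interleave between concurrent requests and log another request's reason; an API that returns verdict and message together avoids that. The `keys` parameter is passed through unchecked, which is fine only if the service binds it as a parameter — not visible in this diff.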
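Review bot: The same four-line guard `if(!dictQueryBlackListHandler.isPass(dictCode)){ log.error(dictQueryBlackListHandler.getError()); return null; }` is pasted into `getDictItems` and into every other dictionary endpoint touched by this change; extract it into one private helper so the policy (log level, return value, what gets logged) is defined once and cannot drift. A deny-list on dictCode is only as strong as the names it knows about, and the patterns live in `DictQueryBlackListHandler`, which is not part of this diff, so I cannot tell whether it matches exact table names or keywords; a one-line Javadoc on the helper stating which form it expects would help the next reader.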
@@ -557,6 +571,10 @@ public class SystemApiController {
 */
 @GetMapping("/loadDictItemByKeyword")
 public List loadDictItemByKeyword(@RequestParam("dictCode") String dictCode, @RequestParam("keyword") String keyword, @RequestParam(value = "pageSize", required = false) Integer pageSize) {
+ if(!dictQueryBlackListHandler.isPass(dictCode)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
 return sysBaseApi.loadDictItemByKeyword(dictCode, keyword, pageSize);
 }
@@ -581,6 +599,11 @@ public class SystemApiController {
 */
 @GetMapping("/queryTableDictItemsByCode")
 List queryTableDictItemsByCode(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code){
+ String str = table+","+text+","+code;
+ if(!dictQueryBlackListHandler.isPass(str)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
 return sysBaseApi.queryTableDictItemsByCode(table, text, code);
 }
@@ -594,6 +617,14 @@ public class SystemApiController {
 */
 @GetMapping("/queryFilterTableDictInfo")
 List queryFilterTableDictInfo(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("filterSql") String filterSql){
+ String str = table+","+text+","+code;
+ if(!dictQueryBlackListHandler.isPass(str)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
+ String[] arr = new String[]{table, text, code};
+ SqlInjectionUtil.filterContent(arr);
+ SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 return sysBaseApi.queryFilterTableDictInfo(table, text, code, filterSql);
 }
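Review bot: Only `dictCode` is screened in `loadDictItemByKeyword`; `keyword` and `pageSize` go straight to `sysBaseApi.loadDictItemByKeyword`. For a table dictionary the keyword presumably ends up in a `LIKE` clause and the page size in a `LIMIT`; whether the mapper binds them with `#{}` is not visible in this diff, so please confirm — if either is concatenated, the blacklist on dictCode does nothing for them. A guard that does not depend on the mapper is to bound the page size here, e.g. `if (pageSize != null && (pageSize <= 0 || pageSize > MAX_DICT_PAGE_SIZE)) { return null; }`, which also caps the work an anonymous keyword search can cause.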
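Review bot: `queryTableDictItemsByCode` gets only the blacklist check, while `queryFilterTableDictInfo` directly below additionally runs `SqlInjectionUtil.filterContent` on table/text/code, so the two entry points are treated inconsistently at the controller. The service-side hunk in `SysBaseApiImpl.queryTableDictItemsByCode` in this same change does add that filter, so the path is covered, but a check at the entry point is easier to audit than one several layers down. Also, `isPass(table+","+text+","+code)` joins the three fields with commas before handing them to the handler; if the handler splits on commas, a `text` or `code` value containing a comma shifts the fields — worth a unit test with such a value.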
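Review bot: The results of `SqlInjectionUtil.filterContent(arr)` and `SqlInjectionUtil.specialFilterContentForDictSql(filterSql)` in `queryFilterTableDictInfo` are discarded, so the guard is only effective if both methods throw on a hit; that is not visible in this diff, and if either returns a boolean the call is a no-op. `filterSql` is a raw SQL fragment supplied by the HTTP client and, judging by its name and the downstream `queryTableDictByKeysAndFilterSql` mapper, spliced into a WHERE clause, so a keyword filter is the weakest possible defence for it. If this controller is meant only for service-to-service (Feign) calls, the gateway should refuse external access to it regardless of the filter; if it is reachable by end users, accepting arbitrary SQL here should be reconsidered rather than filtered.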
@@ -609,6 +640,11 @@ public class SystemApiController {
 @Deprecated
 @GetMapping("/queryTableDictByKeys")
 public List queryTableDictByKeys(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("keyArray") String[] keyArray){
+ String str = table+","+text+","+code;
+ if(!dictQueryBlackListHandler.isPass(str)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
 return sysBaseApi.queryTableDictByKeys(table, text, code, keyArray);
 }
@@ -623,6 +659,13 @@ public class SystemApiController {
 */
 @GetMapping("/translateDictFromTable")
 public String translateDictFromTable(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("key") String key){
+ String str = table+","+text+","+code;
+ if(!dictQueryBlackListHandler.isPass(str)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
+ String[] arr = new String[]{table, text, code, key};
+ SqlInjectionUtil.filterContent(arr);
 return sysBaseApi.translateDictFromTable(table, text, code, key);
 }
@@ -639,6 +682,11 @@ public class SystemApiController {
 */
 @GetMapping("/translateDictFromTableByKeys")
 public List translateDictFromTableByKeys(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("keys") String keys) {
+ String str = table+","+text+","+code;
+ if(!dictQueryBlackListHandler.isPass(str)){
+ log.error(dictQueryBlackListHandler.getError());
+ return null;
+ }
 return this.sysBaseApi.translateDictFromTableByKeys(table, text, code, keys);
 }
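Review bot: `queryTableDictByKeys` is marked `@Deprecated` yet stays a mapped GET endpoint with the same surface as the live ones, and its `keyArray` values pass through with no check at this layer. The `SysDictServiceImpl` hunk in this change that passes `Arrays.asList(keyArray)` to `queryTableDictByKeysAndFilterSql` filters table/text/code only, so the safety of the keys rests on the mapper binding them via `#{}` in its foreach — not visible here. If nothing in the codebase still calls this route, removing the mapping is a more robust fix than guarding it; otherwise a comment on the `@Deprecated` line naming the replacement and the removal target would at least document the intent.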
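Review bot: In `translateDictFromTable` the lookup value `key` is put through `SqlInjectionUtil.filterContent(arr)` together with the identifiers `table`, `text` and `code`, but a keyword filter is the wrong tool for a data value. If the mapper binds it as `#{key}` the filter only produces false positives for legitimate keys that happen to contain a blocked word; if the mapper splices it with `${key}` the filter is not a sufficient fix and the mapper should be parameterized instead — I cannot tell which from this diff. Identifiers are better validated positively, e.g. `if (!table.matches("[A-Za-z0-9_.]+") || !text.matches("[A-Za-z0-9_]+") || !code.matches("[A-Za-z0-9_]+")) { return null; }`, and values by binding, rather than both by deny-list.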
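Review bot: `translateDictFromTableByKeys` receives only the blacklist check, while its sibling `translateDictFromTable` immediately above also runs `SqlInjectionUtil.filterContent` on table/text/code; the two translation endpoints should get the same controller-level treatment so a reviewer does not have to trace each service path separately to know what is covered. The `keys` parameter is a comma-separated string that is neither split nor validated here; whether the service parameterizes the individual keys is not visible in this diff.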
@@ -697,4 +745,23 @@ public class SystemApiController {
 public void sendAppChatSocket(@RequestParam(name="userId") String userId){
 this.sysBaseApi.sendAppChatSocket(userId);
 }
+
+
+ /**
+ * VUEN-2584【issue】平台sql注入漏洞几个问题
+ * 部分特殊函数 可以将查询结果混夹在错误信息中,导致数据库的信息暴露
+ * @param e
+ * @return
+ */
+ @ExceptionHandler(java.sql.SQLException.class)
+ public Result handleSQLException(Exception e){
+ String msg = e.getMessage();
+ String extractvalue = "extractvalue";
+ String updatexml = "updatexml";
+ if(msg!=null && (msg.toLowerCase().indexOf(extractvalue)>=0 || msg.toLowerCase().indexOf(updatexml)>=0)){
+ return Result.error("校验失败,sql解析异常!");
+ }
+ return Result.error("校验失败,sql解析异常!" + msg);
+ }
+
 }
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
index 55ef4ce2..ad9ab89b 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
@@ -23,11 +23,8 @@ import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.system.query.QueryGenerator;
 import org.jeecg.common.system.vo.*;
-import org.jeecg.common.util.HTMLUtils;
-import org.jeecg.common.util.SysAnnmentTypeEnum;
-import org.jeecg.common.util.YouBianCodeUtil;
+import org.jeecg.common.util.*;
 import org.jeecg.common.util.dynamic.db.FreemarkerParseFactory;
-import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.modules.message.entity.SysMessageTemplate;
 import org.jeecg.modules.message.handle.impl.DdSendMsgHandle;
 import org.jeecg.modules.message.handle.impl.EmailSendMsgHandle;
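Review bot: `handleSQLException` still echoes the driver message to the client on its fall-through line `return Result.error("校验失败,sql解析异常!" + msg);` and suppresses it only when the text contains `extractvalue` or `updatexml`. Error-based extraction in MySQL is not limited to those two functions — duplicate-key errors from `floor(rand()*2)` grouping, `exp()` overflow, geometry and `json_*` functions all place attacker-chosen data in the message, and even an ordinary syntax error reveals table and column names — so a two-word deny-list does not close the leak the Javadoc describes. Log the full exception server-side and return a fixed message in every case: `log.error("SQL error in dictionary API", e); return Result.error("校验失败,sql解析异常!");`. The handler is also keyed on `java.sql.SQLException` while MyBatis/Spring normally surface a translated `DataAccessException`; whether the resolver walks the cause chain depends on the Spring version in use, so a test that drives a malformed query through this controller and asserts the response body is worth adding, and a `@ControllerAdvice` would extend the same protection to the other controllers that build dictionary SQL.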
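Review bot: The explicit imports of `HTMLUtils`, `SysAnnmentTypeEnum`, `YouBianCodeUtil` and `oConvertUtils` are collapsed into the wildcard `import org.jeecg.common.util.*;`, presumably to bring in `SqlInjectionUtil`. A wildcard import hides which utilities the class depends on and can silently shadow or collide with names from `org.jeecg.common.system.vo.*` on the line above; adding the single explicit `import org.jeecg.common.util.SqlInjectionUtil;` and keeping the four existing lines is the conventional choice.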
@@ -315,6 +312,9 @@ public class SysBaseApiImpl implements ISysBaseAPI {
 table = QueryGenerator.getSqlRuleValue(table);
 }
 //update-end-author:taoyan date:20200820 for:【Online+系统】字典表加权限控制机制逻辑,想法不错 LOWCOD-799
+ String[] arr = new String[]{text, code};
+ SqlInjectionUtil.filterContent(arr);
+ SqlInjectionUtil.specialFilterContentForDictSql(table);
 return sysDictService.queryTableDictItemsByCode(table, text, code);
 }
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java
index e48ac9d8..37762484 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java
@@ -10,7 +10,6 @@ import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.system.query.QueryGenerator;
-import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.system.util.ResourceUtil;
 import org.jeecg.common.system.vo.DictModel;
 import org.jeecg.common.system.vo.DictModelMany;
@@ -180,6 +179,9 @@ public class SysDictServiceImpl extends ServiceImpl impl
 table = arr[0];
 filterSql = arr[1];
 }
+ String[] tableAndFields = new String[]{table, text, code};
+ SqlInjectionUtil.filterContent(tableAndFields);
+ SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 return sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, keys);
 //update-end-author:taoyan date:20220113 for: @dict注解支持 dicttable 设置where条件
 }
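Review bot: In `SysBaseApiImpl` the new `SqlInjectionUtil.filterContent(arr)` applies a keyword deny-list to `text` and `code`, which are column identifiers; a positive check is both stricter and simpler for identifiers, e.g. `if (!text.matches("[A-Za-z0-9_]+") || !code.matches("[A-Za-z0-9_]+")) { throw new JeecgBootException("illegal dict field name"); }` (the exception type is imported in this file). `table` is checked with `specialFilterContentForDictSql(table)` after `QueryGenerator.getSqlRuleValue(table)` has substituted rule values into it, which is the right order since the substituted text is what reaches SQL, but it means a table string carrying its own WHERE clause is accepted as long as no blocked keyword appears. The enclosing method starts above this hunk, so I cannot see whether `text` and `code` are normalised earlier.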
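Review bot: The three lines added before `sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, keys)` in `SysDictServiceImpl` are repeated verbatim in the next hunk of this file; a private helper such as `checkDictQueryArgs(table, text, code, filterSql)` would keep the two call sites from drifting apart when the policy changes. `keys` is handed to the mapper unchecked, which is fine only if the mapper binds it with `#{}`; that is not visible in this diff. The enclosing method begins above the hunk.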
@@ -216,6 +218,9 @@ public class SysDictServiceImpl extends ServiceImpl impl
 table = arr[0];
 filterSql = arr[1];
 }
+ String[] tableAndFields = new String[]{table, text, code};
+ SqlInjectionUtil.filterContent(tableAndFields);
+ SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 List dicts = sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, Arrays.asList(keyArray));
 //update-end-author:taoyan date:2022-4-24 for: 下拉搜索组件,表单编辑页面回显下拉搜索的文本的时候,因为表名后配置了条件,导致sql执行失败,
 List texts = new ArrayList<>(dicts.size());
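Review bot: `SqlInjectionUtil.specialFilterContentForDictSql(filterSql)` is called unconditionally, but the context shows `filterSql = arr[1];` is only assigned inside the branch that splits a table string carrying a condition; when no condition is present `filterSql` keeps whatever value it had before the hunk, which is presumably null or empty. Please confirm the helper tolerates that (a `null.toLowerCase()`-style NPE here would turn every plain table dictionary lookup into a 500), or guard it with `if (oConvertUtils.isNotEmpty(filterSql)) { SqlInjectionUtil.specialFilterContentForDictSql(filterSql); }`. The method starts above this hunk, so the earlier assignment is not visible to me.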