针对字典sql，加入sql注入check和sql黑名单check

jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java

@@ -5,7 +5,10 @@ import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.dto.DataLogDTO;
 import org.jeecg.common.api.dto.OnlineAuthDTO;
 import org.jeecg.common.api.dto.message.*;
+import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.system.vo.*;
+import org.jeecg.common.util.SqlInjectionUtil;
+import org.jeecg.modules.system.security.DictQueryBlackListHandler;
 import org.jeecg.modules.system.service.ISysUserService;
 import org.jeecg.modules.system.service.impl.SysBaseApiImpl;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,6 +33,9 @@ public class SystemApiController {
     @Autowired
     private ISysUserService sysUserService;
 
+    @Autowired
+    private DictQueryBlackListHandler dictQueryBlackListHandler;
+
 
     /**
      * 发送系统消息
@@ -521,6 +527,10 @@ public class SystemApiController {
      */
     @GetMapping("/loadDictItem")
     public List<String> loadDictItem(@RequestParam("dictCode") String dictCode, @RequestParam("keys") String keys) {
+        if(!dictQueryBlackListHandler.isPass(dictCode)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
         return sysBaseApi.loadDictItem(dictCode, keys);
     }
 
@@ -533,6 +543,10 @@ public class SystemApiController {
      */
     @GetMapping("/getDictItems")
     public List<DictModel> getDictItems(@RequestParam("dictCode") String dictCode) {
+        if(!dictQueryBlackListHandler.isPass(dictCode)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
         return sysBaseApi.getDictItems(dictCode);
     }
 
@@ -557,6 +571,10 @@ public class SystemApiController {
      */
     @GetMapping("/loadDictItemByKeyword")
     public List<DictModel> loadDictItemByKeyword(@RequestParam("dictCode") String dictCode, @RequestParam("keyword") String keyword, @RequestParam(value = "pageSize", required = false) Integer pageSize) {
+        if(!dictQueryBlackListHandler.isPass(dictCode)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
         return sysBaseApi.loadDictItemByKeyword(dictCode, keyword, pageSize);
     }
 
@@ -581,6 +599,11 @@ public class SystemApiController {
      */
     @GetMapping("/queryTableDictItemsByCode")
     List<DictModel> queryTableDictItemsByCode(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
         return sysBaseApi.queryTableDictItemsByCode(table, text, code);
     }
 
@@ -594,6 +617,14 @@ public class SystemApiController {
      */
     @GetMapping("/queryFilterTableDictInfo")
     List<DictModel> queryFilterTableDictInfo(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("filterSql") String filterSql){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
+        String[] arr = new String[]{table, text, code};
+        SqlInjectionUtil.filterContent(arr);
+        SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
         return sysBaseApi.queryFilterTableDictInfo(table, text, code, filterSql);
     }
 
@@ -609,6 +640,11 @@ public class SystemApiController {
     @Deprecated
     @GetMapping("/queryTableDictByKeys")
     public List<String> queryTableDictByKeys(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("keyArray") String[] keyArray){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
         return sysBaseApi.queryTableDictByKeys(table, text, code, keyArray);
     }
 
@@ -623,6 +659,13 @@ public class SystemApiController {
      */
     @GetMapping("/translateDictFromTable")
     public String translateDictFromTable(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("key") String key){
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
+        String[] arr = new String[]{table, text, code, key};
+        SqlInjectionUtil.filterContent(arr);
         return sysBaseApi.translateDictFromTable(table, text, code, key);
     }
 
@@ -639,6 +682,11 @@ public class SystemApiController {
      */
     @GetMapping("/translateDictFromTableByKeys")
     public List<DictModel> translateDictFromTableByKeys(@RequestParam("table") String table, @RequestParam("text") String text, @RequestParam("code") String code, @RequestParam("keys") String keys) {
+        String str = table+","+text+","+code;
+        if(!dictQueryBlackListHandler.isPass(str)){
+            log.error(dictQueryBlackListHandler.getError());
+            return null;
+        }
         return this.sysBaseApi.translateDictFromTableByKeys(table, text, code, keys);
     }
 
@@ -697,4 +745,23 @@ public class SystemApiController {
     public void sendAppChatSocket(@RequestParam(name="userId") String userId){
         this.sysBaseApi.sendAppChatSocket(userId);
     }
+
+
+    /**
+     * VUEN-2584【issue】平台sql注入漏洞几个问题
+     * 部分特殊函数 可以将查询结果混夹在错误信息中，导致数据库的信息暴露
+     * @param e
+     * @return
+     */
+    @ExceptionHandler(java.sql.SQLException.class)
+    public Result<?> handleSQLException(Exception e){
+        String msg = e.getMessage();
+        String extractvalue = "extractvalue";
+        String updatexml = "updatexml";
+        if(msg!=null && (msg.toLowerCase().indexOf(extractvalue)>=0 || msg.toLowerCase().indexOf(updatexml)>=0)){
+            return Result.error("校验失败，sql解析异常！");
+        }
+        return Result.error("校验失败，sql解析异常！" + msg);
+    }
+    
 }

jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java

@@ -23,11 +23,8 @@ import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.system.query.QueryGenerator;
 import org.jeecg.common.system.vo.*;
-import org.jeecg.common.util.HTMLUtils;
+import org.jeecg.common.util.*;
-import org.jeecg.common.util.SysAnnmentTypeEnum;
-import org.jeecg.common.util.YouBianCodeUtil;
 import org.jeecg.common.util.dynamic.db.FreemarkerParseFactory;
-import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.modules.message.entity.SysMessageTemplate;
 import org.jeecg.modules.message.handle.impl.DdSendMsgHandle;
 import org.jeecg.modules.message.handle.impl.EmailSendMsgHandle;
@@ -315,6 +312,9 @@ public class SysBaseApiImpl implements ISysBaseAPI {
 			table = QueryGenerator.getSqlRuleValue(table);
 		}
 		//update-end-author:taoyan date:20200820 for:【Online+系统】字典表加权限控制机制逻辑，想法不错 LOWCOD-799
+		String[] arr = new String[]{text, code};
+		SqlInjectionUtil.filterContent(arr);
+		SqlInjectionUtil.specialFilterContentForDictSql(table);
 		return sysDictService.queryTableDictItemsByCode(table, text, code);
 	}
 

jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java

@@ -10,7 +10,6 @@ import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.system.query.QueryGenerator;
-import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.system.util.ResourceUtil;
 import org.jeecg.common.system.vo.DictModel;
 import org.jeecg.common.system.vo.DictModelMany;
@@ -180,6 +179,9 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
 			table = arr[0];
 			filterSql = arr[1];
 		}
+		String[] tableAndFields = new String[]{table, text, code};
+		SqlInjectionUtil.filterContent(tableAndFields);
+		SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 		return sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, keys);
 		//update-end-author:taoyan date:20220113 for: @dict注解支持 dicttable 设置where条件
 	}
@@ -216,6 +218,9 @@ public class SysDictServiceImpl extends ServiceImpl<SysDictMapper, SysDict> impl
 			table = arr[0];
 			filterSql = arr[1];
 		}
+		String[] tableAndFields = new String[]{table, text, code};
+		SqlInjectionUtil.filterContent(tableAndFields);
+		SqlInjectionUtil.specialFilterContentForDictSql(filterSql);
 		List<DictModel> dicts = sysDictMapper.queryTableDictByKeysAndFilterSql(table, text, code, filterSql, Arrays.asList(keyArray));
 		//update-end-author:taoyan date:2022-4-24 for: 下拉搜索组件，表单编辑页面回显下拉搜索的文本的时候，因为表名后配置了条件，导致sql执行失败，
 		List<String> texts = new ArrayList<>(dicts.size());