From ca1218f792369ed3c8196e796b1940b33ed6469b Mon Sep 17 00:00:00 2001 From: zhangdaiscott Date: Thu, 13 Apr 2023 09:42:46 +0800 Subject: [PATCH] =?UTF-8?q?sys/duplicate/check=20SQL=E6=B3=A8=E5=85=A5=20#?= =?UTF-8?q?4737?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../org/jeecg/common/util/SqlInjectionUtil.java | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java index 604c6de4..723e1ce4 100644 --- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java +++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java @@ -30,6 +30,11 @@ public class SqlInjectionUtil { /**正则 show tables*/ private final static String SHOW_TABLES = "show\\s+tables"; + /** + * sleep函数 + */ + private final static Pattern FUN_SLEEP = Pattern.compile("sleep\\([\\d\\.]*\\)"); + /** * sql注释的正则 */ @@ -282,5 +287,13 @@ public class SqlInjectionUtil { log.error(error); throw new RuntimeException(error); } + + // issues/4737 sys/duplicate/check SQL注入 #4737 + Matcher sleepMatcher = FUN_SLEEP.matcher(str); + if(sleepMatcher.find()){ + String error = "请注意,值可能存在SQL注入风险---> sleep"; + log.error(error); + throw new RuntimeException(error); + } } }
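Review bot: The FUN_SLEEP pattern added in the first hunk is compiled without `Pattern.CASE_INSENSITIVE` and requires `(` to follow `sleep` immediately with only digits and dots inside, so the check in the second hunk only fires on lowercase `sleep(` with no whitespace and a numeric-only argument; unless the enclosing method (which starts before the hunk) has already lowercased and trimmed `str`, mixed-case or spaced spellings pass the check unflagged. Compiling it as `Pattern.compile("sleep\\s*\\([^)]*\\)", Pattern.CASE_INSENSITIVE)` closes that gap in one line while keeping the `find()` logic in the second hunk unchanged. It is worth stating in the field's Javadoc that this regex is a defense-in-depth blocklist for a single time-based function, not a complete SQL-injection filter, so the fix for the sys/duplicate/check input is not assumed to end here; the commit does not show the identifier being validated against a whitelist or bound as a parameter. Keeping the thrown type `RuntimeException` is consistent with the neighbouring checks visible in the context lines.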