From f18ced524c9ec13e876bfb74785a1b112cc8b6bb Mon Sep 17 00:00:00 2001
From: zhangdaiscott
Date: Wed, 2 Nov 2022 09:53:38 +0800
Subject: [PATCH] =?UTF-8?q?sql=E6=B3=A8=E5=85=A5=E6=A3=80=E6=9F=A5?= =?UTF-8?q?=E6=9B=B4=E5=8A=A0=E4=B8=A5=E6=A0=BC=EF=BC=8C=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?/sys/duplicate/check=E5=AD=98=E5=9C=A8sql=E6=B3=A8=E5=85=A5?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=20#4129?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../jeecg/common/util/SqlInjectionUtil.java | 41 +++++++++++++++----
 1 file changed, 34 insertions(+), 7 deletions(-)
diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
index 99c4caf2..151fa1d7 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -6,6 +6,7 @@ import org.jeecg.common.exception.JeecgBootException;
 import javax.servlet.http.HttpServletRequest;
 import java.lang.reflect.Field;
 import java.util.Set;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
@@ -20,7 +21,7 @@ public class SqlInjectionUtil {
 * (上线修改值 20200501,同步修改前端的盐值)
 */
 private final static String TABLE_DICT_SIGN_SALT = "20200501";
- private final static String XSS_STR = "and |exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
+ private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
 
 /**
 * 正则 user() 匹配更严谨
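Review bot: The new XSS_STR entries `extractvalue|updatexml` close one error-based vector, but the surrounding list still keys most keywords on a literal trailing space (`and `, `select `, `exec `), so a payload written as `select(`, `select\t` or `select\n` is not a substring of any entry and passes, and `union` is absent from the list altogether. If the denylist is kept, match on word boundaries with a precompiled pattern rather than space padding, e.g. `Pattern.compile("\\b(and|or|exec|insert|select|union|delete|update|drop|truncate|declare|extractvalue|updatexml)\\b")`. A denylist is at best a mitigation; for the `/sys/duplicate/check` endpoint named in the subject the durable fix is to allowlist the table and column identifiers against `^[A-Za-z0-9_]+$` at the call site and bind the compared value as a query parameter, which this hunk cannot show.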
@@ -29,6 +30,11 @@ public class SqlInjectionUtil {
 /**正则 show tables*/
 private final static String SHOW_TABLES = "show\\s+tables";
 
+ /**
+ * sql注释的正则
+ */
+ private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");
+
 /**
 * 针对表字典进行额外的sign签名校验(增加安全机制)
 * @param dictCode:
@@ -66,10 +72,12 @@ public class SqlInjectionUtil {
 if (value == null || "".equals(value)) {
 return;
 }
+ // 校验sql注释 不允许有sql注释
+ checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
- value = value.replaceAll("/\\*.*\\*/","");
+ //value = value.replaceAll("/\\*.*\\*/","");
 
 String[] xssArr = XSS_STR.split("\\|");
 for (int i = 0; i < xssArr.length; i++) {
@@ -117,10 +125,12 @@ public class SqlInjectionUtil {
 if (value == null || "".equals(value)) {
 return;
 }
+ // 校验sql注释 不允许有sql注释
+ checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
- value = value.replaceAll("/\\*.*\\*/","");
+ //value = value.replaceAll("/\\*.*\\*/","");
 
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1) {
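Review bot: `Pattern.compile("/\\*.*\\*/")` relies on `.`, which does not match line terminators, so a comment whose body spans a newline (`/*\n*/`) is not found by `find()` and slips past checkSqlAnnotation — the very construct this check was added to reject. No legitimate identifier or value should contain the opening token at all, so either compile with `Pattern.DOTALL` or simply reject the opener: `private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*", Pattern.DOTALL);` (keeping the closing half is only needed if a lone `/*` must be tolerated, which the commit message does not suggest). MySQL line comments (`-- ` and `#`) are not covered by this pattern; whether they can be rejected outright depends on what the callers pass, which is worth confirming before widening it.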
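Review bot: `value.toLowerCase()` in the hunk at line 66 uses the JVM default locale, so under a Turkish-style locale `INSERT` lowercases to `ınsert` and no longer contains the `insert ` entry the loop below looks for; use `value = value.toLowerCase(Locale.ROOT);` (java.util.Locale is not in the visible import block and would need adding). The replaced `replaceAll` line is now carried as commented-out code next to the issue-link comment; since checkSqlAnnotation now rejects comments outright, delete the dead line and keep only the comment as rationale. The enclosing method's signature and the remainder of its loop are outside the hunk.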
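Review bot: The prologue in the hunk at line 117 — null/empty check, `checkSqlAnnotation(value)`, `toLowerCase()`, and the commented-out `replaceAll` — is now repeated verbatim in four methods of this file (the hunks at lines 66, 117, 157 and 189), so the next hardening step will again have to be applied in four places and one can easily be missed. Extract it into a single private helper, e.g. `private static String prepareForCheck(String value)` that runs the comment check and returns the lowercased value, and have each filter call it before its keyword loop. The method this hunk belongs to starts and ends outside the hunk.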
@@ -157,15 +167,17 @@ public class SqlInjectionUtil {
 */
 //@Deprecated
 public static void specialFilterContentForDictSql(String value) {
- String specialXssStr = " exec | insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
+ String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
 String[] xssArr = specialXssStr.split("\\|");
 if (value == null || "".equals(value)) {
 return;
 }
+ // 校验sql注释 不允许有sql注释
+ checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
- value = value.replaceAll("/\\*.*\\*/","");
+ //value = value.replaceAll("/\\*.*\\*/","");
 
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
@@ -189,15 +201,17 @@ public class SqlInjectionUtil {
 */
 //@Deprecated
 public static void specialFilterContentForOnlineReport(String value) {
- String specialXssStr = " exec | insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
+ String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
 String[] xssArr = specialXssStr.split("\\|");
 if (value == null || "".equals(value)) {
 return;
 }
+ // 校验sql注释 不允许有sql注释
+ checkSqlAnnotation(value);
 // 统一转为小写
 value = value.toLowerCase();
 //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
- value = value.replaceAll("/\\*.*\\*/","");
+ //value = value.replaceAll("/\\*.*\\*/"," ");
 
 for (int i = 0; i < xssArr.length; i++) {
 if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
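Review bot: In specialFilterContentForDictSql the keyword entries are padded with spaces on both sides (` exec `, ` insert `) and the loop tests `indexOf` plus `startsWith(trim())`, so a keyword followed by a tab, newline or parenthesis in the middle of the value (`x insert\tinto`, `x exec(`) matches neither test; the two new entries `extractvalue|updatexml` are unpadded and so do not share this gap, which makes the list inconsistent with itself. Consider a precompiled word-boundary pattern (`Pattern.compile("\\b(exec|insert|select|delete|update|drop|truncate|declare|extractvalue|updatexml)\\b")`) in place of literal space padding, so the same entry catches the start-of-string, mid-string and punctuation-adjacent cases. The method's closing lines are outside the hunk.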
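Review bot: The commented-out `replaceAll` line in specialFilterContentForOnlineReport now reads `," ")` while the same dead line in its three sibling methods reads `,"")` — editing code that is no longer executed is a sign it should be removed, and the divergence will puzzle the next reader. Delete the line in all four methods; the issue-link comment above it can stay as the rationale for checkSqlAnnotation. This list, unlike the dict-SQL one in the previous hunk, contains no `select` or `;` entry (and, like all of them, no `union`), so the comment check is the only thing in this method standing between a report value and a `union select`-style payload — presumably deliberate for report SQL, but worth confirming against the callers.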
@@ -256,4 +270,17 @@ public class SqlInjectionUtil {
 }
 return true;
 }
+
+ /**
+ * 校验是否有sql注释
+ * @return
+ */
+ public static void checkSqlAnnotation(String str){
+ Matcher matcher = SQL_ANNOTATION.matcher(str);
+ if(matcher.find()){
+ String error = "请注意,值可能存在SQL注入风险---> \\*.*\\";
+ log.error(error);
+ throw new RuntimeException(error);
+ }
+ }
 }
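Review bot: `checkSqlAnnotation` passes `str` straight to `SQL_ANNOTATION.matcher(str)` with no null guard; the callers in this patch check for null first, but the method is public, so add `if (str == null) { return; }` at the top. The Javadoc has an `@return` on a void method and no `@param`/`@throws`; replace it with a one-line purpose ("Rejects values containing a /* ... */ SQL comment"), `@param str the raw value to inspect`, and `@throws RuntimeException if a comment is found`. The error string ends in `\\*.*\\`, which prints as the garbled fragment `\*.*\`; say what was rejected instead, e.g. `String error = "请注意,值可能存在SQL注入风险: 不允许包含 SQL 注释 /* */";` — and since the file imports `JeecgBootException`, throwing that type rather than a bare `RuntimeException` would match the rest of the class, if that is what the sibling checks throw.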