From 1a5b024df65f503488c19e95bdbdaa1b30014e7b Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期四, 06 一月 2022 14:50:56 +0800
Subject: [PATCH] 定时任务目标字符串验证包名白名单
---
ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java | 31 ++++++++++++++++++++++++++++---
1 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
index b8aeaa1..71a7ae1 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
@@ -1,5 +1,6 @@
package com.ruoyi.common.utils.sql;
+import com.ruoyi.common.exception.UtilException;
import com.ruoyi.common.utils.StringUtils;
/**
@@ -10,9 +11,14 @@
public class SqlUtil
{
/**
- * 仅支持字母、数字、下划线、空格、逗号(支持多个字段排序)
+ * 定义常用的 sql关键字
*/
- public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";
+ public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
+
+ /**
+ * 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
+ */
+ public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,\\.]+";
/**
* 检查字符,防止注入绕过
@@ -21,7 +27,7 @@
{
if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
{
- return StringUtils.EMPTY;
+ throw new UtilException("参数不符合规范,不能进行查询");
}
return value;
}
@@ -33,4 +39,23 @@
{
return value.matches(SQL_PATTERN);
}
+
+ /**
+ * SQL关键字检查
+ */
+ public static void filterKeyword(String value)
+ {
+ if (StringUtils.isEmpty(value))
+ {
+ return;
+ }
+ String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
+ for (int i = 0; i < sqlKeywords.length; i++)
+ {
+ if (StringUtils.indexOfIgnoreCase(value, sqlKeywords[i]) > -1)
+ {
+ throw new UtilException("参数存在SQL注入风险");
+ }
+ }
+ }
}
--
Gitblit v1.9.2