From 1bdb91325a0233e9ecb44dfb8dfa260c07cf71c9 Mon Sep 17 00:00:00 2001 From: yulichang <570810310@qq.com> Date: Tue, 28 Mar 2023 18:36:40 +0800 Subject: [PATCH] =?UTF-8?q?orderBy=E5=85=BC=E5=AE=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../toolkit/MPJSqlInjectionUtils.java | 61 +++++++++++++++++++ .../yulichang/toolkit/MPJStringUtils.java | 3 +- 2 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJSqlInjectionUtils.java diff --git a/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJSqlInjectionUtils.java b/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJSqlInjectionUtils.java new file mode 100644 index 0000000..4e0c4dc --- /dev/null +++ b/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJSqlInjectionUtils.java @@ -0,0 +1,61 @@ +/* + * Copyright (c) 2011-2022, baomidou (jobob@qq.com). + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.github.yulichang.toolkit; + +import java.util.Objects; +import java.util.regex.Pattern; + +/** + * SQL 注入验证工具类 + * + * @author hubin + * @since 2021-08-15 + */ +@SuppressWarnings("all") +public class MPJSqlInjectionUtils { + /** + * SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配 + */ + private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" + + "\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)", Pattern.CASE_INSENSITIVE); + /** + * 使用'、;或注释截断SQL检查正则 + */ + private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/*|;)", Pattern.CASE_INSENSITIVE); + + /** + * 检查参数是否存在 SQL 注入 + * + * @param value 检查参数 + * @return true 非法 false 合法 + */ + public static boolean check(String value) { + Objects.requireNonNull(value); + // 处理是否包含SQL注释字符 || 检查是否包含SQL注入敏感字符 + return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find(); + } + + /** + * 刪除字段转义符单引号双引号 + * + * @param text 待处理字段 + * @return + */ + public static String removeEscapeCharacter(String text) { + Objects.nonNull(text); + return text.replaceAll("\"", "").replaceAll("'", ""); + } +} diff --git a/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJStringUtils.java b/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJStringUtils.java index 18a597a..0a8b55e 100644 --- a/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJStringUtils.java +++ b/mybatis-plus-join-core/src/main/java/com/github/yulichang/toolkit/MPJStringUtils.java @@ -17,7 +17,6 @@ package com.github.yulichang.toolkit; import com.baomidou.mybatisplus.core.toolkit.ArrayUtils; import com.baomidou.mybatisplus.core.toolkit.StringPool; -import com.baomidou.mybatisplus.core.toolkit.sql.SqlInjectionUtils; import com.baomidou.mybatisplus.core.toolkit.sql.StringEscape; import com.baomidou.mybatisplus.core.toolkit.support.BiIntFunction; @@ -595,7 +594,7 @@ public final class MPJStringUtils { * @param str 字符串 */ public static String sqlInjectionReplaceBlank(String str) { - if (SqlInjectionUtils.check(str)) { + if (MPJSqlInjectionUtils.check(str)) { /** * 过滤sql黑名单字符,存在 SQL 注入,去除空白内容 */