【issues/4393】解决使用参数tableName=sys_user t&复测，漏洞仍然存在

2025-09-09 05:59:16 +00:00 · 2023-08-14 15:54:03 +08:00
parent 751b81c7bf
commit 20889e8724
2 changed files with 17 additions and 4 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
@@ -67,14 +67,14 @@ public abstract class AbstractQueryBlackListHandler {
        }
        for (QueryTable table : list) {
            String name = table.getName();
-            String fieldString = ruleMap.get(name);
+            String fieldRule = ruleMap.get(name);
            // 有没有配置这张表
-            if (fieldString != null) {
-                if ("*".equals(fieldString) || table.isAll()) {
+            if (fieldRule != null) {
+                if ("*".equals(fieldRule) || table.isAll()) {
                    flag = false;
                    log.warn("sql黑名单校验，表【"+name+"】禁止查询");
                    break;
-                } else if (table.existSameField(fieldString)) {
+                } else if (table.existSameField(fieldRule)) {
                    flag = false;
                    break;
                }