jeecg/jeecg-boot
1
0
Fork 0
mirror of https://github.com/jeecgboot/jeecg-boot.git synced 2025-09-09 05:49:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

---重构表字典逻辑,深度解决SQL注入漏洞问题,新旧版本都可以参考此修改合并---

Browse Source 
(重点针对表名和字段进行单独check处理,更严格的格式要求,可能会导致一些特殊字典用法出问题,请根据自己业务做灵活调整)
org\jeecg\common\exception\JeecgSqlInjectionException.java(+)
org\jeecg\common\exception\JeecgBootExceptionHandler.java

org\jeecg\common\util\security\AbstractQueryBlackListHandler.java
org\jeecg\common\util\SqlInjectionUtil.java
org\jeecg\modules\system\controller\DuplicateCheckController.java
org\jeecg\modules\system\mapper\xml\SysDictMapper.xml
org\jeecg\modules\system\mapper\SysDictMapper.java
org\jeecg\modules\system\service\impl\SysDictServiceImpl.java
org\jeecg\modules\system\service\ISysDictService.java
This commit is contained in:
zhangdaiscott
2023-09-03 20:07:58 +08:00
parent 58aebdbba4
commit 44952c79c2
9 changed files with 493 additions and 314 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgBootExceptionHandler.java
View File

@@ -1,6 +1,7 @@
package org.jeecg.common.exception;
import cn.hutool.core.util.ObjectUtil;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.jeecg.common.api.vo.Result;
@@ -16,8 +17,6 @@ import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.multipart.MaxUploadSizeExceededException;
import org.springframework.web.servlet.NoHandlerFoundException;
import lombok.extern.slf4j.Slf4j;
/**
* 异常处理器
*
@@ -133,4 +132,24 @@ public class JeecgBootExceptionHandler {
return Result.error("Redis 连接异常!");
}
/**
* SQL注入风险全局异常处理
*
* @param exception
* @return
*/
@ExceptionHandler(JeecgSqlInjectionException.class)
public Result<?> handleSQLException(Exception exception) {
String msg = exception.getMessage().toLowerCase();
final String extractvalue = "extractvalue";
final String updatexml = "updatexml";
boolean hasSensitiveInformation = msg.indexOf(extractvalue) >= 0 || msg.indexOf(updatexml) >= 0;
if (msg != null && hasSensitiveInformation) {
log.error("校验失败存在SQL注入风险{}", msg);
return Result.error("校验失败存在SQL注入风险");
}
return Result.error("校验失败存在SQL注入风险" + msg);
}
}

23
jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgSqlInjectionException.java Normal file
View File

@@ -0,0 +1,23 @@
package org.jeecg.common.exception;
/**
* @Description: jeecg-boot自定义SQL注入异常
* @author: jeecg-boot
*/
public class JeecgSqlInjectionException extends RuntimeException {
private static final long serialVersionUID = 1L;
public JeecgSqlInjectionException(String message){
super(message);
}
public JeecgSqlInjectionException(Throwable cause)
{
super(cause);
}
public JeecgSqlInjectionException(String message, Throwable cause)
{
super(message,cause);
}
}

98
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
View File

@@ -2,7 +2,10 @@ package org.jeecg.common.util;
import cn.hutool.crypto.SecureUtil;
import lombok.extern.slf4j.Slf4j;
import org.jeecg.common.constant.SymbolConstant;
import org.jeecg.common.exception.JeecgBootException;
import org.jeecg.common.exception.JeecgSqlInjectionException;
import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Field;
import java.util.Set;
@@ -47,7 +50,7 @@ public class SqlInjectionUtil {
* @param request:
* @Return: void
*/
public static void checkDictTableSign(String dictCode, String sign, HttpServletRequest request) {
private static void checkDictTableSign(String dictCode, String sign, HttpServletRequest request) {
//表字典SQL注入漏洞,签名校验
String accessToken = request.getHeader("X-Access-Token");
String signStr = dictCode + SqlInjectionUtil.TABLE_DICT_SIGN_SALT + accessToken;
@@ -60,11 +63,72 @@ public class SqlInjectionUtil {
}
/**
* 返回查询表名
* <p>
* sql注入过滤处理遇到注入关键字抛异常
* @param value
*
* @param table
*/
public static void filterContent(String value) {
filterContent(value, null);
private static Pattern tableNamePattern = Pattern.compile("^[a-zA-Z][a-zA-Z0-9_]{0,63}$");
public static String getSqlInjectTableName(String table) {
table = table.trim();
/**
* 检验表名是否合法
*
* 表名只能由字母、数字和下划线组成。
* 表名必须以字母开头。
* 表名长度通常有限制,例如最多为 64 个字符。
*/
boolean isValidTableName = tableNamePattern.matcher(table).matches();
if (!isValidTableName) {
String errorMsg = "表名不合法存在SQL注入风险!--->" + table;
log.error(errorMsg);
throw new JeecgSqlInjectionException(errorMsg);
}
//进一步验证是否存在SQL注入风险
filterContent(table);
return table;
}
/**
* 返回查询字段
* <p>
* sql注入过滤处理遇到注入关键字抛异常
*
* @param field
*/
static final Pattern fieldPattern = Pattern.compile("^[a-zA-Z0-9_]+$");
public static String getSqlInjectField(String field) {
field = field.trim();
if (field.contains(SymbolConstant.COMMA)) {
return getSqlInjectField(field.split(SymbolConstant.COMMA));
}
/**
* 校验表字段是否有效
*
* 字段定义只能是是字母 数字 下划线的组合(不允许有空格、转义字符串等)
*/
boolean isValidField = fieldPattern.matcher(field).matches();
if (!isValidField) {
String errorMsg = "字段不合法存在SQL注入风险!--->" + field;
log.error(errorMsg);
throw new JeecgSqlInjectionException(errorMsg);
}
//进一步验证是否存在SQL注入风险
filterContent(field);
return field;
}
public static String getSqlInjectField(String... fields) {
for (String s : fields) {
getSqlInjectField(s);
}
return String.join(SymbolConstant.COMMA, fields);
}
/**
@@ -89,7 +153,7 @@ public class SqlInjectionUtil {
if (value.indexOf(xssArr[i]) > -1) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
log.error("请注意值可能存在SQL注入风险!---> {}", value);
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
//update-begin-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的还需要额外的校验比如 单引号
@@ -99,13 +163,13 @@ public class SqlInjectionUtil {
if (value.indexOf(xssArr2[i]) > -1) {
log.error("请注意存在SQL注入关键词---> {}", xssArr2[i]);
log.error("请注意值可能存在SQL注入风险!---> {}", value);
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
}
//update-end-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的还需要额外的校验比如 单引号
if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
return;
}
@@ -114,7 +178,7 @@ public class SqlInjectionUtil {
* sql注入过滤处理遇到注入关键字抛异常
* @param values
*/
public static void filterContent(String[] values) {
public static void filterContent(String... values) {
filterContent(values, null);
}
@@ -141,7 +205,7 @@ public class SqlInjectionUtil {
if (value.indexOf(xssArr[i]) > -1) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
log.error("请注意值可能存在SQL注入风险!---> {}", value);
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
//update-begin-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的还需要额外的校验比如 单引号
@@ -151,13 +215,13 @@ public class SqlInjectionUtil {
if (value.indexOf(xssArr2[i]) > -1) {
log.error("请注意存在SQL注入关键词---> {}", xssArr2[i]);
log.error("请注意值可能存在SQL注入风险!---> {}", value);
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
}
//update-end-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的还需要额外的校验比如 单引号
if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
return;
@@ -188,11 +252,11 @@ public class SqlInjectionUtil {
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
log.error("请注意值可能存在SQL注入风险!---> {}", value);
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
return;
}
@@ -222,12 +286,12 @@ public class SqlInjectionUtil {
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
log.error("请注意值可能存在SQL注入风险!---> {}", value);
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
}
if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
throw new JeecgSqlInjectionException("请注意值可能存在SQL注入风险!--->" + value);
}
return;
}
@@ -285,7 +349,7 @@ public class SqlInjectionUtil {
if(matcher.find()){
String error = "请注意值可能存在SQL注入风险---> \\*.*\\";
log.error(error);
throw new RuntimeException(error);
throw new JeecgSqlInjectionException(error);
}
// issues/4737 sys/duplicate/check SQL注入 #4737
@@ -293,7 +357,7 @@ public class SqlInjectionUtil {
if(sleepMatcher.find()){
String error = "请注意值可能存在SQL注入风险---> sleep";
log.error(error);
throw new RuntimeException(error);
throw new JeecgSqlInjectionException(error);
}
}
}

7
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
View File

@@ -2,6 +2,7 @@ package org.jeecg.common.util.security;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils;
import org.jeecg.common.exception.JeecgSqlInjectionException;
import java.util.*;
import java.util.regex.Matcher;
@@ -81,6 +82,12 @@ public abstract class AbstractQueryBlackListHandler {
}
}
// 返回黑名单校验结果(不合法直接抛出异常)
if(!flag){
log.error(this.getError());
throw new JeecgSqlInjectionException(this.getError());
}
return flag;
}