1 year ago · dd7bf104e7
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java
@@ -3,6 +3,8 @@ package org.jeecg.common.util.security;
 
				 import lombok.extern.slf4j.Slf4j;
			
 
				 
			
 
				 import java.util.*;
			
 
				+import java.util.regex.Matcher;
			
 
				+import java.util.regex.Pattern;
			
 
				 
			
 
				 /**
			
 
				  * 查询表/字段 黑名单处理
			
@@ -21,6 +23,11 @@ public abstract class AbstractQueryBlackListHandler {
 
				      */
			
 
				     public static Map<String, String> ruleMap = new HashMap<>();
			
 
				 
			
 
				+    /**
			
 
				+     * 以下字符不能出现在表名中或是字段名中
			
 
				+     */
			
 
				+    public static final Pattern ILLEGAL_NAME_REG = Pattern.compile("[-]{2,}");
			
 
				+
			
 
				     static {
			
 
				         ruleMap.put("sys_user", "password,salt");
			
 
				     }
			
@@ -53,7 +60,10 @@ public abstract class AbstractQueryBlackListHandler {
 
				             return true;
			
 
				         }
			
 
				         log.info("--获取sql信息--", list.toString());
			
 
				-        boolean flag = true;
			
 
				+        boolean flag = checkTableAndFieldsName(list);
			
 
				+        if(flag == false){
			
 
				+            return false;
			
 
				+        }
			
 
				         for (QueryTable table : list) {
			
 
				             String name = table.getName();
			
 
				             String fieldString = ruleMap.get(name);
			
@@ -73,6 +83,46 @@ public abstract class AbstractQueryBlackListHandler {
 
				         return flag;
			
 
				     }
			
 
				 
			
 
				+    /**
			
 
				+     * 校验表名和字段名是否有效，或是是否会带些特殊的字符串进行sql注入
			
 
				+     * issues/4983 SQL Injection in 3.5.1 #4983
			
 
				+     * @return
			
 
				+     */
			
 
				+    private boolean checkTableAndFieldsName(List<QueryTable> list){
			
 
				+        boolean flag = true;
			
 
				+        for(QueryTable queryTable: list){
			
 
				+            String tableName = queryTable.getName();
			
 
				+            if(hasSpecialString(tableName)){
			
 
				+                flag = false;
			
 
				+                log.warn("sql黑名单校验，表名【"+tableName+"】包含特殊字符");
			
 
				+                break;
			
 
				+            }
			
 
				+            Set<String> fields = queryTable.getFields();
			
 
				+            for(String name: fields){
			
 
				+                if(hasSpecialString(name)){
			
 
				+                    flag = false;
			
 
				+                    log.warn("sql黑名单校验，字段名【"+name+"】包含特殊字符");
			
 
				+                    break;
			
 
				+                } 
			
 
				+            }
			
 
				+        }
			
 
				+        return flag;
			
 
				+    }
			
 
				+
			
 
				+    /**
			
 
				+     * 是否包含特殊的字符串
			
 
				+     * @param name
			
 
				+     * @return
			
 
				+     */
			
 
				+    private boolean hasSpecialString(String name){
			
 
				+        Matcher m = ILLEGAL_NAME_REG.matcher(name);
			
 
				+        if (m.find()) {
			
 
				+            return true;
			
 
				+        }
			
 
				+        return false;
			
 
				+    }
			
 
				+    
			
 
				+
			
 
				     /**
			
 
				      * 查询的表的信息
			
 
				      */