修复 sql注入漏洞 #4393

zhangdaiscott · zhangdaiscott · commit 0fc374de4745 · 2022-12-23T14:03:22.000+08:00
diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -3,6 +3,7 @@
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
+
 import javax.servlet.http.HttpServletRequest;
 import java.lang.reflect.Field;
 import java.util.Set;
@@ -21,7 +22,7 @@ public class SqlInjectionUtil {
 	 * （上线修改值 20200501，同步修改前端的盐值）
 	 */
 	private final static String TABLE_DICT_SIGN_SALT = "20200501";
-	private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
+	private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
 
 	/**
 	 * 正则 user() 匹配更严谨
@@ -33,7 +34,7 @@ public class SqlInjectionUtil {
 	/**
 	 * sql注释的正则
 	 */
-	private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");
+	private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*[\\s\\S]*\\*/");
 
 	/**
 	 * 针对表字典进行额外的sign签名校验（增加安全机制）
@@ -167,7 +168,7 @@ public static void filterContent(String[] values, String customXssString) {
 	 */
 	//@Deprecated
 	public static void specialFilterContentForDictSql(String value) {
-		String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
+		String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
 		String[] xssArr = specialXssStr.split("\\|");
 		if (value == null || "".equals(value)) {
 			return;
@@ -201,7 +202,7 @@ public static void specialFilterContentForDictSql(String value) {
      */
 	//@Deprecated
 	public static void specialFilterContentForOnlineReport(String value) {
-		String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
+		String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
 		String[] xssArr = specialXssStr.split("\\|");
 		if (value == null || "".equals(value)) {
 			return;
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@@ -1,6 +1,5 @@
 package org.jeecg.modules.system.security;
 
-import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
@@ -52,7 +51,9 @@ protected List<QueryTable> getQueryTableInfo(String dictCodeString) {
      */
     private String getTableName(String str) {
         String[] arr = str.split("\\s+(?i)where\\s+");
-        return arr[0];
+        // sys_user , (sys_user), sys_user%20, %60sys_user%60  issues/4393
+        String reg = "\\s+|\\(|\\)|`";
+        return arr[0].replaceAll(reg, "");
     }
 
 }
