fix: 修复SQL注入漏洞

3 months ago · 09b0adabc0
parent 05047e4745
commit 09b0adabc0
3 changed files with 93 additions and 0 deletions
--- a/busi-back/busi-back-control/src/main/java/com/huatek/busi/controller/SysConfigController.java
+++ b/busi-back/busi-back-control/src/main/java/com/huatek/busi/controller/SysConfigController.java
@ -2,6 +2,8 @@ package com.huatek.busi.controller;

 import java.util.Map;

+import com.huatek.frame.base.util.SqlEscapeUtil;
+import com.huatek.torch.frame.exception.OwlException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.GetMapping;
@ -85,6 +87,26 @@ public class SysConfigController {
    @KerLog(projectName = "PROJECTNAME", modelName = "SYSCONFIG.MODELNAME", methodName = "SYSCONFIG.METHODNAME.UPDATESYSCONFIG")
    @PostMapping(value = "/updateSysConfig", produces = {"application/json;charset=utf-8"})
    public Map<String, Object> updateSysConfig(String token,@RequestBody SysConfigDTO sysConfigDTO){
+        boolean flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getParamKey());
+        if (flag) {
+            throw new OwlException("参数名包含非法字符!");
+        }
+        flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getParamValue());
+        if (flag) {
+            throw new OwlException("参数值包含非法字符!");
+        }
+        flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getRemark());
+        if (flag) {
+            throw new OwlException("备注包含非法字符!");
+        }
+        flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getId());
+        if (flag) {
+            throw new OwlException("id包含非法字符!");
+        }
+        flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getStatus());
+        if (flag) {
+            throw new OwlException("状态包含非法字符!");
+        }
        int count = sysConfigService.updateSysConfig(sysConfigDTO);
        logger.debug("updateSysConfig: {}", count);
        Map<String, Object> map = ResultUtil.put(ConstantUtil.REQUEST_SUCCESS, "", "");
--- a/frame-base/frame-base-common/src/main/java/com/huatek/frame/base/util/SqlEscapeUtil.java
+++ b/frame-base/frame-base-common/src/main/java/com/huatek/frame/base/util/SqlEscapeUtil.java
@ -0,0 +1,61 @@
+package com.huatek.frame.base.util;
+
+import org.apache.commons.lang3.StringUtils;
+
+
+public class SqlEscapeUtil {
+
+    /**
+     * 转义字符
+     **/
+    public static final String ESCAPE = "/";
+
+    /**
+     * 转义方法
+     *
+     * @param param 待转义字符串
+     * @return String
+     */
+    public static String escape(String param) {
+        if (StringUtils.isNotEmpty(param)) {
+            String temp = param.replaceAll("/", ESCAPE + "/");
+            temp = temp.replaceAll("%", ESCAPE + "%");
+            temp = temp.replaceAll("_", ESCAPE + "_");
+            temp = temp.replaceAll("'", "''");
+            return temp.trim();
+        }
+        return null;
+    }
+
+//    public static void main (String[] args) {
+//        StringBuilder stringBuilder = new StringBuilder();
+//        stringBuilder.append("asd").deleteCharAt(stringBuilder.length() - 1);
+//        System.out.println(stringBuilder.toString());
+//    }
+
+    /**
+     * @param @param  str
+     * @param @return
+     * @return boolean 有true，无false
+     * @author ampsycho.hw
+     * @Title: sqlValidate
+     * @Description: 验证sql是否为违法关键字
+     */
+    public static boolean sqlValidate(String str) {
+        if (StringUtils.isBlank(str)) {
+            return false;
+        }
+        str = str.toLowerCase();// 统一转为小写
+        String badStr = "'|exec|and|or|execute|insert|select|delete|update|drop|%|master|truncate|"
+                + "declare|sitename|net user|xp_cmdshell|like'|exec|execute|insert|create|drop|"
+                + "table|grant|use|group_concat|column_name|information_schema.columns|table_schema|"
+                + "select|delete|update|master|truncate|declare|-- |like|//|%";// 过滤掉的sql关键字，可以手动添加
+        String[] badStrs = badStr.split("\\|");
+        for (int i = 0; i < badStrs.length; i++) {
+            if (str.contains(badStrs[i])) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
--- a/frame-base/frame-base-control/src/main/java/com/huatek/frame/base/model/controller/ModelController.java
+++ b/frame-base/frame-base-control/src/main/java/com/huatek/frame/base/model/controller/ModelController.java
@ -5,6 +5,8 @@ import com.alibaba.fastjson.JSON;
 import com.huatek.frame.base.dto.ModelComponentDataDTO;
 import com.huatek.frame.base.dto.ModelDTO;
 import com.huatek.frame.base.service.ModelService;
+import com.huatek.frame.base.util.SqlEscapeUtil;
+import com.huatek.torch.frame.exception.OwlException;
 import com.huatek.torch.frame.tools.ConstantUtil;
 import com.huatek.torch.frame.tools.ResultUtil;
 import io.swagger.annotations.Api;
@ -123,6 +125,14 @@ public class ModelController {
 	@ApiOperation(value = "部件管理-查询主设备列表")
 	@GetMapping(value="/selectMainEquipmentListByModelType")
 	public  Map<String, Object> selectMainEquipmentListByModelType(@RequestParam(value = "siteId") String siteId, @RequestParam(value = "modelType")  String modelType) {
+		boolean flag = SqlEscapeUtil.sqlValidate(siteId);
+		if (flag) {
+			throw new OwlException("siteId包含非法字符!");
+		}
+		flag = SqlEscapeUtil.sqlValidate(modelType);
+		if (flag) {
+			throw new OwlException("modelType包含非法字符!");
+		}
 		Map<String, Object> map = modelService.selectMainEquipmentListByModelType(siteId, modelType);
 		return map;
 	}