From 09b0adabc0d2a21bf29f5e2bd53c8a16c9df97cf Mon Sep 17 00:00:00 2001
From: huangfeng
Date: Wed, 2 Apr 2025 10:31:27 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8DSQL=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../busi/controller/SysConfigController.java | 22 +++++++
 .../huatek/frame/base/util/SqlEscapeUtil.java | 61 +++++++++++++++++++
 .../model/controller/ModelController.java | 10 +++
 3 files changed, 93 insertions(+)
 create mode 100644 frame-base/frame-base-common/src/main/java/com/huatek/frame/base/util/SqlEscapeUtil.java
diff --git a/busi-back/busi-back-control/src/main/java/com/huatek/busi/controller/SysConfigController.java b/busi-back/busi-back-control/src/main/java/com/huatek/busi/controller/SysConfigController.java
index 2380593..80403ed 100644
--- a/busi-back/busi-back-control/src/main/java/com/huatek/busi/controller/SysConfigController.java
+++ b/busi-back/busi-back-control/src/main/java/com/huatek/busi/controller/SysConfigController.java
@@ -2,6 +2,8 @@ package com.huatek.busi.controller;
 import java.util.Map;
+import com.huatek.frame.base.util.SqlEscapeUtil;
+import com.huatek.torch.frame.exception.OwlException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -85,6 +87,26 @@ public class SysConfigController {
 @KerLog(projectName = "PROJECTNAME", modelName = "SYSCONFIG.MODELNAME", methodName = "SYSCONFIG.METHODNAME.UPDATESYSCONFIG")
 @PostMapping(value = "/updateSysConfig", produces = {"application/json;charset=utf-8"})
 public Map updateSysConfig(String token,@RequestBody SysConfigDTO sysConfigDTO){
+ boolean flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getParamKey());
+ if (flag) {
+ throw new OwlException("参数名包含非法字符!");
+ }
+ flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getParamValue());
+ if (flag) {
+ throw new OwlException("参数值包含非法字符!");
+ }
+ flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getRemark());
+ if (flag) {
+ throw new OwlException("备注包含非法字符!");
+ }
+ flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getId());
+ if (flag) {
+ throw new OwlException("id包含非法字符!");
+ }
+ flag = SqlEscapeUtil.sqlValidate(sysConfigDTO.getStatus());
+ if (flag) {
+ throw new OwlException("状态包含非法字符!");
+ }
 int count = sysConfigService.updateSysConfig(sysConfigDTO);
 logger.debug("updateSysConfig: {}", count);
 Map map = ResultUtil.put(ConstantUtil.REQUEST_SUCCESS, "", "");
diff --git a/frame-base/frame-base-common/src/main/java/com/huatek/frame/base/util/SqlEscapeUtil.java b/frame-base/frame-base-common/src/main/java/com/huatek/frame/base/util/SqlEscapeUtil.java
new file mode 100644
index 0000000..8bdbad0
--- /dev/null
+++ b/frame-base/frame-base-common/src/main/java/com/huatek/frame/base/util/SqlEscapeUtil.java
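Review bot: The added checks reject a field whenever it merely contains one of SqlEscapeUtil's substrings, and that list includes bare words such as `and`, `or`, `use` and `table`, so a legitimate paramValue like "color" or a remark mentioning "user" fails at the first `if (flag)`; the siteId/modelType checks in the selectMainEquipmentListByModelType hunk share the problem. A substring denylist is also not a dependable injection defence, so the durable fix is binding these values as SQL parameters in the mapper that updateSysConfig reaches, with this controller check at most a secondary filter. The five identical flag/if/throw blocks would collapse into one helper, e.g. `private static void rejectIfUnsafe(String value, String label) { if (SqlEscapeUtil.sqlValidate(value)) throw new OwlException(label + "包含非法字符!"); }`, called once per field, which also removes the reused `flag` local. updateSysConfig continues outside the hunk.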
@@ -0,0 +1,61 @@
+package com.huatek.frame.base.util;
+
+import org.apache.commons.lang3.StringUtils;
+
+
+public class SqlEscapeUtil {
+
+ /**
+ * 转义字符
+ **/
+ public static final String ESCAPE = "/";
+
+ /**
+ * 转义方法
+ *
+ * @param param 待转义字符串
+ * @return String
+ */
+ public static String escape(String param) {
+ if (StringUtils.isNotEmpty(param)) {
+ String temp = param.replaceAll("/", ESCAPE + "/");
+ temp = temp.replaceAll("%", ESCAPE + "%");
+ temp = temp.replaceAll("_", ESCAPE + "_");
+ temp = temp.replaceAll("'", "''");
+ return temp.trim();
+ }
+ return null;
+ }
+
+// public static void main (String[] args) {
+// StringBuilder stringBuilder = new StringBuilder();
+// stringBuilder.append("asd").deleteCharAt(stringBuilder.length() - 1);
+// System.out.println(stringBuilder.toString());
+// }
+
+ /**
+ * @param @param str
+ * @param @return
+ * @return boolean 有true,无false
+ * @author ampsycho.hw
+ * @Title: sqlValidate
+ * @Description: 验证sql是否为违法关键字
+ */
+ public static boolean sqlValidate(String str) {
+ if (StringUtils.isBlank(str)) {
+ return false;
+ }
+ str = str.toLowerCase();// 统一转为小写
+ String badStr = "'|exec|and|or|execute|insert|select|delete|update|drop|%|master|truncate|" +
+ "declare|sitename|net user|xp_cmdshell|like'|exec|execute|insert|create|drop|" +
+ "table|grant|use|group_concat|column_name|information_schema.columns|table_schema|" +
+ "select|delete|update|master|truncate|declare|-- |like|//|%";// 过滤掉的sql关键字,可以手动添加
+ String[] badStrs = badStr.split("\\|");
+ for (int i = 0; i < badStrs.length; i++) {
+ if (str.contains(badStrs[i])) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
diff --git a/frame-base/frame-base-control/src/main/java/com/huatek/frame/base/model/controller/ModelController.java b/frame-base/frame-base-control/src/main/java/com/huatek/frame/base/model/controller/ModelController.java
index fb2707c..1291903 100644
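Review bot: sqlValidate matches every entry with `str.contains`, and the list holds bare words `and`, `or`, `use`, `table` and `like`, so ordinary values ("report", "user", "standard") are rejected while a substring denylist still does not replace parameterised SQL; the class should say so in its Javadoc, e.g. `/** Heuristic denylist check; a secondary filter only, not a substitute for binding values as SQL parameters. */`. The list repeats `exec`, `execute`, `insert`, `select`, `delete`, `update`, `drop`, `master`, `truncate`, `declare` and `%`, and `like'` is already covered by `'`; it should be a deduplicated `private static final String[]` split once rather than re-split on every call, and `toLowerCase()` should pass `Locale.ROOT` so matching does not vary with the JVM's default locale. escape() is documented as `@return String` but returns null for an empty or null parameter and trims the result, which callers will not expect from an escaping helper; returning the input unchanged, or documenting the null, would fix the contract. The `/` escape only neutralises `%` and `_` when the consuming LIKE clause declares `ESCAPE '/'`, which the ESCAPE comment should state, and the sqlValidate Javadoc tags (`@param @param str`, `@param @return`) are malformed. The commented-out main should be deleted.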
--- a/frame-base/frame-base-control/src/main/java/com/huatek/frame/base/model/controller/ModelController.java
+++ b/frame-base/frame-base-control/src/main/java/com/huatek/frame/base/model/controller/ModelController.java
@@ -5,6 +5,8 @@ import com.alibaba.fastjson.JSON;
 import com.huatek.frame.base.dto.ModelComponentDataDTO;
 import com.huatek.frame.base.dto.ModelDTO;
 import com.huatek.frame.base.service.ModelService;
+import com.huatek.frame.base.util.SqlEscapeUtil;
+import com.huatek.torch.frame.exception.OwlException;
 import com.huatek.torch.frame.tools.ConstantUtil;
 import com.huatek.torch.frame.tools.ResultUtil;
 import io.swagger.annotations.Api;
@@ -123,6 +125,14 @@ public class ModelController {
 @ApiOperation(value = "部件管理-查询主设备列表")
 @GetMapping(value="/selectMainEquipmentListByModelType")
 public Map selectMainEquipmentListByModelType(@RequestParam(value = "siteId") String siteId, @RequestParam(value = "modelType") String modelType) {
+ boolean flag = SqlEscapeUtil.sqlValidate(siteId);
+ if (flag) {
+ throw new OwlException("siteId包含非法字符!");
+ }
+ flag = SqlEscapeUtil.sqlValidate(modelType);
+ if (flag) {
+ throw new OwlException("modelType包含非法字符!");
+ }
 Map map = modelService.selectMainEquipmentListByModelType(siteId, modelType);
 return map;
 }