Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
pig_冷冷
Pig
提交
38e06950
Pig
项目概览
pig_冷冷
/
Pig
上一次同步 12 个月
通知
3
Star
1
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
Pig
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
38e06950
编写于
6月 25, 2019
作者:
pig_冷冷
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
🔒
修复安全问题 fix #IYBLJ Page作为入参的sql注入问题
上级
e7ef26df
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
149 addition
and
0 deletion
+149
-0
pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/SqlFilterArgumentResolver.java
...ud/pig/common/core/mybatis/SqlFilterArgumentResolver.java
+111
-0
pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/WebMvcConfig.java
...a/com/pig4cloud/pig/common/core/mybatis/WebMvcConfig.java
+38
-0
未找到文件。
pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/SqlFilterArgumentResolver.java
0 → 100644
浏览文件 @
38e06950
/*
* Copyright (c) 2018-2025, lengleng All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* Neither the name of the pig4cloud.com developer nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
* Author: lengleng (wangiegie@gmail.com)
*/
package
com.pig4cloud.pig.common.core.mybatis
;
import
cn.hutool.core.util.ArrayUtil
;
import
cn.hutool.core.util.StrUtil
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.pig4cloud.pig.common.core.exception.CheckedException
;
import
lombok.extern.slf4j.Slf4j
;
import
org.springframework.core.MethodParameter
;
import
org.springframework.web.bind.support.WebDataBinderFactory
;
import
org.springframework.web.context.request.NativeWebRequest
;
import
org.springframework.web.method.support.HandlerMethodArgumentResolver
;
import
org.springframework.web.method.support.ModelAndViewContainer
;
import
javax.servlet.http.HttpServletRequest
;
/**
* @author lengleng
* @date 2019-06-24
* <p>
* 解决Mybatis Plus Order By SQL注入问题
*/
@Slf4j
public
class
SqlFilterArgumentResolver
implements
HandlerMethodArgumentResolver
{
private
final
static
String
[]
KEYWORDS
=
{
"master"
,
"truncate"
,
"insert"
,
"select"
,
"delete"
,
"update"
,
"declare"
,
"alter"
,
"drop"
,
"sleep"
};
/**
* 判断Controller是否包含page 参数
*
* @param parameter 参数
* @return 是否过滤
*/
@Override
public
boolean
supportsParameter
(
MethodParameter
parameter
)
{
return
parameter
.
getParameterType
().
equals
(
Page
.
class
);
}
/**
* @param parameter 入参集合
* @param mavContainer model 和 view
* @param webRequest web相关
* @param binderFactory 入参解析
* @return 检查后新的page对象
* <p>
* page 只支持查询 GET .如需解析POST获取请求报文体处理
*/
@Override
public
Object
resolveArgument
(
MethodParameter
parameter
,
ModelAndViewContainer
mavContainer
,
NativeWebRequest
webRequest
,
WebDataBinderFactory
binderFactory
)
{
HttpServletRequest
request
=
webRequest
.
getNativeRequest
(
HttpServletRequest
.
class
);
String
[]
ascs
=
request
.
getParameterValues
(
"ascs"
);
String
[]
descs
=
request
.
getParameterValues
(
"descs"
);
String
current
=
request
.
getParameter
(
"current"
);
String
size
=
request
.
getParameter
(
"size"
);
Page
page
=
new
Page
();
if
(
StrUtil
.
isNotBlank
(
current
))
{
page
.
setCurrent
(
Long
.
parseLong
(
current
));
}
if
(
StrUtil
.
isNotBlank
(
size
))
{
page
.
setCurrent
(
Long
.
parseLong
(
size
));
}
page
.
setAsc
(
sqlInject
(
ascs
));
page
.
setDesc
(
sqlInject
(
descs
));
return
page
;
}
/**
* SQL注入过滤
*
* @param str 待验证的字符串
*/
public
static
String
[]
sqlInject
(
String
[]
str
)
{
if
(
ArrayUtil
.
isEmpty
(
str
))
{
return
null
;
}
//转换成小写
String
inStr
=
ArrayUtil
.
join
(
str
,
StrUtil
.
COMMA
).
toLowerCase
();
//判断是否包含非法字符
for
(
String
keyword
:
KEYWORDS
)
{
if
(
inStr
.
contains
(
keyword
))
{
log
.
error
(
"查询包含非法字符 {}"
,
keyword
);
throw
new
CheckedException
(
keyword
+
"包含非法字符"
);
}
}
return
str
;
}
}
pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/WebMvcConfig.java
0 → 100644
浏览文件 @
38e06950
/*
* Copyright (c) 2018-2025, lengleng All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* Neither the name of the pig4cloud.com developer nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
* Author: lengleng (wangiegie@gmail.com)
*/
package
com.pig4cloud.pig.common.core.mybatis
;
import
org.springframework.context.annotation.Configuration
;
import
org.springframework.web.method.support.HandlerMethodArgumentResolver
;
import
org.springframework.web.servlet.config.annotation.WebMvcConfigurer
;
import
java.util.List
;
/**
* @author lengleng
* @date 2019-06-24
* <p>
* 注入自自定义SQL 过滤
*/
@Configuration
public
class
WebMvcConfig
implements
WebMvcConfigurer
{
@Override
public
void
addArgumentResolvers
(
List
<
HandlerMethodArgumentResolver
>
argumentResolvers
)
{
argumentResolvers
.
add
(
new
SqlFilterArgumentResolver
());
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录