refactor(curd): 重构排序字段处理,预防 SQL 注入问题
Showing
13 changed files
with
274 additions
and
229 deletions.
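--- /dev/null
+++ b/...tarter-data-core/src/main/java/top/continew/starter/data/core/util/SqlInjectionUtils.java
@@ -0,0 +1,53 @@
+/*
+* Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+* <p>
+* Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* <p>
+* http://www.gnu.org/licenses/lgpl.html
+* <p>
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package top.continew.starter.data.core.util;
+
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+* SQL 注入验证工具类
+*
+* @author hubin
+* @since 2.5.2
+*/
+public class SqlInjectionUtils {
+
+/**
+* SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配
+*/
+private static final Pattern SQL_SYNTAX_PATTERN = Pattern
+.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" + "\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)|(and|or)\\s+.*", Pattern.CASE_INSENSITIVE);
+
+/**
+* 使用'、;或注释截断SQL检查正则
+*/
+private static final Pattern SQL_COMMENT_PATTERN = Pattern
+.compile("'.*(or|union|--|#|/\\*|;)", Pattern.CASE_INSENSITIVE);
+
+/**
+* 检查参数是否存在 SQL 注入
+*
+* @param value 检查参数
+* @return true:非法;false:合法
+*/
+public static boolean check(String value) {
+Objects.requireNonNull(value);
+// 处理是否包含 SQL 注释字符 || 检查是否包含 SQ L注入敏感字符
+return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
+}
+}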
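Review bot: check() is a keyword denylist — any value that matches neither SQL_COMMENT_PATTERN nor SQL_SYNTAX_PATTERN passes — so by itself it does not establish that a sort field is safe to splice into an ORDER BY clause; the call sites that handle sort fields (outside this hunk) should restrict the value to an allowlist of known column names or to identifier characters, e.g. `if (!value.matches("[A-Za-z0-9_]+")) { throw new IllegalArgumentException("illegal sort field"); }`, and keep this check as defence in depth. The Javadoc on check() should say so; a one-line `@apiNote` stating that the check is a keyword-based heuristic and that sort fields must additionally be validated against a column allowlist would prevent callers from relying on it alone. The class has only static members but no private constructor; add `private SqlInjectionUtils() {}`. The comment above the return statement reads `SQ L注入` and should read `SQL 注入`.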
File renamed without changes.
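--- /dev/null
+++ b/...-crud-core/src/main/java/top/continew/starter/extension/crud/model/resp/BasePageResp.java
@@ -0,0 +1,73 @@
+/*
+* Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+* <p>
+* Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* <p>
+* http://www.gnu.org/licenses/lgpl.html
+* <p>
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package top.continew.starter.extension.crud.model.resp;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+
+import java.io.Serial;
+import java.io.Serializable;
+import java.util.List;
+
+/**
+* 分页信息
+*
+* @param <T> 列表数据类型
+* @author Charles7c
+* @since 2.5.2
+*/
+@Schema(description = "分页信息")
+public class BasePageResp<T> implements Serializable {
+
+@Serial
+private static final long serialVersionUID = 1L;
+
+/**
+* 列表数据
+*/
+@Schema(description = "列表数据")
+private List<T> list;
+
+/**
+* 总记录数
+*/
+@Schema(description = "总记录数", example = "10")
+private long total;
+
+public BasePageResp() {
+}
+
+public BasePageResp(final List<T> list, final long total) {
+this.list = list;
+this.total = total;
+}
+
+public List<T> getList() {
+return list;
+}
+
+public void setList(List<T> list) {
+this.list = list;
+}
+
+public long getTotal() {
+return total;
+}
+
+public void setTotal(long total) {
+this.total = total;
+}
+}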
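Review bot: getList() hands back the stored reference unchanged, which is null when the no-arg constructor is used and setList() is never called, so every consumer of a page response has to null-check before iterating; if an empty page is meant to serialize as an empty array, `return list == null ? List.of() : list;` in getList() would make that explicit, though this changes the emitted JSON from null to [] and should be confirmed against existing clients. The public constructors and accessors carry no Javadoc while the fields do; a one-line summary on `BasePageResp(final List<T> list, final long total)` describing the two arguments would keep the class consistently documented.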