From 1ca1fd848524e771e15f5cc349a54b88d874ae80 Mon Sep 17 00:00:00 2001
From: wenshao
Date: Mon, 26 Aug 2013 00:26:29 +0800
Subject: [PATCH] improve sql wall

---
 .../sql/visitor/SQLEvalVisitorUtils.java | 1 +
 .../druid/wall/spi/WallVisitorUtils.java | 15 ++++++--
 .../bvt/filter/wall/MySqlWallTest127.java | 36 +++++++++++++++++++
 .../filter/wall/WallStatTest_blackList_1.java | 2 +-
 4 files changed, 50 insertions(+), 4 deletions(-)
 create mode 100644 src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest127.java

diff --git a/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java b/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java
index dba48c20bd..46345b562d 100644
--- a/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java
+++ b/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java
@@ -91,6 +91,7 @@
 import com.alibaba.druid.sql.visitor.functions.Unhex;
 import com.alibaba.druid.util.HexBin;
 import com.alibaba.druid.util.JdbcUtils;
+import com.alibaba.druid.wall.WallContext;
 import com.alibaba.druid.wall.spi.WallVisitorUtils;
 import com.alibaba.druid.wall.spi.WallVisitorUtils.WallConditionContext;
 import com.alibaba.druid.wall.spi.WallVisitorUtils.WallSelectQueryContext;
diff --git a/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java b/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java
index fae168dad9..8d0260d237 100644
--- a/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java
+++ b/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java
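Review bot: The added `import com.alibaba.druid.wall.WallContext;` is the only change to this file in the commit (the diffstat shows 1 insertion for it), so unless `WallContext` was already referenced in the file without an import it is unused here and will be flagged by the IDE or Checkstyle. Either drop the import or land it together with the code that actually uses it so the two can be reviewed as one change.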
@@ -647,9 +647,9 @@ public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) {
         SQLExpr right = x.getRight();
         Object leftResult = getValue(visitor, left);
         Object rightResult = getValue(visitor, right);
-
+
         if (x.getOperator() == SQLBinaryOperator.Like && leftResult instanceof String && leftResult.equals(rightResult)) {
-            addViolation(visitor, ErrorCode.DoubleConstCondition, "same const like", x);
+            addViolation(visitor, ErrorCode.SameConstLike, "same const like", x);
         }

         if (x.getOperator() == SQLBinaryOperator.Like || x.getOperator() == SQLBinaryOperator.NotLike) {
@@ -664,7 +664,16 @@ public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) {
         if (x.getOperator() == SQLBinaryOperator.BooleanAnd) {
             if (rightResult != null && x.getLeft() instanceof SQLBinaryOpExpr) {
                 SQLBinaryOpExpr leftBinaryOpExpr = (SQLBinaryOpExpr) x.getLeft();
-                if (leftBinaryOpExpr.getOperator() == SQLBinaryOperator.BooleanAnd) {
+
+                if (leftBinaryOpExpr.getOperator() != SQLBinaryOperator.BooleanAnd //
+                    && leftBinaryOpExpr.getOperator() != SQLBinaryOperator.BooleanOr //
+                    && leftResult != null //
+                    && visitor != null) {
+                    addViolation(visitor, ErrorCode.DoubleConstCondition, "double const condition", x);
+                }
+
+                if (leftBinaryOpExpr.getOperator() == SQLBinaryOperator.BooleanAnd //
+                    || leftBinaryOpExpr.getOperator() == SQLBinaryOperator.BooleanOr) {
                     Object leftRightVal = getValue(leftBinaryOpExpr.getRight());
                     if (leftRightVal != null) {
                         addViolation(visitor, ErrorCode.DoubleConstCondition, "double const condition", x);
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest127.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest127.java
new file mode 100644
index 0000000000..2c75965de9
--- /dev/null
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest127.java
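Review bot: The `&& visitor != null` guard on the first added `if` in the second hunk is the only null check on `visitor` in this method as far as the diff shows; the `addViolation(visitor, ErrorCode.DoubleConstCondition, ...)` call in the BooleanAnd/BooleanOr branch three lines below and the `ErrorCode.SameConstLike` call in the first hunk pass `visitor` unguarded, so either `addViolation` already tolerates a null visitor (and the new guard is redundant) or those existing paths can throw — either way the handling should be consistent rather than guarding one branch. The two consecutive `if` blocks report the same `ErrorCode.DoubleConstCondition` for complementary operator sets; a one-line comment on the first, such as `// left side is a plain comparison that folded to a constant (e.g. 8868=8022) and the right side is constant too`, would make the split easier to follow than inferring it from the operator exclusions. This block only runs under `x.getOperator() == SQLBinaryOperator.BooleanAnd`, and the mirrored BooleanOr form of a double constant condition is not visible in this hunk, so confirm it is covered elsewhere. `getValue` starts and ends outside both hunks.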
@@ -0,0 +1,36 @@
+/*
+ * Copyright 1999-2011 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.druid.bvt.filter.wall;
+
+import junit.framework.TestCase;
+
+import org.junit.Assert;
+
+import com.alibaba.druid.wall.WallProvider;
+import com.alibaba.druid.wall.spi.MySqlWallProvider;
+
+public class MySqlWallTest127 extends TestCase {
+
+    public void test_false() throws Exception {
+        WallProvider provider = new MySqlWallProvider();
+        provider.getConfig().setCommentAllow(false);
+
+        String sql = "SELECT name, '******' password, createTime from user where name like '-1079%' OR (8868=8022) AND '%'=''";
+
+        Assert.assertFalse(provider.checkValid(sql));
+    }
+
+}
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallStatTest_blackList_1.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallStatTest_blackList_1.java
index 15c2263fa8..ea6631e635 100644
--- a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallStatTest_blackList_1.java
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallStatTest_blackList_1.java
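Review bot: `test_false` only asserts that `provider.checkValid(sql)` is false, so it keeps passing if the statement is rejected for an unrelated reason (the `SameConstLike` rule, a later rule) while the new double-const check it was written for silently regresses. If `WallProvider` exposes the full check result with its violation list, also pin the specific error code, e.g. `Assert.assertEquals(ErrorCode.DoubleConstCondition, provider.check(sql).getViolations().get(0).getErrorCode())`, adjusted to the project's actual result API. `provider.getConfig().setCommentAllow(false)` has no bearing on this statement, which contains no comment; either drop that line or add a comment stating why the test needs it.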
@@ -32,7 +32,7 @@ public void testMySql() throws Exception {
         Assert.assertEquals(0, provider.getBlackListHitCount());
         Assert.assertEquals(0, provider.getWhiteListHitCount());
         Assert.assertEquals(0, provider.getWhiteList().size());
-        Assert.assertEquals(100, provider.getBlackList().size());
+        Assert.assertEquals(200, provider.getBlackList().size());
         Assert.assertEquals(1001, provider.getCheckCount());
     }

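Review bot: The expected blacklist size is bumped from 100 to 200 with no comment explaining why, while `getCheckCount()` stays at 1001; from this line alone a reader cannot tell whether the doubling comes from the extended double-const-condition rule in `WallVisitorUtils` rejecting more of the generated statements or from a change to a blacklist cap. Add a short comment on the assertion naming the actual cause, e.g. `// 200: the double-const-condition check now also catches <describe the shape>` so the next rule change does not turn this into another unexplained number edit. `testMySql` starts outside this hunk.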