diff --git a/src/main/java/com/alibaba/druid/sql/visitor/ParameterizedOutputVisitorUtils.java b/src/main/java/com/alibaba/druid/sql/visitor/ParameterizedOutputVisitorUtils.java index 40a1b023fc..4c676171ff 100644 --- a/src/main/java/com/alibaba/druid/sql/visitor/ParameterizedOutputVisitorUtils.java +++ b/src/main/java/com/alibaba/druid/sql/visitor/ParameterizedOutputVisitorUtils.java @@ -32,6 +32,7 @@ import com.alibaba.druid.sql.ast.expr.SQLVariantRefExpr; import com.alibaba.druid.sql.ast.statement.SQLAssignItem; import com.alibaba.druid.sql.ast.statement.SQLColumnDefinition; +import com.alibaba.druid.sql.ast.statement.SQLSelectOrderByItem; import com.alibaba.druid.sql.dialect.db2.visitor.DB2ParameterizedOutputVisitor; import com.alibaba.druid.sql.dialect.mysql.visitor.MySqlParameterizedOutputVisitor; import com.alibaba.druid.sql.dialect.oracle.visitor.OracleParameterizedOutputVisitor; @@ -158,6 +159,7 @@ public static boolean checkParameterize(SQLObject x) { || parent instanceof SQLColumnDefinition // || parent instanceof SQLServerTop // || parent instanceof SQLAssignItem // + || parent instanceof SQLSelectOrderByItem // ) { return false; } diff --git a/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java b/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java index 8ccf8f0cb4..dba48c20bd 100644 --- a/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java +++ b/src/main/java/com/alibaba/druid/sql/visitor/SQLEvalVisitorUtils.java @@ -555,7 +555,7 @@ public static boolean visit(SQLEvalVisitor visitor, SQLMethodInvokeExpr x) { char ch = (char) intValue; x.putAttribute(EVAL_VALUE, Character.toString(ch)); } - } else if ("CURRENT_USER".equals(methodName)) { + } else if ("current_user".equals(methodName)) { x.putAttribute(EVAL_VALUE, "CURRENT_USER"); } return false; 
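Review bot: In the SQLEvalVisitorUtils hunk the comparison now matches only the lowercase spelling `"current_user"`, so a query written as `CURRENT_USER()` or `Current_User()` would no longer receive its EVAL_VALUE unless methodName has already been lower-cased before this branch, which is not visible here. That matters because the wall's constant folding and the MySQL deny list in this same diff both key on that name, and a missed match weakens the check silently rather than failing loudly. If the name is not normalised upstream, `} else if ("current_user".equalsIgnoreCase(methodName)) {` keeps the old behaviour for every spelling; if it is, a one-line comment saying so (`// methodName is lower-cased by the caller`) would stop the next reader from asking the same question. The bodies of checkParameterize and visit both continue outside their hunks.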
diff --git a/src/main/java/com/alibaba/druid/support/json/JSONWriter.java b/src/main/java/com/alibaba/druid/support/json/JSONWriter.java index d8c1f30bb2..3a9bfb085a 100644 --- a/src/main/java/com/alibaba/druid/support/json/JSONWriter.java +++ b/src/main/java/com/alibaba/druid/support/json/JSONWriter.java @@ -213,6 +213,15 @@ public void writeString(String text) { write("\\\\"); } else if (c == '\t') { write("\\t"); + } else if (c < 16) { + write("\\u000"); + write(Integer.toHexString(c)); + } else if (c < 32) { + write("\\u00"); + write(Integer.toHexString(c)); + } else if (c >= 0x7f && c <= 0xA0) { + write("\\u00"); + write(Integer.toHexString(c)); } else { write(c); } diff --git a/src/main/java/com/alibaba/druid/wall/WallFilter.java b/src/main/java/com/alibaba/druid/wall/WallFilter.java index 68568984ba..279032cc58 100644 --- a/src/main/java/com/alibaba/druid/wall/WallFilter.java +++ b/src/main/java/com/alibaba/druid/wall/WallFilter.java @@ -129,7 +129,7 @@ public synchronized void init(DataSourceProxy dataSource) { } else { throw new IllegalStateException("dbType not support : " + dbType + ", url " + dataSource.getUrl()); } - + provider.setName(dataSource.getName()); this.inited = true; @@ -364,6 +364,9 @@ public boolean statement_execute(FilterChain chain, StatementProxy statement, St setSqlStatAttribute(statement); } return firstResult; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { if (originalContext != null) { WallContext.setContext(originalContext); @@ -385,6 +388,9 @@ public boolean statement_execute(FilterChain chain, StatementProxy statement, St setSqlStatAttribute(statement); } return firstResult; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } 
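Review bot: The three new escape branches in JSONWriter.writeString carry no comment saying why 0x7f–0xA0 is treated like a control character, and each rebuilds the `\u00..` prefix by hand, which is easy to get subtly wrong when the next range is added. Emitting the four hex digits in one place reads better: `} else if (c < 32 || (c >= 0x7f && c <= 0xA0)) {` followed by `write("\\u"); write(String.format("%04x", (int) c));`, with a comment such as `// C0 controls, DEL, C1 controls and NBSP are always written as \uXXXX`. Note that `<`, `>` and `&` still pass through unescaped, which is correct JSON but becomes relevant because wall.html in this same diff concatenates these strings straight into page markup. writeString begins before this hunk.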
@@ -404,6 +410,9 @@ public boolean statement_execute(FilterChain chain, StatementProxy statement, St setSqlStatAttribute(statement); } return firstResult; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } @@ -423,6 +432,9 @@ public boolean statement_execute(FilterChain chain, StatementProxy statement, St setSqlStatAttribute(statement); } return firstResult; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } @@ -443,6 +455,9 @@ public int[] statement_executeBatch(FilterChain chain, StatementProxy statement) } return updateCounts; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } @@ -455,6 +470,9 @@ public ResultSetProxy statement_executeQuery(FilterChain chain, StatementProxy s try { sql = check(sql); return chain.statement_executeQuery(statement, sql); + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } @@ -468,6 +486,9 @@ public int statement_executeUpdate(FilterChain chain, StatementProxy statement, int updateCount = chain.statement_executeUpdate(statement, sql); statExecuteUpdate(updateCount); return updateCount; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } @@ -482,6 +503,9 @@ public int statement_executeUpdate(FilterChain chain, StatementProxy statement, int updateCount = chain.statement_executeUpdate(statement, sql, autoGeneratedKeys); statExecuteUpdate(updateCount); return updateCount; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } 
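Review bot: In the statement_executeQuery hunk (and the executeUpdate variants around it) the new catch wraps `sql = check(sql)` as well as the driver call, so a statement the firewall itself rejects — check() is declared `throws SQLException` further down in this file — is counted through incrementExecuteErrorCount() whenever a WallSqlStat is attached to the context at that point. That folds "blocked by the wall" into "failed at the database", which is exactly the distinction an operator reading executeErrorCount wants to see, and it inflates the error count of every probed statement. If that is not intended, move `sql = check(sql);` above the `try`, or skip the increment when the exception originated in check(). The enclosing methods start before their hunks.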
@@ -496,6 +520,9 @@ public int statement_executeUpdate(FilterChain chain, StatementProxy statement, int updateCount = chain.statement_executeUpdate(statement, sql, columnIndexes); statExecuteUpdate(updateCount); return updateCount; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } @@ -520,6 +547,9 @@ public int statement_executeUpdate(FilterChain chain, StatementProxy statement, int updateCount = chain.statement_executeUpdate(statement, sql, columnNames); statExecuteUpdate(updateCount); return updateCount; + } catch (SQLException ex) { + incrementExecuteErrorCount(); + throw ex; } finally { WallContext.clearContext(); } 
@@ -527,33 +557,48 @@ public int statement_executeUpdate(FilterChain chain, StatementProxy statement, @Override public boolean preparedStatement_execute(FilterChain chain, PreparedStatementProxy statement) throws SQLException { - boolean firstResult = chain.preparedStatement_execute(statement); + try { + boolean firstResult = chain.preparedStatement_execute(statement); - if (!firstResult) { - WallSqlStat sqlStat = (WallSqlStat) statement.getAttribute(ATTR_SQL_STAT); - int updateCount = statement.getUpdateCount(); - if (sqlStat != null) { - provider.addUpdateCount(sqlStat, updateCount); + if (!firstResult) { + WallSqlStat sqlStat = (WallSqlStat) statement.getAttribute(ATTR_SQL_STAT); + int updateCount = statement.getUpdateCount(); + if (sqlStat != null) { + provider.addUpdateCount(sqlStat, updateCount); + } } - } - return firstResult; + return firstResult; + } catch (SQLException ex) { + incrementExecuteErrorCount(statement); + throw ex; + } } @Override public ResultSetProxy preparedStatement_executeQuery(FilterChain chain, PreparedStatementProxy statement) throws SQLException { - return chain.preparedStatement_executeQuery(statement); + try { + return chain.preparedStatement_executeQuery(statement); + } catch (SQLException ex) { + incrementExecuteErrorCount(statement); + throw ex; + } } @Override public int preparedStatement_executeUpdate(FilterChain chain, PreparedStatementProxy statement) throws SQLException { - int updateCount = chain.preparedStatement_executeUpdate(statement); - WallSqlStat sqlStat = (WallSqlStat) statement.getAttribute(ATTR_SQL_STAT); - if (sqlStat != null) { - provider.addUpdateCount(sqlStat, updateCount); + try { + int updateCount = chain.preparedStatement_executeUpdate(statement); + WallSqlStat sqlStat = (WallSqlStat) statement.getAttribute(ATTR_SQL_STAT); + if (sqlStat != null) { + provider.addUpdateCount(sqlStat, updateCount); + } + return updateCount; + } catch (SQLException ex) { + incrementExecuteErrorCount(statement); + throw ex; } - 
return updateCount; } public void setSqlStatAttribute(StatementProxy stmt) { @@ -585,6 +630,27 @@ public void statExecuteUpdate(int updateCount) { provider.addUpdateCount(sqlStat, updateCount); } } + + public void incrementExecuteErrorCount(PreparedStatementProxy statement) { + WallSqlStat sqlStat = (WallSqlStat) statement.getAttribute(ATTR_SQL_STAT); + if (sqlStat != null) { + sqlStat.incrementAndGetExecuteErrorCount(); + } + } + + public void incrementExecuteErrorCount() { + WallContext context = WallContext.current(); + if (context == null) { + return; + } + + WallSqlStat sqlStat = context.getSqlStat(); + if (sqlStat == null) { + return; + } + + sqlStat.incrementAndGetExecuteErrorCount(); + } public String check(String sql) throws SQLException { WallCheckResult checkResult = provider.check(sql); diff --git a/src/main/java/com/alibaba/druid/wall/WallProvider.java b/src/main/java/com/alibaba/druid/wall/WallProvider.java index 56c70a2c97..14708f8e4f 100644 --- a/src/main/java/com/alibaba/druid/wall/WallProvider.java +++ b/src/main/java/com/alibaba/druid/wall/WallProvider.java @@ -64,7 +64,7 @@ public abstract class WallProvider { private LRUCache blackList; private LRUCache blackMergedList; - private int blackSqlMaxSize = 100; // 1k + private int blackSqlMaxSize = 200; // 1k protected final WallConfig config; diff --git a/src/main/java/com/alibaba/druid/wall/WallSqlStat.java b/src/main/java/com/alibaba/druid/wall/WallSqlStat.java index 3dd850c4fc..5f64bef122 100644 --- a/src/main/java/com/alibaba/druid/wall/WallSqlStat.java +++ b/src/main/java/com/alibaba/druid/wall/WallSqlStat.java 
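Review bot: The two new public overloads incrementExecuteErrorCount(PreparedStatementProxy) and incrementExecuteErrorCount() in the WallFilter hunk have no Javadoc, and both are silent no-ops when no WallSqlStat is attached or no WallContext is current, which a caller cannot tell from the signature. A one-liner on each would make that explicit: `/** Counts one execution failure against the statement's attached WallSqlStat; no-op when ATTR_SQL_STAT is unset. */` and `/** Counts one execution failure against the current WallContext's WallSqlStat; no-op outside a context or when it carries no stat. */`. The preparedStatement_executeUpdate body in the preceding hunk begins outside its hunk.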
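Review bot: In the WallProvider hunk the trailing comment on `private int blackSqlMaxSize = 200; // 1k` still says 1k while the value is now 200 (it already disagreed with the previous 100), so the only documentation of this cap is wrong. Replace it with what the field actually bounds, e.g. `private int blackSqlMaxSize = 200; // max entries retained in blackList / blackMergedList (LRU)`. Because this cap decides how many rejected SQL texts the monitor keeps for later inspection, doubling it is an operational trade-off that deserves a sentence in the commit message too.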
@@ -25,15 +25,19 @@ public class WallSqlStat { private volatile long executeCount; + private volatile long executeErrorCount; private volatile long fetchRowCount; private volatile long updateCount; - final static AtomicLongFieldUpdater executeCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, - "executeCount"); - final static AtomicLongFieldUpdater fetchRowCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, - "fetchRowCount"); - final static AtomicLongFieldUpdater updateCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, - "updateCount"); + final static AtomicLongFieldUpdater executeCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, + "executeCount"); + final static AtomicLongFieldUpdater executeErrorCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, + "executeErrorCount"); + + final static AtomicLongFieldUpdater fetchRowCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, + "fetchRowCount"); + final static AtomicLongFieldUpdater updateCountUpdater = AtomicLongFieldUpdater.newUpdater(WallSqlStat.class, + "updateCount"); private final Map tableStats; private final List violations; @@ -79,12 +83,16 @@ public long incrementAndGetExecuteCount() { return executeCountUpdater.incrementAndGet(this); } + public long incrementAndGetExecuteErrorCount() { + return executeErrorCountUpdater.incrementAndGet(this); + } + public long getExecuteCount() { return executeCount; } - public long incrementAndGetFetchRowCount() { - return fetchRowCountUpdater.incrementAndGet(this); + public long getExecuteErrorCount() { + return executeErrorCount; } public long addAndFetchRowCount(long delta) { 
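Review bot: The second WallSqlStat hunk removes the public method `incrementAndGetFetchRowCount()` in the same change that adds `getExecuteErrorCount()`, which is an unrelated API break: any caller outside this tree fails with NoSuchMethodError at runtime. If the method is genuinely dead, deprecate it first or drop it in its own commit; otherwise keep it as `public long incrementAndGetFetchRowCount() { return fetchRowCountUpdater.incrementAndGet(this); }` next to addAndFetchRowCount. The new `incrementAndGetExecuteErrorCount()` would also benefit from a Javadoc line stating it is lock-free via the field updater, matching the style of its siblings. The class body continues past this hunk.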
@@ -123,6 +131,7 @@ public WallSqlStatValue getStatValue(boolean reset) { final WallSqlStatValue statValue = new WallSqlStatValue(); statValue.setExecuteCount(get(this, executeCountUpdater, reset)); + statValue.setExecuteErrorCount(get(this, executeErrorCountUpdater, reset)); statValue.setFetchRowCount(get(this, fetchRowCountUpdater, reset)); statValue.setUpdateCount(get(this, updateCountUpdater, reset)); statValue.setSyntaxError(this.syntaxError); diff --git a/src/main/java/com/alibaba/druid/wall/WallSqlStatValue.java b/src/main/java/com/alibaba/druid/wall/WallSqlStatValue.java index 733f9ab52b..e1c2d534ba 100644 --- a/src/main/java/com/alibaba/druid/wall/WallSqlStatValue.java +++ b/src/main/java/com/alibaba/druid/wall/WallSqlStatValue.java @@ -38,6 +38,9 @@ public class WallSqlStatValue { @MField(aggregate = AggregateType.Sum) private long executeCount; + @MField(aggregate = AggregateType.Sum) + private long executeErrorCount; + @MField(aggregate = AggregateType.Sum) private long fetchRowCount; @@ -118,6 +121,14 @@ public void setViolationMessage(String violationMessage) { this.violationMessage = violationMessage; } + public long getExecuteErrorCount() { + return executeErrorCount; + } + + public void setExecuteErrorCount(long executeErrorCount) { + this.executeErrorCount = executeErrorCount; + } + public Map toMap() { Map sqlStatMap = new LinkedHashMap(); sqlStatMap.put("sql", sql); @@ -125,6 +136,10 @@ public Map toMap() { sqlStatMap.put("sample", sqlSample); } sqlStatMap.put("executeCount", getExecuteCount()); + + if (executeErrorCount > 0) { + sqlStatMap.put("executeErrorCount", executeErrorCount); + } if (fetchRowCount > 0) { sqlStatMap.put("fetchRowCount", fetchRowCount); diff --git a/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java b/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java index ccd83b9cc4..fae168dad9 100644 --- a/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java 
+++ b/src/main/java/com/alibaba/druid/wall/spi/WallVisitorUtils.java @@ -15,6 +15,8 @@ */ package com.alibaba.druid.wall.spi; +import static com.alibaba.druid.sql.visitor.SQLEvalVisitor.EVAL_VALUE; + import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; @@ -211,6 +213,10 @@ public static void checkSelelct(WallVisitor visitor, SQLSelectQueryBlock x) { SQLExpr where = x.getWhere(); if (where != null) { + if (queryBlockFromIsNull(visitor, x, false)) { + addViolation(visitor, ErrorCode.EmptyQueryHasCondition, "empty select has condition", x); + } + where.setParent(x); checkCondition(visitor, x.getWhere()); @@ -641,6 +647,10 @@ public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) { SQLExpr right = x.getRight(); Object leftResult = getValue(visitor, left); Object rightResult = getValue(visitor, right); + + if (x.getOperator() == SQLBinaryOperator.Like && leftResult instanceof String && leftResult.equals(rightResult)) { + addViolation(visitor, ErrorCode.DoubleConstCondition, "same const like", x); + } if (x.getOperator() == SQLBinaryOperator.Like || x.getOperator() == SQLBinaryOperator.NotLike) { WallContext context = WallContext.current(); @@ -652,8 +662,14 @@ public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) { } if (x.getOperator() == SQLBinaryOperator.BooleanAnd) { - if (Boolean.FALSE == leftResult || Boolean.FALSE == rightResult) { - return false; + if (rightResult != null && x.getLeft() instanceof SQLBinaryOpExpr) { + SQLBinaryOpExpr leftBinaryOpExpr = (SQLBinaryOpExpr) x.getLeft(); + if (leftBinaryOpExpr.getOperator() == SQLBinaryOperator.BooleanAnd) { + Object leftRightVal = getValue(leftBinaryOpExpr.getRight()); + if (leftRightVal != null) { + addViolation(visitor, ErrorCode.DoubleConstCondition, "double const condition", x); + } + } } if (leftResult == Boolean.TRUE) { 
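Review bot: The new "same const like" violation in the getValue(WallVisitor, SQLBinaryOpExpr) hunk is reported under `ErrorCode.DoubleConstCondition`, although this same diff introduces `ErrorCode.SameConstLike = 2108` for exactly this case, so the dedicated code is never emitted and a consumer of the violation list cannot tell `'Cuqo' LIKE 'Cuqo'` apart from the double-constant AND case. Change the call to `addViolation(visitor, ErrorCode.SameConstLike, "same const like", x);`. A short comment above the check — `// a LIKE whose both sides are the same literal is always true; typical tautology padding in injected conditions` — would record why a harmless-looking expression is treated as a violation. getValue's body begins before this hunk.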
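Review bot: The double-constant detection in the BooleanAnd hunk evaluates the inner operand with the visitor-less `getValue(leftBinaryOpExpr.getRight())`, while every other evaluation in this method passes the visitor; without a visitor there is no dbType, so dialect-specific expressions that only evaluate through `visitor.getDbType()` (the SQLMethodInvokeExpr path later in this file) may come back null and escape the check. Use `Object leftRightVal = getValue(visitor, leftBinaryOpExpr.getRight());`. This hunk also removes the `Boolean.FALSE` short-circuit and the following hunk re-adds it after the TRUE/TRUE test, so the order of checks has changed; a comment such as `// record the violation before any short-circuit, or a FALSE left operand would hide it` would explain that ordering to the next maintainer. The enclosing method begins before this hunk.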
@@ -680,6 +696,10 @@ public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) { if (Boolean.TRUE == leftResult && Boolean.TRUE == rightResult) { return true; } + + if (Boolean.FALSE == leftResult || Boolean.FALSE == rightResult) { + return false; + } } String dbType = null; @@ -944,6 +964,10 @@ public static Object getValue(SQLExpr x) { } public static Object getValue(WallVisitor visitor, SQLExpr x) { + if (x != null && x.getAttributes().containsKey(EVAL_VALUE)) { + return x.getAttribute(EVAL_VALUE); + } + if (x instanceof SQLBinaryOpExpr) { return getValue(visitor, (SQLBinaryOpExpr) x); } @@ -978,17 +1002,17 @@ public static Object getValue(WallVisitor visitor, SQLExpr x) { } if (x instanceof SQLMethodInvokeExpr // - || x instanceof SQLBetweenExpr // - || x instanceof SQLInListExpr // - || x instanceof SQLUnaryExpr // - ) { + || x instanceof SQLBetweenExpr // + || x instanceof SQLInListExpr // + || x instanceof SQLUnaryExpr // + ) { String dbType = null; if (visitor != null) { dbType = visitor.getDbType(); } return SQLEvalVisitorUtils.eval(dbType, x, Collections.emptyList(), false); } - + return null; } @@ -1495,6 +1519,10 @@ public static void checkUnion(WallVisitor visitor, SQLUnionQuery x) { } public static boolean queryBlockFromIsNull(WallVisitor visitor, SQLSelectQuery query) { + return queryBlockFromIsNull(visitor, query, true); + } + + public static boolean queryBlockFromIsNull(WallVisitor visitor, SQLSelectQuery query, boolean checkSelectConst) { if (query instanceof SQLSelectQueryBlock) { SQLSelectQueryBlock queryBlock = (SQLSelectQueryBlock) query; SQLTableSource from = queryBlock.getFrom(); 
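Review bot: The new early return in getValue(WallVisitor, SQLExpr) trusts any EVAL_VALUE already on the node and sits before the SQLBinaryOpExpr branch, so a binary expression whose value was cached earlier — for instance as an operand of a method call, BETWEEN, IN or unary expression that went through SQLEvalVisitorUtils.eval below, if that visitor stores EVAL_VALUE on the sub-nodes it visits — skips the double-constant and same-const-LIKE checks on its next visit. Either confirm that eval does not populate nested nodes, or keep binary expressions out of the shortcut: `if (x != null && !(x instanceof SQLBinaryOpExpr) && x.getAttributes().containsKey(EVAL_VALUE)) {`. A comment naming which visitor is expected to have set EVAL_VALUE would also help. The method continues past this hunk.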
@@ -1526,15 +1554,17 @@ public static boolean queryBlockFromIsNull(WallVisitor visitor, SQLSelectQuery q } } - boolean allIsConst = true; - for (SQLSelectItem item : queryBlock.getSelectList()) { - if (getValue(visitor, item.getExpr()) == null) { - allIsConst = false; - break; + if (checkSelectConst) { + boolean allIsConst = true; + for (SQLSelectItem item : queryBlock.getSelectList()) { + if (getValue(visitor, item.getExpr()) == null) { + allIsConst = false; + break; + } + } + if (allIsConst) { + return true; } - } - if (allIsConst) { - return true; } } diff --git a/src/main/java/com/alibaba/druid/wall/violation/ErrorCode.java b/src/main/java/com/alibaba/druid/wall/violation/ErrorCode.java index 2f16bafbe3..bbdd51a9d2 100644 --- a/src/main/java/com/alibaba/druid/wall/violation/ErrorCode.java +++ b/src/main/java/com/alibaba/druid/wall/violation/ErrorCode.java @@ -60,6 +60,9 @@ public interface ErrorCode { public final static int BITWISE = 2103; public final static int NONE_CONDITION = 2104; public final static int LIKE_NUMBER = 2105; + public final static int EmptyQueryHasCondition = 2106; + public final static int DoubleConstCondition = 2107; + public final static int SameConstLike = 2108; public final static int NOT_PARAMETERIZED = 2200; public final static int MULTI_TENANT = 2201; diff --git a/src/main/resources/META-INF/druid/wall/mysql/deny-function.txt b/src/main/resources/META-INF/druid/wall/mysql/deny-function.txt index d6cb53d346..fbe8b75ba9 100644 --- a/src/main/resources/META-INF/druid/wall/mysql/deny-function.txt +++ b/src/main/resources/META-INF/druid/wall/mysql/deny-function.txt @@ -9,4 +9,7 @@ benchmark current_user sleep extractvalue -updatexml \ No newline at end of file +updatexml +xmltype +receive_message +pg_sleep \ No newline at end of file diff --git a/src/main/resources/META-INF/druid/wall/postgres/deny-function.txt b/src/main/resources/META-INF/druid/wall/postgres/deny-function.txt index 829b333277..e2adb8acaf 100644 
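Review bot: The MySQL deny-function hunk adds `xmltype` and `receive_message`, which are Oracle functions (XMLType(), DBMS_PIPE.RECEIVE_MESSAGE) driven by the new MySqlWallTest122 payload, and `pg_sleep`, which is PostgreSQL; listing them for MySQL is harmless defence in depth, but the dialect where they actually execute is Oracle, and the Oracle deny list is not touched in this diff. Unless that list already contains them, add `xmltype` and `receive_message` there as well, and if the matcher compares the full qualified name rather than the last segment, `dbms_pipe.receive_message` is the spelling the payload uses. The ErrorCode hunk in the same line also introduces `SameConstLike = 2108`, which nothing in this diff references yet.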
--- a/src/main/resources/META-INF/druid/wall/postgres/deny-function.txt +++ b/src/main/resources/META-INF/druid/wall/postgres/deny-function.txt @@ -17,4 +17,5 @@ pg_postmaster_start_time pg_trigger_depth session_user user -version \ No newline at end of file +version +pg_sleep \ No newline at end of file diff --git a/src/main/resources/support/http/resources/wall.html b/src/main/resources/support/http/resources/wall.html index f4840d16f8..8bc76cb505 100644 --- a/src/main/resources/support/http/resources/wall.html +++ b/src/main/resources/support/http/resources/wall.html @@ -132,6 +132,7 @@
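Review bot: The PostgreSQL deny-function hunk adds `pg_sleep` but not its siblings `pg_sleep_for` and `pg_sleep_until`, which give an attacker the same time-based blind-injection oracle (`SELECT pg_sleep_for('5 seconds')`). Unless the matcher does prefix matching, which is not visible here, add both names directly after `pg_sleep`. Ending the file with a newline would also stop the "No newline at end of file" churn on every future addition.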

SQL Stat - White List

SQL Sample ExecuteCount + ExecuteErrorCount FetchRowCount UpdateCount @@ -147,6 +148,7 @@

SQL Stat - Black List

TableNumber SQL Sample + violationMessage ExecuteCount FetchRowCount UpdateCount @@ -250,7 +252,7 @@

SQL Stat - Black List

var white = whiteList[i]; html += ""; html += ""+ (i+1) +""; - html += "" + white.sql + ""; + html += '' + white.sql + ""; if (white.sample === undefined) { html += ""; @@ -258,12 +260,18 @@

SQL Stat - Black List

html += '' + white.sample + ""; } - + if (white.executeCount === undefined) { html += ""; } else { html += "" + white.executeCount + ""; } + + if (white.executeErrorCount === undefined) { + html += ""; + } else { + html += "" + white.executeErrorCount + ""; + } if (white.fetchRowCount === undefined) { html += ""; @@ -288,7 +296,7 @@

SQL Stat - Black List

var black = blackList[i]; html += ""; html += ""+ (i+1) +""; - html += "" + black.sql + ""; + html += '' + black.sql + ""; if (black.sample === undefined) { html += ""; @@ -296,6 +304,12 @@

SQL Stat - Black List

html += '' + black.sample + ""; } + + if (black.violationMessage === undefined) { + html += ""; + } else { + html += "" + black.violationMessage + ""; + } if (black.executeCount === undefined) { html += ""; diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest119.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest119.java new file mode 100644 index 0000000000..eeda029630 --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest119.java @@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest119 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin' AND 5376=3420 AND 'XSDD'='XSDD'"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest120.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest120.java new file mode 100644 index 0000000000..e017161e09 --- /dev/null 
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest120.java @@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest120 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin%' AND SLEEP(5) AND '%'=''"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest121.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest121.java new file mode 100644 index 0000000000..a04c63235b --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest121.java 
@@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest121 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin%' AND (SELECT 6384 FROM(SELECT COUNT(*),CONCAT(0x3a64686c3a,(SELECT (CASE WHEN (3252 = 3252) THEN 1 ELSE 0 END)),0x3a766f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'=''"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest122.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest122.java new file mode 100644 index 0000000000..89f376d439 --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest122.java 
@@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest122 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin%' AND 4667=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(115)||CHR(114)||CHR(110)||CHR(58)||(SELECT (CASE WHEN (4667=4667) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(106)||CHR(112)||CHR(122)||CHR(58)||CHR(62))) FROM DUAL) AND '%'=''"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest123.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest123.java new file mode 100644 index 0000000000..7634654859 --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest123.java 
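Review bot: MySqlWallTest122 feeds an Oracle payload (`XMLType(CHR(...))`, `FROM DUAL`) through MySqlWallProvider, so it proves the MySQL list rejects a name that MySQL would never execute while saying nothing about the provider for the dialect the payload targets. Add the same assertion against the Oracle provider (and its deny list) if one exists, and, as with the other new tests, assert which violation fired rather than only `assertFalse(provider.checkValid(sql))`, since `'%'=''` alone is a constant condition that may trip an earlier rule.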
@@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest123 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin'||(SELECT 'tLrl' FROM DUAL WHERE 3240=3240 AND 5014=3795 )||''"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest124.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest124.java new file mode 100644 index 0000000000..b68ff89433 --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest124.java 
@@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest124 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin' AND 5859=5666 AND 'Cuqo' LIKE 'Cuqo'"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest125.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest125.java new file mode 100644 index 0000000000..17c3758518 --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest125.java 
@@ -0,0 +1,36 @@ +/* + * Copyright 1999-2011 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.alibaba.druid.bvt.filter.wall; + +import junit.framework.TestCase; + +import org.junit.Assert; + +import com.alibaba.druid.wall.WallProvider; +import com.alibaba.druid.wall.spi.MySqlWallProvider; + +public class MySqlWallTest125 extends TestCase { + + public void test_false() throws Exception { + WallProvider provider = new MySqlWallProvider(); + provider.getConfig().setCommentAllow(false); + + String sql = "SELECT name, '******' password, createTime from user where name like 'admin' AND 5963=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (5963=5963) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(117)+CHAR(107)+CHAR(114)+CHAR(58))) AND 'bSho' LIKE 'bSho'"; + + Assert.assertFalse(provider.checkValid(sql)); + } + +} diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest126.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest126.java new file mode 100644 index 0000000000..c8a4859153 --- /dev/null +++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/MySqlWallTest126.java 
@@ -0,0 +1,36 @@
+/*
+ * Copyright 1999-2011 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.druid.bvt.filter.wall;
+
+import junit.framework.TestCase;
+
+import org.junit.Assert;
+
+import com.alibaba.druid.wall.WallProvider;
+import com.alibaba.druid.wall.spi.MySqlWallProvider;
+
+public class MySqlWallTest126 extends TestCase {
+
+ public void test_false() throws Exception {
+ WallProvider provider = new MySqlWallProvider();
+ provider.getConfig().setCommentAllow(false);
+
+ String sql = "SELECT name, '******' password, createTime from user where name like 'admin'+(SELECT 'NtTK' WHERE 8000=8000 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#'";
+
+ Assert.assertFalse(provider.checkValid(sql));
+ }
+
+}
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/SQLServerWallTest_0.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/SQLServerWallTest_0.java
index bebf81a380..71456fc4e2 100644
--- a/src/test/java/com/alibaba/druid/bvt/filter/wall/SQLServerWallTest_0.java
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/SQLServerWallTest_0.java
@@ -118,7 +118,11 @@ public void test_true3() throws Exception {
 public void test_true4() throws Exception {
 WallProvider provider = initWallProvider();
 {
- String sql = "SELECT tableid, chnname FROM r_temptable INNER JOIN sys_func_pwr ss ON r_temptable.tableid = ss.mainid INNER JOIN sys_func_pwr sys ON ss.parentid = sys.funcid WHERE (ismaintable = 1) and 1=1 and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 550) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 551) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 391) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 552) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 393) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 396) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 4628) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 4836) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 394) AND (functype = 8) AND (Closed = 0))) and ss.funcid <> 4298 and ss.funcid <> 7441 AND (ss.funcid IN (SELECT DISTINCT funcid FROM sys_func_pwr WHERE (functype = 8) AND (Closed = 0) )) ORDER BY sys.sortflag ,ss.sortflag ";
+ String sql = "SELECT tableid, chnname "//
+ + "FROM r_temptable "//
+ + "INNER JOIN sys_func_pwr ss ON r_temptable.tableid = ss.mainid "//
+ + "INNER JOIN sys_func_pwr sys ON ss.parentid = sys.funcid " //
+ + "WHERE (ismaintable = 1) and 1=1 and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 550) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 551) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 391) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 552) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 393) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 396) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 4628) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 4836) AND (functype = 8) AND (Closed = 0))) and (r_temptable.tableid NOT IN (SELECT DISTINCT mainid FROM sys_func_pwr WHERE (parentid = 394) AND (functype = 8) AND (Closed = 0))) and ss.funcid <> 4298 and ss.funcid <> 7441 AND (ss.funcid IN (SELECT DISTINCT funcid FROM sys_func_pwr WHERE (functype = 8) AND (Closed = 0) )) ORDER BY sys.sortflag ,ss.sortflag ";
 Assert.assertTrue(provider.checkValid(sql));
 }
 }
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest.java
index 429254249b..afe9c560e2 100644
--- a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest.java
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest.java
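Review bot: The new concatenation splits only the SELECT, FROM and JOIN clauses; the fifth segment starting `+ "WHERE (ismaintable = 1) and 1=1 and ...` is still a single line of well over a thousand characters, so the reformat does not yet make the predicate list readable. Continue the split at each `and (r_temptable.tableid NOT IN (...))` clause, keeping the trailing `//` on every segment (which presumably is what stops the formatter from rejoining the lines). A one-line comment on why this case must stay valid would also help, e.g. `// legitimate query that happens to contain 'and 1=1' among real predicates: must be accepted`.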
@@ -27,7 +27,7 @@
 *
 */
 public class WallSelectWhereTest extends TestCase {
- private String sql = "SELECT F1, F2 WHERE 1 = 1";
+ private String sql = "SELECT F1, F2 from t WHERE 1 = 1";
 public void testMySql() throws Exception {
 Assert.assertTrue(WallUtils.isValidateMySql(sql));
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest0.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest0.java
index 1b2ef8290a..cd21ea8523 100644
--- a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest0.java
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest0.java
@@ -27,7 +27,7 @@
 *
 */
 public class WallSelectWhereTest0 extends TestCase {
- private String sql = "SELECT F1, F2 WHERE 1 = 1 OR F1 = ?";
+ private String sql = "SELECT F1, F2 from t WHERE 1 = 1 OR F1 = ?";
 public void testMySql() throws Exception {
 Assert.assertTrue(WallUtils.isValidateMySql(sql));
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest1.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest1.java
index 1cb1491442..81ce62924b 100644
--- a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest1.java
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest1.java
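Review bot: The changed field `private String sql = "SELECT F1, F2 from t WHERE 1 = 1";` is a fixture that is never reassigned, so it should be declared `private static final String SQL = "SELECT F1, F2 from t WHERE 1 = 1";`; the WallSelectWhereTest0 hunk on this line and the WallSelectWhereTest2 hunk below carry the same declaration. A short comment on why a bare `1 = 1` is expected to pass here would also help readers who compare it with WallSelectWhereTest1, e.g. `// a leading constant-true predicate is accepted; WallSelectWhereTest1 covers the rejected trailing 'OR 1 = 1' form`.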
@@ -29,18 +29,18 @@ public class WallSelectWhereTest1 extends TestCase {
 public void testMySql_true() throws Exception {
- Assert.assertTrue(WallUtils.isValidateMySql("SELECT F1, F2 WHERE 1 = 1 OR FID = ?"));
+ Assert.assertTrue(WallUtils.isValidateMySql("SELECT F1, F2 from t WHERE 1 = 1 OR FID = ?"));
 }
 public void testORACLE_true() throws Exception {
- Assert.assertTrue(WallUtils.isValidateOracle("SELECT F1, F2 WHERE 1 = 1 OR FID = ?"));
+ Assert.assertTrue(WallUtils.isValidateOracle("SELECT F1, F2 from t WHERE 1 = 1 OR FID = ?"));
 }
 public void testMySql_false() throws Exception {
- Assert.assertFalse(WallUtils.isValidateMySql("SELECT F1, F2 WHERE FID = ? OR 1 = 1"));
+ Assert.assertFalse(WallUtils.isValidateMySql("SELECT F1, F2 from t WHERE FID = ? OR 1 = 1"));
 }
 public void testORACLE_false() throws Exception {
- Assert.assertFalse(WallUtils.isValidateOracle("SELECT F1, F2 WHERE FID = ? OR 1 = 1"));
+ Assert.assertFalse(WallUtils.isValidateOracle("SELECT F1, F2 from t WHERE FID = ? OR 1 = 1"));
 }
 }
diff --git a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest2.java b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest2.java
index 0948e63cbe..84d6ddbc4e 100644
--- a/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest2.java
+++ b/src/test/java/com/alibaba/druid/bvt/filter/wall/WallSelectWhereTest2.java
@@ -27,7 +27,7 @@
 *
 */
 public class WallSelectWhereTest2 extends TestCase {
- private String sql = "SELECT F1, F2 WHERE 1 = 1 AND FID = ?";
+ private String sql = "SELECT F1, F2 from t WHERE 1 = 1 AND FID = ?";
 public void testMySql() throws Exception {
 Assert.assertTrue(WallUtils.isValidateMySql(sql));
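Review bot: In WallSelectWhereTest1 the accepted literal and the rejected literal are each typed twice (MySQL and Oracle variants), which is why this change had to touch all four assertions and why they can silently drift apart in future edits. Hoist them into two constants, `private static final String LEADING_CONSTANT_TRUE = "SELECT F1, F2 from t WHERE 1 = 1 OR FID = ?";` and `private static final String TRAILING_CONSTANT_TRUE = "SELECT F1, F2 from t WHERE FID = ? OR 1 = 1";`, and reference them from both dialect tests so the accepted/rejected pair is defined once.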