Skip to content

F
fgqyxxlr
Commit 8a37d2ae by RuoYi
Options

检查字符,防止注入绕过

parent 9c50dd8c
Showing with 21 additions and 12 deletions
ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
package com.ruoyi.common.page; package com.ruoyi.common.page;
import com.ruoyi.common.utils.StringUtils; import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.sql.SqlUtil;
/** /**
* 分页数据 * 分页数据
...@@ -12,14 +11,11 @@ public class PageDomain ...@@ -12,14 +11,11 @@ public class PageDomain
{ {
/** 当前记录起始索引 */ /** 当前记录起始索引 */
private Integer pageNum; private Integer pageNum;
/** 每页显示记录数 */ /** 每页显示记录数 */
private Integer pageSize; private Integer pageSize;
/** 排序列 */ /** 排序列 */
private String orderByColumn; private String orderByColumn;
/** 排序的方向 "desc" 或者 "asc". */ /** 排序的方向 "desc" 或者 "asc". */
private String isAsc; private String isAsc;
public String getOrderBy() public String getOrderBy()
...@@ -58,7 +54,7 @@ public class PageDomain ...@@ -58,7 +54,7 @@ public class PageDomain
public void setOrderByColumn(String orderByColumn) public void setOrderByColumn(String orderByColumn)
{ {
this.orderByColumn = SqlUtil.escapeSql(orderByColumn); this.orderByColumn = orderByColumn;
} }
public String getIsAsc() public String getIsAsc()
...@@ -68,6 +64,6 @@ public class PageDomain ...@@ -68,6 +64,6 @@ public class PageDomain
public void setIsAsc(String isAsc) public void setIsAsc(String isAsc)
{ {
this.isAsc = SqlUtil.escapeSql(isAsc); this.isAsc = isAsc;
} }
} }
ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
...@@ -10,15 +10,27 @@ import com.ruoyi.common.utils.StringUtils; ...@@ -10,15 +10,27 @@ import com.ruoyi.common.utils.StringUtils;
public class SqlUtil public class SqlUtil
{ {
/** /**
* 防止sql注入 替换危险字符 * 仅支持字母、数字、下划线、空格、逗号(支持多个字段排序)
*/ */
public static String escapeSql(String value) public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,]+";
/**
* 检查字符,防止注入绕过
*/
public static String escapeOrderBySql(String value)
{ {
if (StringUtils.isNotEmpty(value)) if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
{ {
value = value.replaceAll("\\(", ""); return StringUtils.EMPTY;
value = value.replaceAll("\\)", "");
} }
return value; return value;
} }
/**
* 验证 order by 语法是否符合规范
*/
public static boolean isValidOrderBySql(String value)
{
return value.matches(SQL_PATTERN);
}
} }
ruoyi-framework/src/main/java/com/ruoyi/framework/web/base/BaseController.java
...@@ -13,6 +13,7 @@ import com.ruoyi.common.page.TableDataInfo; ...@@ -13,6 +13,7 @@ import com.ruoyi.common.page.TableDataInfo;
import com.ruoyi.common.page.TableSupport; import com.ruoyi.common.page.TableSupport;
import com.ruoyi.common.utils.DateUtils; import com.ruoyi.common.utils.DateUtils;
import com.ruoyi.common.utils.StringUtils; import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.sql.SqlUtil;
import com.ruoyi.framework.util.ShiroUtils; import com.ruoyi.framework.util.ShiroUtils;
import com.ruoyi.system.domain.SysUser; import com.ruoyi.system.domain.SysUser;
...@@ -50,7 +51,7 @@ public class BaseController ...@@ -50,7 +51,7 @@ public class BaseController
Integer pageSize = pageDomain.getPageSize(); Integer pageSize = pageDomain.getPageSize();
if (StringUtils.isNotNull(pageNum) && StringUtils.isNotNull(pageSize)) if (StringUtils.isNotNull(pageNum) && StringUtils.isNotNull(pageSize))
{ {
String orderBy = pageDomain.getOrderBy(); String orderBy = SqlUtil.escapeOrderBySql(pageDomain.getOrderBy());
PageHelper.startPage(pageNum, pageSize, orderBy); PageHelper.startPage(pageNum, pageSize, orderBy);
} }
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment