处理 CVE-2022-28111，fixed #674

pagehelper · Jun 14, 2022 · 554a524 · 554a524
1 parent e2a67fc
commit 554a524
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 23 deletions.
diff --git a/.travis.yml b/.travis.yml
diff --git a/pom.xml b/pom.xml
@@ -70,7 +70,7 @@
         <dependency>
             <groupId>org.mybatis</groupId>
             <artifactId>mybatis</artifactId>
-            <version>3.5.7</version>
+            <version>3.5.9</version>
             <scope>compile</scope>
             <optional>true</optional>
         </dependency>
@@ -81,7 +81,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>19.0</version>
+            <version>31.1-jre</version>
             <scope>compile</scope>
             <optional>true</optional>
         </dependency>
@@ -97,14 +97,14 @@
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>druid</artifactId>
-            <version>1.2.8</version>
+            <version>1.2.9</version>
             <scope>compile</scope>
             <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>org.apache.tomcat</groupId>
             <artifactId>tomcat-jdbc</artifactId>
-            <version>9.0.53</version>
+            <version>10.0.20</version>
             <scope>compile</scope>
             <optional>true</optional>
         </dependency>

diff --git a/src/main/java/com/github/pagehelper/Page.java b/src/main/java/com/github/pagehelper/Page.java
@@ -24,6 +24,8 @@
 
 package com.github.pagehelper;
 
+import com.github.pagehelper.util.SqlSafeUtil;
+
 import java.io.Closeable;
 import java.util.ArrayList;
 import java.util.List;
@@ -73,28 +75,28 @@ public class Page<E> extends ArrayList<E> implements Closeable {
     /**
      * 当设置为true的时候，如果pagesize设置为0（或RowBounds的limit=0），就不执行分页，返回全部结果
      */
-    private           Boolean                   pageSizeZero;
+    private Boolean pageSizeZero;
     /**
      * 进行count查询的列名
      */
-    private           String                    countColumn;
+    private String countColumn;
     /**
      * 排序
      */
-    private           String                    orderBy;
+    private String orderBy;
     /**
      * 只增加排序
      */
-    private           boolean                   orderByOnly;
+    private boolean orderByOnly;
     /**
      * sql拦截处理
      */
-    private           BoundSqlInterceptor       boundSqlInterceptor;
+    private BoundSqlInterceptor boundSqlInterceptor;
     private transient BoundSqlInterceptor.Chain chain;
     /**
      * 分页实现类，可以使用 {@link com.github.pagehelper.page.PageAutoDialect} 类中注册的别名，例如 "mysql", "oracle"
      */
-    private           String                    dialectClass;
+    private String dialectClass;
 
     public Page() {
         super();
@@ -247,7 +249,27 @@ public String getOrderBy() {
         return orderBy;
     }
 
+    /**
+     * 设置排序字段，增加 SQL 注入校验，如果需要在 order by 使用函数，可以使用 {@link #setUnsafeOrderBy(String)} 方法
+     *
+     * @param orderBy 排序字段
+     */
     public <E> Page<E> setOrderBy(String orderBy) {
+        if (SqlSafeUtil.check(orderBy)) {
+            throw new PageException("order by [" + orderBy + "] 存在 SQL 注入风险, 如想避免 SQL 注入校验，可以调用 Page.setUnsafeOrderBy");
+        }
+        this.orderBy = orderBy;
+        return (Page<E>) this;
+    }
+
+    /**
+     * 不安全的设置排序方法，如果从前端接收参数，请自行做好注入校验。
+     * <p>
+     * 请不要故意使用该方法注入然后提交漏洞!!!
+     *
+     * @param orderBy 排序字段
+     */
+    public <E> Page<E> setUnsafeOrderBy(String orderBy) {
         this.orderBy = orderBy;
         return (Page<E>) this;
     }

diff --git a/src/main/java/com/github/pagehelper/util/SqlSafeUtil.java b/src/main/java/com/github/pagehelper/util/SqlSafeUtil.java
@@ -0,0 +1,36 @@
+package com.github.pagehelper.util;
+
+import java.util.regex.Pattern;
+
+/**
+ * 更严格的SQL注入检测
+ */
+public class SqlSafeUtil {
+    /**
+     * SQL语法检查正则：符合两个关键字（有先后顺序）才算匹配
+     * <p>
+     * 参考: mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtils.java
+     */
+    private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" +
+            ".+(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)", Pattern.CASE_INSENSITIVE);
+    /**
+     * 使用'、;或注释截断SQL检查正则
+     * <p>
+     * 参考: mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtils.java
+     */
+    private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/*|;)", Pattern.CASE_INSENSITIVE);
+
+    /**
+     * 检查参数是否存在 SQL 注入
+     *
+     * @param value 检查参数
+     * @return true 非法 false 合法
+     */
+    public static boolean check(String value) {
+        if (value == null) {
+            return false;
+        }
+        // 不允许使用任何函数（不能出现括号），否则无法检测后面这个注入 order by id,if(1=2,1,(sleep(100)));
+        return value.contains("(") || SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
+    }
+}