From 554a524af2d2b30d09505516adc412468a84d8fa Mon Sep 17 00:00:00 2001 From: abel533 Date: Tue, 14 Jun 2022 22:56:47 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A4=84=E7=90=86=20CVE-2022-28111=EF=BC=8Cfix?= =?UTF-8?q?ed=20#674?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .travis.yml | 13 ------- pom.xml | 8 ++--- src/main/java/com/github/pagehelper/Page.java | 34 ++++++++++++++---- .../github/pagehelper/util/SqlSafeUtil.java | 36 +++++++++++++++++++ 4 files changed, 68 insertions(+), 23 deletions(-) delete mode 100644 .travis.yml create mode 100644 src/main/java/com/github/pagehelper/util/SqlSafeUtil.java diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 66e9f40a..00000000 --- a/.travis.yml +++ /dev/null @@ -1,13 +0,0 @@ -language: java - -sudo: false - -dist: precise - -jdk: - - oraclejdk8 - -cache: - directories: - - .autoconf - - $HOME/.m2 \ No newline at end of file diff --git a/pom.xml b/pom.xml index c6b0e321..9fbaea7d 100644 --- a/pom.xml +++ b/pom.xml @@ -70,7 +70,7 @@ org.mybatis mybatis - 3.5.7 + 3.5.9 compile true @@ -81,7 +81,7 @@ com.google.guava guava - 19.0 + 31.1-jre compile true @@ -97,14 +97,14 @@ com.alibaba druid - 1.2.8 + 1.2.9 compile true org.apache.tomcat tomcat-jdbc - 9.0.53 + 10.0.20 compile true diff --git a/src/main/java/com/github/pagehelper/Page.java b/src/main/java/com/github/pagehelper/Page.java index b189bcea..c70599bf 100644 --- a/src/main/java/com/github/pagehelper/Page.java +++ b/src/main/java/com/github/pagehelper/Page.java @@ -24,6 +24,8 @@ package com.github.pagehelper; +import com.github.pagehelper.util.SqlSafeUtil; + import java.io.Closeable; import java.util.ArrayList; import java.util.List; 
@@ -73,28 +75,28 @@ public class Page extends ArrayList implements Closeable { /** * 当设置为true的时候,如果pagesize设置为0(或RowBounds的limit=0),就不执行分页,返回全部结果 */ - private Boolean pageSizeZero; + private Boolean pageSizeZero; /** * 进行count查询的列名 */ - private String countColumn; + private String countColumn; /** * 排序 */ - private String orderBy; + private String orderBy; /** * 只增加排序 */ - private boolean orderByOnly; + private boolean orderByOnly; /** * sql拦截处理 */ - private BoundSqlInterceptor boundSqlInterceptor; + private BoundSqlInterceptor boundSqlInterceptor; private transient BoundSqlInterceptor.Chain chain; /** * 分页实现类,可以使用 {@link com.github.pagehelper.page.PageAutoDialect} 类中注册的别名,例如 "mysql", "oracle" */ - private String dialectClass; + private String dialectClass; public Page() { super(); @@ -247,7 +249,27 @@ public String getOrderBy() { return orderBy; } + /** + * 设置排序字段,增加 SQL 注入校验,如果需要在 order by 使用函数,可以使用 {@link #setUnsafeOrderBy(String)} 方法 + * + * @param orderBy 排序字段 + */ public Page setOrderBy(String orderBy) { + if (SqlSafeUtil.check(orderBy)) { + throw new PageException("order by [" + orderBy + "] 存在 SQL 注入风险, 如想避免 SQL 注入校验,可以调用 Page.setUnsafeOrderBy"); + } + this.orderBy = orderBy; + return (Page) this; + } + + /** + * 不安全的设置排序方法,如果从前端接收参数,请自行做好注入校验。 + *

+ * 请不要故意使用该方法注入然后提交漏洞!!! + * + * @param orderBy 排序字段 + */ + public Page setUnsafeOrderBy(String orderBy) { this.orderBy = orderBy; return (Page) this; } diff --git a/src/main/java/com/github/pagehelper/util/SqlSafeUtil.java b/src/main/java/com/github/pagehelper/util/SqlSafeUtil.java new file mode 100644 index 00000000..4384da00 --- /dev/null +++ b/src/main/java/com/github/pagehelper/util/SqlSafeUtil.java @@ -0,0 +1,36 @@ +package com.github.pagehelper.util; + +import java.util.regex.Pattern; + +/** + * 更严格的SQL注入检测 + */ +public class SqlSafeUtil { + /** + * SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配 + *
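Review bot: `setOrderBy` now guards the fragment with a deny-list (`SqlSafeUtil.check`), and a deny-list over free text that is concatenated into the statement can only ever be best-effort; for an ORDER BY value received from a client the durable fix is an allow-list, i.e. validating `orderBy` against the entity's known column names or, at minimum, a strict per-term shape such as `^[A-Za-z_][A-Za-z0-9_.]*(\\s+(asc|desc))?$` (constructed, case-insensitive) applied to each comma-separated term. The `PageException` message echoes the rejected value verbatim; if that message can reach an HTTP error body it hands the rejected probe back to the sender, so consider logging the value and throwing a generic message instead. The check lives only in this setter: if `Page` has other paths that assign `orderBy` (a constructor overload, or a static helper that writes the field directly) they are not covered by this commit — not visible here. The enclosing `Page` class continues outside the hunk.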

+ * 参考: mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtils.java + */ + private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" + + ".+(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)", Pattern.CASE_INSENSITIVE); + /** + * 使用'、;或注释截断SQL检查正则 + *

+ * 参考: mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtils.java + */ + private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/*|;)", Pattern.CASE_INSENSITIVE); + + /** + * 检查参数是否存在 SQL 注入 + * + * @param value 检查参数 + * @return true 非法 false 合法 + */ + public static boolean check(String value) { + if (value == null) { + return false; + } + // 不允许使用任何函数(不能出现括号),否则无法检测后面这个注入 order by id,if(1=2,1,(sleep(100))); + return value.contains("(") || SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find(); + } +}
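Review bot: `/*` in `SQL_COMMENT_PATTERN` is not a literal comment opener — `*` is the quantifier, so `/*` matches the empty string and the alternation `(or|union|--|#|/*|;)` succeeds at every position, making the whole pattern equivalent to `'.*` (any value containing a single quote is flagged, which is stricter than the Javadoc describes); escape it as `/\\*` if a literal `/*` is intended. Both patterns are compiled without `Pattern.DOTALL`, and `.`/`.+` do not match line terminators, so two keywords separated by a line break are never paired; pass `Pattern.CASE_INSENSITIVE | Pattern.DOTALL` to both `Pattern.compile` calls (or use `[\\s\\S]+` in place of `.+`). `SQL_SYNTAX_PATTERN` has no word boundaries, so ordinary identifiers that happen to embed a keyword pair are rejected (a column named `offset_position` contains `set`…`on`); wrapping each keyword group in `\\b…\\b` removes those false positives without weakening the match. `SqlSafeUtil` is a stateless utility and should get a `private SqlSafeUtil() {}` constructor, and the `check` Javadoc should state that the test is deliberately conservative (any `(` is rejected, as the inline comment explains) rather than exhaustive, so callers know an allow-list is still the primary control.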