pengjunjie/JeecgBoot
1
0
Fork 1
mirror of https://github.com/jeecgboot/JeecgBoot.git synced 2026-01-03 20:35:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

严重安全漏洞修复

Browse Source 
1.SQL注入检测存在绕过风险
2./upload接口存在任意文件上传漏洞
This commit is contained in:
zhangdaiscott
2022-02-26 22:46:52 +08:00
parent 912369181d
commit 6f3f2b90c8
3 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
View File

@ -3,7 +3,9 @@ package org.jeecg.common.util;
import cn.hutool.crypto.SecureUtil;
import lombok.extern.slf4j.Slf4j;
import org.jeecg.common.exception.JeecgBootException;
import javax.servlet.http.HttpServletRequest;
import java.util.regex.Pattern;
/**
* sql注入处理工具类
@ -51,6 +53,9 @@ public class SqlInjectionUtil {
}
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
String[] xssArr = xssStr.split("\\|");
for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1) {
@ -59,6 +64,9 @@ public class SqlInjectionUtil {
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
}
if(Pattern.matches("show\\s+tables", value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
return;
}
@ -76,6 +84,9 @@ public class SqlInjectionUtil {
}
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
@ -83,6 +94,9 @@ public class SqlInjectionUtil {
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
}
if(Pattern.matches("show\\s+tables", value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
}
return;
}
@ -101,6 +115,9 @@ public class SqlInjectionUtil {
}
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
@ -108,6 +125,9 @@ public class SqlInjectionUtil {
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
}
if(Pattern.matches("show\\s+tables", value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
return;
}
@ -126,6 +146,9 @@ public class SqlInjectionUtil {
}
// 统一转为小写
value = value.toLowerCase();
//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
value = value.replaceAll("/\\*.*\\*/","");
for (int i = 0; i < xssArr.length; i++) {
if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
log.error("请注意存在SQL注入关键词---> {}", xssArr[i]);
@ -133,6 +156,10 @@ public class SqlInjectionUtil {
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
}
if(Pattern.matches("show\\s+tables", value)){
throw new RuntimeException("请注意值可能存在SQL注入风险!--->" + value);
}
return;
}