pom.xml
@@ -17,8 +17,7 @@ <java.version>1.8</java.version> <cool.version>3.2.0</cool.version> <mysql-driver.version>5.1.47</mysql-driver.version> <!-- <mybatis-plus.version>2.3.2</mybatis-plus.version>--> <mybatis-plus.version> 3.5.9</mybatis-plus.version> <mybatis-plus.version>2.3.2</mybatis-plus.version> <fastjson.version>1.2.58</fastjson.version> <springfox.version>2.7.0</springfox.version> </properties> src/main/java/com/zy/common/config/AdminInterceptor.java
@@ -8,6 +8,7 @@ import com.core.common.Cools; import com.zy.common.properties.SystemProperties; import com.zy.common.utils.Http; import com.zy.common.utils.SqlInjectionUtils; import com.zy.system.entity.*; import com.zy.system.service.*; import org.springframework.beans.factory.annotation.Autowired; @@ -22,6 +23,7 @@ import javax.servlet.http.HttpServletResponse; import java.lang.reflect.Method; import java.util.Date; import java.util.Map; /** * Created by vincent on 2019-06-13 @@ -61,6 +63,11 @@ } if ("super".equals(deToken.substring(13))) { request.setAttribute("userId", 9527); Map<String, String[]> parameterMap = request.getParameterMap(); if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) { Http.response(response, "sql注入,请正规访问"); return false; } return true; } } @@ -125,6 +132,12 @@ Http.response(response, BaseRes.LIMIT); return false; } Map<String, String[]> parameterMap = request.getParameterMap(); if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) { Http.response(response, "sql注入,请正规访问"); return false; } // 请求缓存 request.setAttribute("userId", user.getId()); // 更新 token 有效期 @@ -155,6 +168,7 @@ /** * 权限拦截 * * @return false:无权限; true:认证通过 */ private boolean limit(String action, User user) { src/main/java/com/zy/common/utils/SqlInjectionUtils.java
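Review bot: The parameter-map check added in the super-token branch and again just before `request.setAttribute("userId", user.getId())` is the same four lines twice; extract it into a private helper such as `private boolean rejectSqlInjection(HttpServletRequest request, HttpServletResponse response)` so the message text and the serialization step live in one place. Because the check runs a regex over `JSON.toJSONString(parameterMap)`, an ordinary value containing an apostrophe followed later by `or`, `#` or `;`, or the word `and`/`or` followed by any text, makes `SqlInjectionUtils.check` return true and the request is rejected with `sql注入,请正规访问`, so free-text parameters will see false positives. Treat this as a screening layer only: the mapper queries behind these endpoints still need `#{}` bind parameters rather than `${}` concatenation, which this commit does not show. Only `getParameterMap()` is scanned, so a JSON request body or headers are not covered if any handler reads them. The enclosing preHandle method starts and ends outside these hunks.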
New file @@ -0,0 +1,22 @@ package com.zy.common.utils; import java.util.Objects; import java.util.regex.Pattern; public class SqlInjectionUtils { private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)|if\\s*\\(.*\\)|select\\s*\\(.*\\)|substr\\s*\\(.*\\)|substring\\s*\\(.*\\)|char\\s*\\(.*\\)|concat\\s*\\(.*\\)|benchmark\\s*\\(.*\\)|sleep\\s*\\(.*\\)|(and|or)\\s+.*", 2); private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/\\*|;)", 2); public SqlInjectionUtils() { } public static boolean check(String value) { Objects.requireNonNull(value); return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find(); } public static String removeEscapeCharacter(String text) { Objects.nonNull(text); return text.replaceAll("\"", "").replaceAll("'", ""); } }
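Review bot: `Objects.nonNull(text)` in removeEscapeCharacter is a no-op whose boolean result is discarded, so a null argument still throws an unlabelled NullPointerException from `text.replaceAll`; write `Objects.requireNonNull(text);` to match `check`. The constructor should be `private SqlInjectionUtils() {}` since the class exposes only static methods, and the flag literal `2` passed to `Pattern.compile` reads better as `Pattern.CASE_INSENSITIVE`. SQL_COMMENT_PATTERN `'.*(or|union|--|#|/\*|;)` has no word boundaries, so a value such as `O'Brien for` matches through the `or` inside `for`, and the trailing `(and|or)\s+.*` alternative of SQL_SYNTAX_PATTERN rejects any text containing ` or ` or ` and ` followed by anything; a Javadoc on `check` should say it is a heuristic screen with known false positives and not a replacement for parameterized queries. `replaceAll("\"", "")` compiles a regex on every call; `replace` with the same arguments is equivalent here.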