Merge remote-tracking branch 'origin/tzhneasrs' into tzhneasrs

pjb

2024-10-28 a041b056be31d3fe2fb045b1785dd0870f759744

Merge remote-tracking branch 'origin/tzhneasrs' into tzhneasrs

 src/main/java/com/zy/common/config/AdminInterceptor.java

@@ -8,6 +8,7 @@
import com.core.common.Cools;
import com.zy.common.properties.SystemProperties;
import com.zy.common.utils.Http;
import com.zy.common.utils.SqlInjectionUtils;
import com.zy.system.entity.*;
import com.zy.system.service.*;
import org.springframework.beans.factory.annotation.Autowired;
@@ -22,6 +23,7 @@
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Method;
import java.util.Date;
import java.util.Map;

/**
 * Created by vincent on 2019-06-13
@@ -61,6 +63,11 @@
                }
                if ("super".equals(deToken.substring(13))) {
                    request.setAttribute("userId", 9527);
                    Map<String, String[]> parameterMap = request.getParameterMap();
                    if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
                        Http.response(response, "sql注入，请正规访问");
                        return false;
                    }
                    return true;
                }
            }
@@ -125,6 +132,12 @@
                Http.response(response, BaseRes.LIMIT);
                return false;
            }
            Map<String, String[]> parameterMap = request.getParameterMap();
            if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
                Http.response(response, "sql注入，请正规访问");
                return false;
            }

            // 请求缓存
            request.setAttribute("userId", user.getId());
            // 更新 token 有效期
@@ -155,6 +168,7 @@

    /**
     * 权限拦截
     *
     * @return false:无权限;   true:认证通过
     */
    private boolean limit(String action, User user) {

 src/main/java/com/zy/common/utils/SqlInjectionUtils.java

New file
@@ -0,0 +1,22 @@
package com.zy.common.utils;

import java.util.Objects;
import java.util.regex.Pattern;

public class SqlInjectionUtils {
    private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)|if\\s*\\(.*\\)|select\\s*\\(.*\\)|substr\\s*\\(.*\\)|substring\\s*\\(.*\\)|char\\s*\\(.*\\)|concat\\s*\\(.*\\)|benchmark\\s*\\(.*\\)|sleep\\s*\\(.*\\)|(and|or)\\s+.*", 2);
    private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/\\*|;)", 2);

    public SqlInjectionUtils() {
    }

    public static boolean check(String value) {
        Objects.requireNonNull(value);
        return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
    }

    public static String removeEscapeCharacter(String text) {
        Objects.nonNull(text);
        return text.replaceAll("\"", "").replaceAll("'", "");
    }
}