diff --git a/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java
new file mode 100644
index 00000000..81e3f766
--- /dev/null
+++ b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java
@@ -0,0 +1,23 @@
+package io.sc.platform.jdbc.exception;
+
+public class SqlInjectionException extends RuntimeException{
+ public SqlInjectionException() {
+ super();
+ }
+
+ public SqlInjectionException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+ super(message, cause, enableSuppression, writableStackTrace);
+ }
+
+ public SqlInjectionException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public SqlInjectionException(String message) {
+ super(message);
+ }
+
+ public SqlInjectionException(Throwable cause) {
+ super(cause);
+ }
+}
diff --git a/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java
index 041fa70f..db4392a7 100644
--- a/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java
+++ b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java
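Review bot: The i18n key added in the messages.properties hunks further down this diff is `io.sc.platform.orm.api.exception.SqlInjectionException`, but the class declared here lives in `io.sc.platform.jdbc.exception`; if messages are resolved from the exception's fully-qualified class name (inferred from the key style, not visible here), the new message will never be found, and the bare `new SqlInjectionException()` thrown by SqlInjectionPreventer carries no message of its own. Rename the key to `io.sc.platform.jdbc.exception.SqlInjectionException=...` in all three properties files, or move the class, whichever matches the lookup. Minor style: `extends RuntimeException{` is missing a space before the brace, and the class has no Javadoc; a one-line `/** Thrown when SqlInjectionPreventer rejects an input that matches its SQL injection heuristics. */` would state the intent.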
@@ -1,30 +1,70 @@
 package io.sc.platform.jdbc.util;
+import io.sc.platform.jdbc.exception.SqlInjectionException;
+
+import java.util.regex.Pattern;
+
 /**
- * 防止 SQL 注入工具类
+ * 检测是否包含 SQL 注入
 */
 public class SqlInjectionPreventer {
- private static final String[] STRING_ESCAPED_CHARACTERS = {
- "'", "\"", "\\", "&", ",", ";", " "
+ // 可能的危险关键字和符号
+ private static final String[] DANGEROUS_KEYWORDS = {
+ "SELECT", "INSERT", "UPDATE", "DELETE",
+ "UNION", "ALL", "WHERE", "HAVING",
+ "ORDER BY", "GROUP BY", "LIMIT",
+ "'OR'", "'AND'", "/*", "*/", "--",
+ ";", "=", "<>", "UNION ALL"
 };
- public static String escapeString(String input) {
- StringBuilder escaped = new StringBuilder();
- for (char c : input.toCharArray()) {
- if (isEscapeCharacter(c)) {
- escaped.append('\\');
- }
- escaped.append(c);
+ // 危险符号
+ private static final String[] DANGEROUS_CHARS = {
+ "'", "\"", ";", "/", "\\"
+ };
+
+ /**
+ * 检查字符串是否含有 SQL 注入,如果含有 SQL 注入,则抛出违例,否则返回原字符串
+ * @param input 输入字符串
+ * @return 是否含有 SQL 注入
+ */
+ public static String checkSqlInjection(String input) {
+ if(isSqlInjection(input)){
+ throw new SqlInjectionException();
 }
- return escaped.toString();
+ return input;
 }
- public static boolean isEscapeCharacter(char c) {
- for (String escapeChar : STRING_ESCAPED_CHARACTERS) {
- if (c == escapeChar.charAt(0)) {
+
+ /**
+ * 是否有 SQL 注入
+ * @param input 输入字符串
+ * @return 是否有 SQL 注入
+ */
+ private static boolean isSqlInjection(String input) {
+ if (input == null || input.isEmpty()) {
+ return false;
+ }
+
+ // 检查是否包含危险关键字或符号
+ for (String keyword : DANGEROUS_KEYWORDS) {
+ if (input.contains(keyword)) {
 return true;
 }
 }
+
+ for (String char1 : DANGEROUS_CHARS) {
+ if (input.contains(char1)) {
+ return true;
+ }
+ }
+
+ // 使用正则表达式检测常见的注入模式
+ String regexPattern = "';|\\);|/\\*|\\*/|--|^OR$|UNION ALL";
+ Pattern pattern = Pattern.compile(regexPattern);
+ if (pattern.matcher(input).find()) {
+ return true;
+ }
+
 return false;
 }
 }
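Review bot: `isSqlInjection` matches with case-sensitive `input.contains(keyword)` against upper-case constants, so the keyword list is only consulted for upper-case input although SQL keywords are case-insensitive, while at the same time substrings such as `ALL`, `=`, `/` and `LIMIT` reject many legitimate values (names, dates, URLs, arithmetic). Normalize once, e.g. `String upper = input.toUpperCase(Locale.ROOT);` (needs `java.util.Locale`) and match on that, and state in the class Javadoc that this is a heuristic filter for values that cannot be bound as parameters, not a substitute for `PreparedStatement` placeholders or identifier whitelisting. `Pattern.compile(regexPattern)` runs on every call; hoist it to `private static final Pattern INJECTION_PATTERN = Pattern.compile("';|\\);|/\\*|\\*/|--|^OR$|UNION ALL");`, noting that only the `\\);` and `^OR$` alternatives add anything beyond the contains loops, and `^OR$` matches only an input that is exactly `OR`. The Javadoc `@return 是否含有 SQL 注入` on `checkSqlInjection` is wrong since the method returns the input unchanged and throws otherwise; replace it with `@return the unchanged input` and `@throws SqlInjectionException if the input contains a dangerous keyword, symbol or pattern`, and consider passing a message to the exception so callers get some context for the rejection.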
diff --git a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties
index ddc60901..30f62590 100644
--- a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties
+++ b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties
@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=Operation was Rejected, exists SQL injection!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
-io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
\ No newline at end of file
+io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
diff --git a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties
index ddc60901..640f6163 100644
--- a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties
+++ b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties
@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=\u64CD\u4F5C\u88AB\u62D2\u7D55, \u53EF\u80FD\u5B58\u5728 SQL \u6CE8\u5165\u98A8\u96AA!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
 io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
\ No newline at end of file
diff --git a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties
index ddc60901..51958d4c 100644
--- a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties
+++ b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties
@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=\u64CD\u4F5C\u88AB\u62D2\u7EDD, \u53EF\u80FD\u5B58\u5728 SQL \u6CE8\u5165\u98CE\u9669!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
 io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
\ No newline at end of file
diff --git a/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java b/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java
index 5536b88a..219a0f57 100644
--- a/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java
+++ b/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java
@@ -106,19 +106,24 @@ public class ConfigureServiceImpl extends DaoServiceImpl