From 978a0bbae0e67064a1767e1a84da9c43ed2be084 Mon Sep 17 00:00:00 2001
From: wangshaoping
Date: Thu, 25 Sep 2025 11:15:00 +0800
Subject: [PATCH] =?UTF-8?q?=E5=9F=BA=E7=A1=80=E6=A1=86=E6=9E=B6=E5=8F=91?= =?UTF-8?q?=E5=B8=83:=208.2.41=20=20=201.=20=E8=A7=84=E5=88=99=E5=BC=95?= =?UTF-8?q?=E6=93=8E=E5=B0=86=E6=9E=9A=E4=B8=BE=E5=8F=98=E9=87=8F=E6=9B=BF?= =?UTF-8?q?=E6=8D=A2=E4=B8=BA=E6=9E=9A=E4=B8=BE=E5=80=BC=E8=BF=94=E5=9B=9E?= =?UTF-8?q?=E7=BB=99=E5=AE=A2=E6=88=B7=E7=AB=AF=E3=80=82=20=20=202.=20?= =?UTF-8?q?=E5=86=B3=E7=AD=96=E5=BC=95=E6=93=8E=E5=A2=9E=E5=8A=A0=E8=A1=80?= =?UTF-8?q?=E7=BC=98=E5=85=B3=E7=B3=BB=E6=9F=A5=E8=AF=A2=20=20=203.=20?= =?UTF-8?q?=E4=BF=AE=E6=94=B9=20logback=20=E6=97=A5=E5=BF=97=E9=85=8D?= =?UTF-8?q?=E7=BD=AE=20=20=204.=20=E6=8F=90=E4=BE=9B=E7=94=A8=E4=BA=8E?= =?UTF-8?q?=E6=A3=80=E6=B5=8B=20SQL=20=E6=B3=A8=E5=85=A5=E7=9A=84=E8=BE=85?= =?UTF-8?q?=E5=8A=A9=E7=B1=BB=20io.sc.platform.jdbc.util.SqlInjectionPreve?= =?UTF-8?q?nter?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
前端核心发布: 8.2.135 1. 修改错误处理机制 2. 决策引擎增加血缘关系查询
---
 .../jdbc/exception/SqlInjectionException.java | 23 +++++++
 .../jdbc/util/SqlInjectionPreventer.java | 68 +++++++++++++++----
 .../sc/platform/jdbc/i18n/messages.properties | 4 +-
 .../jdbc/i18n/messages_tw_CN.properties | 2 +
 .../jdbc/i18n/messages_zh_CN.properties | 2 +
 .../service/impl/ConfigureServiceImpl.java | 5 ++
 6 files changed, 89 insertions(+), 15 deletions(-)
 create mode 100644 io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java
diff --git a/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java
new file mode 100644
index 00000000..81e3f766
--- /dev/null
+++ b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java
@@ -0,0 +1,23 @@
+package io.sc.platform.jdbc.exception;
+
+public class SqlInjectionException extends RuntimeException{
+ public SqlInjectionException() {
+ super();
+ }
+
+ public SqlInjectionException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+ super(message, cause, enableSuppression, writableStackTrace);
+ }
+
+ public SqlInjectionException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public SqlInjectionException(String message) {
+ super(message);
+ }
+
+ public SqlInjectionException(Throwable cause) {
+ super(cause);
+ }
+}
diff --git a/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java
index 041fa70f..db4392a7 100644
--- a/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java
+++ b/io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java
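Review bot: The message key this commit adds to the three `messages*.properties` files is `io.sc.platform.orm.api.exception.SqlInjectionException`, but the class declared in this hunk is `io.sc.platform.jdbc.exception.SqlInjectionException`; if messages are resolved by the exception's fully-qualified class name, which the key naming pattern suggests but the diff does not show, the lookup will miss and callers get no localized text. Either rename the key to the package the class actually lives in or move the class, whichever the message resolver expects. The no-arg constructor is the one `SqlInjectionPreventer.checkSqlInjection` calls, so an instance carries no message of its own, and the class has no Javadoc saying where its message comes from. A class-level `/** Thrown when an input value is rejected by SqlInjectionPreventer.checkSqlInjection; the user-facing text is supplied through the i18n key, not the constructor. */` would make that contract visible.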
@@ -1,30 +1,70 @@
 package io.sc.platform.jdbc.util;
+import io.sc.platform.jdbc.exception.SqlInjectionException;
+
+import java.util.regex.Pattern;
+
 /**
- * 防止 SQL 注入工具类
+ * 检测是否包含 SQL 注入
 */
 public class SqlInjectionPreventer {
- private static final String[] STRING_ESCAPED_CHARACTERS = {
- "'", "\"", "\\", "&", ",", ";", " "
+ // 可能的危险关键字和符号
+ private static final String[] DANGEROUS_KEYWORDS = {
+ "SELECT", "INSERT", "UPDATE", "DELETE",
+ "UNION", "ALL", "WHERE", "HAVING",
+ "ORDER BY", "GROUP BY", "LIMIT",
+ "'OR'", "'AND'", "/*", "*/", "--",
+ ";", "=", "<>", "UNION ALL"
 };
- public static String escapeString(String input) {
- StringBuilder escaped = new StringBuilder();
- for (char c : input.toCharArray()) {
- if (isEscapeCharacter(c)) {
- escaped.append('\\');
- escaped.append(c);
+ // 危险符号
+ private static final String[] DANGEROUS_CHARS = {
+ "'", "\"", ";", "/", "\\"
+ };
+
+ /**
+ * 检查字符串是否含有 SQL 注入,如果含有 SQL 注入,则抛出违例,否则返回原字符串
+ * @param input 输入字符串
+ * @return 是否含有 SQL 注入
+ */
+ public static String checkSqlInjection(String input) {
+ if(isSqlInjection(input)){
+ throw new SqlInjectionException();
 }
- return escaped.toString();
+ return input;
 }
- public static boolean isEscapeCharacter(char c) {
- for (String escapeChar : STRING_ESCAPED_CHARACTERS) {
- if (c == escapeChar.charAt(0)) {
+
+ /**
+ * 是否有 SQL 注入
+ * @param input 输入字符串
+ * @return 是否有 SQL 注入
+ */
+ private static boolean isSqlInjection(String input) {
+ if (input == null || input.isEmpty()) {
+ return false;
+ }
+
+ // 检查是否包含危险关键字或符号
+ for (String keyword : DANGEROUS_KEYWORDS) {
+ if (input.contains(keyword)) {
 return true;
 }
 }
+
+ for (String char1 : DANGEROUS_CHARS) {
+ if (input.contains(char1)) {
+ return true;
+ }
+ }
+
+ // 使用正则表达式检测常见的注入模式
+ String regexPattern = "';|\\);|/\\*|\\*/|--|^OR$|UNION ALL";
+ Pattern pattern = Pattern.compile(regexPattern);
+ if (pattern.matcher(input).find()) {
+ return true;
+ }
+ return false;
 }
 }
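Review bot: The keyword check in `isSqlInjection` is case-sensitive (`input.contains(keyword)` against upper-case literals), so `DANGEROUS_KEYWORDS` only matches one spelling of each word, while the `DANGEROUS_CHARS` entries and the bare `=`, `ALL` and `LIMIT` keywords reject ordinary values such as names containing an apostrophe, dates written with `/`, or any word containing "all". A substring denylist cannot be made both complete and precise, so the class Javadoc should state that this is a defense-in-depth filter behind parameter binding (`PreparedStatement`) and identifier allowlists, not the primary control. Within the hunk the cheap fixes are to normalize with `input.toUpperCase(Locale.ROOT)` before the keyword loop (needs `java.util.Locale`), to compile the regex once as a `static final Pattern` with `Pattern.CASE_INSENSITIVE` instead of on every call, and to drop the list entries the regex already covers (`/*`, `*/`, `--`, `UNION ALL`, and `;`, which appears in both arrays). With `find()` and no `MULTILINE` flag, `^OR$` only matches when the whole input is exactly `OR`, which is presumably narrower than intended. `checkSqlInjection` throws `new SqlInjectionException()` with no message; a short message naming the rejected parameter, without echoing the raw value into logs, would help incident triage.
```java
    // compiled once and case-insensitive, so "select"/"Select" are treated like "SELECT"
    private static final Pattern INJECTION_PATTERN =
            Pattern.compile("';|\\);|/\\*|\\*/|--|^OR$|UNION ALL", Pattern.CASE_INSENSITIVE);

    private static boolean isSqlInjection(String input) {
        if (input == null || input.isEmpty()) {
            return false;
        }
        // normalize once so the upper-case keyword list matches any spelling of the keyword
        String normalized = input.toUpperCase(Locale.ROOT);
        for (String keyword : DANGEROUS_KEYWORDS) {
            if (normalized.contains(keyword)) {
                return true;
            }
        }
        // … unchanged: DANGEROUS_CHARS loop …
        return INJECTION_PATTERN.matcher(input).find();
    }
```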
diff --git a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties
index ddc60901..30f62590 100644
--- a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties
+++ b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties
@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=Operation was Rejected, exists SQL injection!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
-io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
\ No newline at end of file
+io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
diff --git a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties
index ddc60901..640f6163 100644
--- a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties
+++ b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties
@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=\u64CD\u4F5C\u88AB\u62D2\u7D55, \u53EF\u80FD\u5B58\u5728 SQL \u6CE8\u5165\u98A8\u96AA!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
 io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
\ No newline at end of file
diff --git a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties
index ddc60901..51958d4c 100644
--- a/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties
+++ b/io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties
@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=\u64CD\u4F5C\u88AB\u62D2\u7EDD, \u53EF\u80FD\u5B58\u5728 SQL \u6CE8\u5165\u98CE\u9669!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
 io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
\ No newline at end of file
diff --git a/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java b/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java
index 5536b88a..219a0f57 100644
--- a/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java
+++ b/io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java
@@ -106,19 +106,24 @@ public class ConfigureServiceImpl extends DaoServiceImpl