基础框架发布: 8.2.41

1. 规则引擎将枚举变量替换为枚举值返回给客户端。
  2. 决策引擎增加血缘关系查询
  3. 修改 logback 日志配置
  4. 提供用于检测 SQL 注入的辅助类 io.sc.platform.jdbc.util.SqlInjectionPreventer

前端核心发布: 8.2.135
  1. 修改错误处理机制
  2. 决策引擎增加血缘关系查询

io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/exception/SqlInjectionException.java

@@ -0,0 +1,23 @@
+package io.sc.platform.jdbc.exception;
+
+public class SqlInjectionException extends RuntimeException{
+	public SqlInjectionException() {
+		super();
+	}
+
+	public SqlInjectionException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+		super(message, cause, enableSuppression, writableStackTrace);
+	}
+
+	public SqlInjectionException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	public SqlInjectionException(String message) {
+		super(message);
+	}
+
+	public SqlInjectionException(Throwable cause) {
+		super(cause);
+	}
+}

io.sc.platform.jdbc/src/main/java/io/sc/platform/jdbc/util/SqlInjectionPreventer.java

@@ -1,30 +1,70 @@
 package io.sc.platform.jdbc.util;
 
+import io.sc.platform.jdbc.exception.SqlInjectionException;
+
+import java.util.regex.Pattern;
+
 /**
- * 防止 SQL 注入工具类
+ * 检测是否包含 SQL 注入
  */
 public class SqlInjectionPreventer {
-    private static final String[] STRING_ESCAPED_CHARACTERS = {
+    // 可能的危险关键字和符号
-            "'", "\"", "\\", "&", ",", ";", " "
+    private static final String[] DANGEROUS_KEYWORDS = {
+            "SELECT", "INSERT", "UPDATE", "DELETE",
+            "UNION", "ALL", "WHERE", "HAVING",
+            "ORDER BY", "GROUP BY", "LIMIT",
+            "'OR'", "'AND'", "/*", "*/", "--",
+            ";", "=", "<>", "UNION ALL"
     };
 
-    public static String escapeString(String input) {
+    // 危险符号
-        StringBuilder escaped = new StringBuilder();
+    private static final String[] DANGEROUS_CHARS = {
-        for (char c : input.toCharArray()) {
+            "'", "\"", ";", "/", "\\"
-            if (isEscapeCharacter(c)) {
+    };
-                escaped.append('\\');
+
-            }
+    /**
-            escaped.append(c);
+     * 检查字符串是否含有 SQL 注入，如果含有 SQL 注入，则抛出违例，否则返回原字符串
+     * @param input 输入字符串
+     * @return 是否含有 SQL 注入
+     */
+    public static String checkSqlInjection(String input) {
+        if(isSqlInjection(input)){
+            throw new SqlInjectionException();
         }
-        return escaped.toString();
+        return input;
     }
 
-    public static boolean isEscapeCharacter(char c) {
+
-        for (String escapeChar : STRING_ESCAPED_CHARACTERS) {
+    /**
-            if (c == escapeChar.charAt(0)) {
+     * 是否有 SQL 注入
+     * @param input 输入字符串
+     * @return 是否有 SQL 注入
+     */
+    private static boolean isSqlInjection(String input) {
+        if (input == null || input.isEmpty()) {
+            return false;
+        }
+
+        // 检查是否包含危险关键字或符号
+        for (String keyword : DANGEROUS_KEYWORDS) {
+            if (input.contains(keyword)) {
                 return true;
             }
         }
+
+        for (String char1 : DANGEROUS_CHARS) {
+            if (input.contains(char1)) {
+                return true;
+            }
+        }
+
+        // 使用正则表达式检测常见的注入模式
+        String regexPattern = "';|\\);|/\\*|\\*/|--|^OR$|UNION ALL";
+        Pattern pattern = Pattern.compile(regexPattern);
+        if (pattern.matcher(input).find()) {
+            return true;
+        }
+
         return false;
     }
 }

io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages.properties

@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=Operation was Rejected, exists SQL injection!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
-io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI
+io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI

io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_tw_CN.properties

@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=\u64CD\u4F5C\u88AB\u62D2\u7D55, \u53EF\u80FD\u5B58\u5728 SQL \u6CE8\u5165\u98A8\u96AA!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
 io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI

io.sc.platform.jdbc/src/main/resources/io/sc/platform/jdbc/i18n/messages_zh_CN.properties

@@ -1,2 +1,4 @@
+io.sc.platform.orm.api.exception.SqlInjectionException=\u64CD\u4F5C\u88AB\u62D2\u7EDD, \u53EF\u80FD\u5B58\u5728 SQL \u6CE8\u5165\u98CE\u9669!
+
 io.sc.platform.jdbc.datasource.DatasourceType.JDBC=JDBC
 io.sc.platform.jdbc.datasource.DatasourceType.JNDI=JNDI

io.sc.platform.lcdp/src/main/java/io/sc/platform/lcdp/configure/service/impl/ConfigureServiceImpl.java

@@ -106,19 +106,24 @@ public class ConfigureServiceImpl extends DaoServiceImpl<ConfigureEntity, String
             configure.getSetting().setLogoutSuccessUrl(logoutSuccessUrl);
         }
 
+        // 是不是前端密码编码后传给后端
         String encodePassword =parameters.get("parameter.system.login.encodePassword");
         if(StringUtils.hasText(encodePassword)) {
             configure.getTheme().getLogin().setEncodePassword(Boolean.valueOf(encodePassword));
         }
 
+        // 认证模式
         AuthenticationMode authenticationMode =environment.getProperty("application.authentication.mode",AuthenticationMode.class);
         configure.getSetting().setAuthenticationMode(authenticationMode);
 
+        // 是否支持切换角色
         boolean enableChangeRole =environment.getProperty("application.enable-change-role",Boolean.class,false);
         configure.getSetting().setEnableChangeRole(enableChangeRole);
 
+        // 是否支持多法人
         configure.getSetting().setIsMultiCorporationMode(io.sc.platform.core.Environment.getInstance().isMultiCorportationMode());
 
+        // 是否支持当前工作流任务执行完毕后继续下一个任务处理
         String workbenchAutoHandleNextTask =parameters.get("parameter.system.workbench.autoHandleNextTask");
         if(StringUtils.hasText(workbenchAutoHandleNextTask)) {
             configure.getSetting().setWorkbenchAutoHandleNextTask(Boolean.valueOf(workbenchAutoHandleNextTask));