Introducing new features. #I9300D sql注入检测提供换 mybatis-plus 提供工具类

This commit is contained in:
lbw 2024-02-22 19:27:22 +08:00
parent 395a198885
commit 7031ba049c


@ -20,6 +20,7 @@ package com.pig4cloud.pig.common.mybatis.resolver;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.core.metadata.OrderItem; import com.baomidou.mybatisplus.core.metadata.OrderItem;
import com.baomidou.mybatisplus.core.toolkit.sql.SqlInjectionUtils;
import com.baomidou.mybatisplus.extension.plugins.pagination.Page; import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -45,9 +46,6 @@ import java.util.stream.Collectors;
@Slf4j @Slf4j
public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver { public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver {
private final static String[] KEYWORDS = { "master", "truncate", "insert", "select", "delete", "update", "declare",
"alter", "drop", "sleep", "extractvalue", "concat" };
/** /**
* 判断Controller是否包含page 参数 * 判断Controller是否包含page 参数
* @param parameter 参数 * @param parameter 参数
@ -90,21 +88,12 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver
List<OrderItem> orderItemList = new ArrayList<>(); List<OrderItem> orderItemList = new ArrayList<>();
Optional.ofNullable(ascs) Optional.ofNullable(ascs)
.ifPresent(s -> orderItemList.addAll( .ifPresent(s -> orderItemList.addAll(
Arrays.stream(s).filter(sqlInjectPredicate()).map(OrderItem::asc).collect(Collectors.toList()))); Arrays.stream(s).filter(SqlInjectionUtils::check).map(OrderItem::asc).collect(Collectors.toList())));
Optional.ofNullable(descs) Optional.ofNullable(descs)
.ifPresent(s -> orderItemList.addAll( .ifPresent(s -> orderItemList.addAll(
Arrays.stream(s).filter(sqlInjectPredicate()).map(OrderItem::desc).collect(Collectors.toList()))); Arrays.stream(s).filter(SqlInjectionUtils::check).map(OrderItem::desc).collect(Collectors.toList())));
page.addOrder(orderItemList); page.addOrder(orderItemList);
return page; return page;
} }
/**
* 判断用户输入里面有没有关键字
* @return Predicate
*/
private Predicate<String> sqlInjectPredicate() {
return sql -> Arrays.stream(KEYWORDS).noneMatch(keyword -> StrUtil.containsIgnoreCase(sql, keyword));
}
} }
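Review bot: The predicate on the two changed `filter(...)` lines looks inverted: `SqlInjectionUtils.check` reports `true` when the value matches its injection patterns, so `filter(SqlInjectionUtils::check)` keeps the suspicious sort columns and drops the clean ones, whereas the removed `sqlInjectPredicate()` kept a value only when `noneMatch` held. Unless the mybatis-plus version pinned in this project documents the opposite contract, both lines should negate the call, `.filter(s -> !SqlInjectionUtils.check(s))`, or a one-line `sqlInjectPredicate()` returning `sql -> !SqlInjectionUtils.check(sql)` should be kept so the intent lives in one place and a unit test can pin it (a plain column name survives, a value containing a SQL keyword does not). The silent drop is also worth a `log.warn` with the rejected value, since probing of the sort parameters is otherwise invisible. With `StrUtil.containsIgnoreCase` gone, the `StrUtil` import in the first hunk may now be unused if nothing else in the class references it; the enclosing method begins outside this hunk and the rest of the class is not in view.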