From f9da2e5b872202ee618a98659b0c7bec018dc33f Mon Sep 17 00:00:00 2001
From: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
Date: Mon, 15 Aug 2022 08:04:12 +0000
Subject: [PATCH 1/4] update ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java.
Signed-off-by: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
---
 .../src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
index 246a9cfc8..9da3d3cff 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
@@ -12,8 +12,9 @@ public class SqlUtil
 {
     /**
      * 定义常用的 sql关键字
+     * 删除管道符 "|"左边的空格,空格会导致sql注入
      */
-    public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
+    public static String SQL_REGEX = "select|insert|delete|update|drop|count|exec|chr|mid|master|truncate|char|and|declare";
 
     /**
      * 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
From c61a805792521f299880e61b94d3dd0129fec52a Mon Sep 17 00:00:00 2001
From: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
Date: Mon, 15 Aug 2022 11:18:10 +0000
Subject: [PATCH 2/4] update ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java.
Signed-off-by: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
---
 .../src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
index 9da3d3cff..4c4bef5e6 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
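Review bot: Dropping the trailing spaces from `SQL_REGEX` turns every entry into a bare substring, so a legitimate identifier such as `update_time`, `brand`, `charset` or `varchar` will now trip the filter wherever this constant is applied (the code that applies it is not in the hunk). Matching on `select ` was indeed bypassable by a tab, newline or `/**/` after the keyword, but the correct fix is a word boundary rather than substring matching: `public static String SQL_REGEX = "\\b(select|insert|delete|update|drop|count|exec|chr|mid|master|truncate|char|and|declare)\\b";`, compiled with `Pattern.CASE_INSENSITIVE` unless the caller already lowercases the input. Either way this blocklist is defence in depth only — it omits `union`, `sleep`, `benchmark`, `load_file`, `into outfile`, comment tokens and stacked `;` — so the javadoc should say that callers must still bind values through `PreparedStatement` parameters and validate order-by fields against the allowlist pattern this class keeps for them.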
@@ -13,8 +13,9 @@ public class SqlUtil
     /**
      * 定义常用的 sql关键字
      * 删除管道符 "|"左边的空格,空格会导致sql注入
+     * chr |mid |char |and | 去掉空格容易引起误报
      */
-    public static String SQL_REGEX = "select|insert|delete|update|drop|count|exec|chr|mid|master|truncate|char|and|declare";
+    public static String SQL_REGEX = "select|insert|delete|update|drop|count|exec|chr |mid |master|truncate|char |and |declare";
 
     /**
      * 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
From bc80c8d9aa0c75aba11ba36221b6632a1dcdfe7b Mon Sep 17 00:00:00 2001
From: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
Date: Mon, 15 Aug 2022 11:22:33 +0000
Subject: [PATCH 3/4] update ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java.
Signed-off-by: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
---
 .../main/java/com/ruoyi/generator/controller/GenController.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java b/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java
index d482c2255..47d70a9d2 100644
--- a/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java
+++ b/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java
@@ -207,6 +207,8 @@ public class GenController extends BaseController
                 if (sqlStatement instanceof MySqlCreateTableStatement)
                 {
                     MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
+                    //检查sql是否存在关键字
+                    SqlUtil.filterKeyword(createTableStatement.toString());
                     if (genTableService.createTable(createTableStatement.toString()))
                     {
                         String tableName = createTableStatement.getTableName().replaceAll("`", "");
From b61663f25f7422c5f5bf8afa21f8299196ada38e Mon Sep 17 00:00:00 2001
From: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
Date: Mon, 15 Aug 2022 11:26:24 +0000
Subject: [PATCH 4/4] update ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java.
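Review bot: Re-adding the trailing space to `chr |mid |char |and ` makes those four entries miss the very forms they exist to catch — `chr(`, `char(` and `mid(` are written with an opening parenthesis, and `and` followed by a tab, newline or `/**/` also escapes — while the other entries still match inside ordinary identifiers such as `update_time` or `varchar`. Both the false positives this commit is fighting and the whitespace bypass go away with a word-boundary alternation: `public static String SQL_REGEX = "\\b(select|insert|delete|update|drop|count|exec|chr|mid|master|truncate|char|and|declare)\\b";` — `\\b` matches neither `update_time` (underscore is a word character) nor `varchar`. How the constant is applied (case handling, `find` versus `matches`) is not visible in this hunk, so case-insensitivity must be confirmed on the caller side, and the javadoc should state that this is a defence-in-depth blocklist and not a substitute for parameterised queries.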
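Review bot: `SqlUtil.filterKeyword(createTableStatement.toString())` inspects the text the parser re-serialises after `parseStatements` has already typed the statement as a single `MySqlCreateTableStatement`, so the blocklist adds no constraint the parser does not already impose, yet it can reject legitimate DDL containing `char`/`varchar`, `count`, `and` or an `ON UPDATE CURRENT_TIMESTAMP` clause, depending on how `SQL_REGEX` is applied (outside this hunk). If the goal is to bound what reaches `genTableService.createTable`, validate what the parser exposes instead: check `createTableStatement.getTableName()` against the identifier allowlist `SqlUtil` appears to keep for order-by fields, and reject the request when `sqlStatements` holds anything that is not a create-table statement rather than silently skipping it in the `instanceof` branch. The enclosing `for` loop and `try` begin before this hunk and the `catch` follows it, so the rejection path has to be verified there.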
Signed-off-by: yi-l-i-yi-li <8995991+yi-l-i-yi-li@user.noreply.gitee.com>
---
 .../java/com/ruoyi/generator/controller/GenController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java b/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java
index 47d70a9d2..af31cabc1 100644
--- a/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java
+++ b/ruoyi-generator/src/main/java/com/ruoyi/generator/controller/GenController.java
@@ -199,7 +199,7 @@ public class GenController extends BaseController
     {
         try
         {
-            SqlUtil.filterKeyword(sql);
+            //SqlUtil.filterKeyword(sql);
             List sqlStatements = SQLUtils.parseStatements(sql, DbType.mysql);
             List tableNames = new ArrayList<>();
             for (SQLStatement sqlStatement : sqlStatements)
@@ -207,7 +207,7 @@ public class GenController extends BaseController
             if (sqlStatement instanceof MySqlCreateTableStatement)
             {
                 MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
-                //检查sql是否存在关键字
+                //关键字过滤
                 SqlUtil.filterKeyword(createTableStatement.toString());
                 if (genTableService.createTable(createTableStatement.toString()))
                 {
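Review bot: `//SqlUtil.filterKeyword(sql);` leaves commented-out code in the method body; delete the line outright and put the reason the raw-input check was dropped in the commit message, not in a dead statement. Removing it also changes the security posture: the raw `sql` text is now never inspected, and any statement in it that is not a `MySqlCreateTableStatement` — a trailing `DROP TABLE`, an `INSERT`, a second CREATE that later fails the filter — is parsed and then silently ignored by the `instanceof` branch instead of being rejected, so the caller sees a partial success with no indication that part of the input was discarded. If only CREATE TABLE input is acceptable, throw on the first statement that is not one (for example `throw new IllegalArgumentException("仅支持 CREATE TABLE 语句");` in an `else` of the `instanceof` check), and confirm that the `catch` block, which lies outside this hunk, surfaces `parseStatements` failures rather than swallowing them. The enclosing `for` loop starts in the first hunk and its body continues beyond the second.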