From ef497ced624486c71f90d68b63bafa83cd46902a Mon Sep 17 00:00:00 2001
From: smallchill <smallchill@163.com>
Date: Tue, 5 Dec 2023 01:15:29 +0800
Subject: [PATCH] =?UTF-8?q?:zap:=20=E4=BC=98=E5=8C=96sql=E9=98=B2=E6=B3=A8?=
 =?UTF-8?q?=E5=85=A5=E9=80=BB=E8=BE=91=EF=BC=8C=E9=81=BF=E5=85=8D=E5=8F=8C?=
 =?UTF-8?q?=E5=86=99=E7=AD=89=E6=83=85=E5=86=B5=E5=87=BA=E7=8E=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../core/mp/support/SqlKeyword.java           | 37 ++++++++++++++++++-
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java b/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
index 212fb60..bb8ca31 100644
--- a/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
+++ b/blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
@@ -16,12 +16,15 @@
 package org.springblade.core.mp.support;
 
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
+import lombok.SneakyThrows;
 import org.springblade.core.tool.utils.DateUtil;
 import org.springblade.core.tool.utils.Func;
 import org.springblade.core.tool.utils.StringPool;
 import org.springblade.core.tool.utils.StringUtil;
 
+import java.sql.SQLException;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /**
  * 定义常用的 sql关键字
@@ -29,7 +32,19 @@ import java.util.Map;
  * @author Chill
  */
 public class SqlKeyword {
-	private final static String SQL_REGEX = "'|%|--|insert|delete|select|sleep|count|group|union|drop|truncate|alter|grant|execute|exec|xp_cmdshell|call|declare|sql";
+	/**
+	 * 常规sql字符匹配关键词
+	 */
+	private final static String SQL_REGEX = "(?i)(?<![a-z])('|%|--|insert|delete|select|sleep|count|updatexml|group|union|drop|truncate|alter|grant|execute|exec|xp_cmdshell|call|declare|sql)(?![a-z])";
+
+	/**
+	 * 二次匹配防止双写等注入手段
+	 */
+	private final static Pattern PATTERN = Pattern.compile("(?:--|[\"';%]|\\binsert\\b|\\bdelete\\b|\\bselect\\b|\\bcount\\b|\\bupdatexml\\b|\\bsleep\\b|group\\s+by|\\bunion\\b|\\bdrop\\b|\\btruncate\\b|\\balter\\b|\\bgrant\\b|\\bexecute\\b|\\bxp_cmdshell\\b|\\bcall\\b|\\bdeclare\\b|\\bsql\\b)");
+	/**
+	 * sql注入警告语
+	 */
+	private final static String SQL_INJECTION_MESSAGE = "SQL keyword injection prevention processing!";
 
 	private static final String EQUAL = "_equal";
 	private static final String NOT_EQUAL = "_notequal";
@@ -121,10 +136,28 @@ public class SqlKeyword {
 	 * @param param 关键字
 	 * @return string
 	 */
+	@SneakyThrows(SQLException.class)
 	public static String filter(String param) {
 		if (param == null) {
 			return null;
 		}
-		return param.replaceAll("(?i)" + SQL_REGEX, StringPool.EMPTY);
+		// 将校验到的sql关键词替换为空字符串
+		String sql = param.replaceAll(SQL_REGEX, StringPool.EMPTY);
+		// 二次校验，避免双写绕过等情况出现
+		if (match(sql)) {
+			throw new SQLException(SQL_INJECTION_MESSAGE);
+		}
+		return sql;
 	}
+
+	/**
+	 * 判断字符是否包含SQL关键字
+	 *
+	 * @param param 关键字
+	 * @return boolean
+	 */
+	public static Boolean match(String param) {
+		return Func.isNotEmpty(param) && PATTERN.matcher(param).find();
+	}
+
 }