blade
/
blade-tool
mirror of https://github.com/chillzhuang/blade-tool
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: blade:077a6bf44d7070c1f7557d464e01d27f82811b71
Branches Tags
blade:master
blade:dependabot/maven/blade-bom/mysql-mysql-connector-java-8.0.28
blade:dependabot/maven/blade-bom/org.jsoup-jsoup-1.15.3
blade:dependabot/maven/blade-bom/com.alibaba-fastjson-1.2.83
blade:dependabot/maven/blade-bom/org.postgresql-postgresql-42.3.7
blade:dependabot/maven/blade-bom/com.xuxueli-xxl-job-core-2.3.0
...
compare: blade:54af570642e47dd4e04baeddb181774743dfadd4
Branches Tags
blade:master
blade:dependabot/maven/blade-bom/mysql-mysql-connector-java-8.0.28
blade:dependabot/maven/blade-bom/org.jsoup-jsoup-1.15.3
blade:dependabot/maven/blade-bom/com.alibaba-fastjson-1.2.83
blade:dependabot/maven/blade-bom/org.postgresql-postgresql-42.3.7
blade:dependabot/maven/blade-bom/com.xuxueli-xxl-job-core-2.3.0

2 Commits
077a6bf44d ... 54af570642

Author SHA1 Message Date
smallchill 54af570642 🎉 3.7.1.RELEASE 2023-12-05 12:41:55 +08:00
smallchill ef497ced62 优化sql防注入逻辑,避免双写等情况出现 2023-12-05 01:15:29 +08:00
22 changed files with 69 additions and 30 deletions
Show Stats Expand all files Collapse all files

2
blade-core-boot/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<groupId>org.springblade</groupId>
<artifactId>blade-tool</artifactId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-boot/src/main/resources/bootstrap.yml
View File

@ -101,7 +101,7 @@ mybatis-plus:
swagger:
title: SpringBlade 接口文档系统
description: SpringBlade 接口文档系统
version: 3.7.0
version: 3.7.1
license: Powered By SpringBlade
licenseUrl: https://bladex.vip
terms-of-service-url: https://bladex.vip

2
blade-core-cloud/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-crypto/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-datascope/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-develop/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-launch/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-launch/src/main/java/org/springblade/core/launch/constant/AppConstant.java
View File

@ -25,7 +25,7 @@ public interface AppConstant {
/**
* 应用版本
*/
String APPLICATION_VERSION = "3.7.0";
String APPLICATION_VERSION = "3.7.1";
/**
* 基础包

2
blade-core-loadbalancer/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-log/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

7
blade-core-mybatis/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>
@ -22,6 +22,11 @@
<artifactId>mybatis</artifactId>
<version>${mybatis.version}</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>${mybatis.spring.version}</version>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus</artifactId>

37
blade-core-mybatis/src/main/java/org/springblade/core/mp/support/SqlKeyword.java
View File

@ -16,12 +16,15 @@
package org.springblade.core.mp.support;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import lombok.SneakyThrows;
import org.springblade.core.tool.utils.DateUtil;
import org.springblade.core.tool.utils.Func;
import org.springblade.core.tool.utils.StringPool;
import org.springblade.core.tool.utils.StringUtil;
import java.sql.SQLException;
import java.util.Map;
import java.util.regex.Pattern;
/**
* 定义常用的 sql关键字
@ -29,7 +32,19 @@ import java.util.Map;
* @author Chill
*/
public class SqlKeyword {
private final static String SQL_REGEX = "'|%|--|insert|delete|select|sleep|count|group|union|drop|truncate|alter|grant|execute|exec|xp_cmdshell|call|declare|sql";
/**
* 常规sql字符匹配关键词
*/
private final static String SQL_REGEX = "(?i)(?<![a-z])('|%|--|insert|delete|select|sleep|count|updatexml|group|union|drop|truncate|alter|grant|execute|exec|xp_cmdshell|call|declare|sql)(?![a-z])";
/**
* 二次匹配防止双写等注入手段
*/
private final static Pattern PATTERN = Pattern.compile("(?:--|[\"';%]|\\binsert\\b|\\bdelete\\b|\\bselect\\b|\\bcount\\b|\\bupdatexml\\b|\\bsleep\\b|group\\s+by|\\bunion\\b|\\bdrop\\b|\\btruncate\\b|\\balter\\b|\\bgrant\\b|\\bexecute\\b|\\bxp_cmdshell\\b|\\bcall\\b|\\bdeclare\\b|\\bsql\\b)");
/**
* sql注入警告语
*/
private final static String SQL_INJECTION_MESSAGE = "SQL keyword injection prevention processing!";
private static final String EQUAL = "_equal";
private static final String NOT_EQUAL = "_notequal";
@ -121,10 +136,28 @@ public class SqlKeyword {
* @param param 关键字
* @return string
*/
@SneakyThrows(SQLException.class)
public static String filter(String param) {
if (param == null) {
return null;
}
return param.replaceAll("(?i)" + SQL_REGEX, StringPool.EMPTY);
// 将校验到的sql关键词替换为空字符串
String sql = param.replaceAll(SQL_REGEX, StringPool.EMPTY);
// 二次校验避免双写绕过等情况出现
if (match(sql)) {
throw new SQLException(SQL_INJECTION_MESSAGE);
}
return sql;
}
/**
* 判断字符是否包含SQL关键字
*
* @param param 关键字
* @return boolean
*/
public static Boolean match(String param) {
return Func.isNotEmpty(param) && PATTERN.matcher(param).find();
}
}

2
blade-core-oss/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-report/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-secure/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-social/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-swagger/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-swagger/src/main/java/org/springblade/core/swagger/SwaggerProperties.java
View File

@ -55,7 +55,7 @@ public class SwaggerProperties {
/**
* 版本
**/
private String version = "3.7.0";
private String version = "3.7.1";
/**
* 许可证
**/

2
blade-core-test/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<groupId>org.springblade</groupId>
<artifactId>blade-tool</artifactId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-tool/pom.xml
View File

@ -6,7 +6,7 @@
<parent>
<groupId>org.springblade</groupId>
<artifactId>blade-tool</artifactId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

2
blade-core-transaction/pom.xml
View File

@ -5,7 +5,7 @@
<parent>
<artifactId>blade-tool</artifactId>
<groupId>org.springblade</groupId>
<version>3.7.0</version>
<version>3.7.1</version>
</parent>
<modelVersion>4.0.0</modelVersion>

17
pom.xml
View File

@ -5,7 +5,7 @@
<groupId>org.springblade</groupId>
<artifactId>blade-tool</artifactId>
<version>3.7.0</version>
<version>3.7.1</version>
<packaging>pom</packaging>
<name>blade-tool</name>
<description>
@ -36,15 +36,16 @@
</scm>
<properties>
<blade.tool.version>3.7.0</blade.tool.version>
<blade.tool.version>3.7.1</blade.tool.version>
<java.version>1.8</java.version>
<maven.plugin.version>3.8.1</maven.plugin.version>
<knife4j.version>4.1.0</knife4j.version>
<knife4j.version>4.3.0</knife4j.version>
<mybatis.version>3.5.13</mybatis.version>
<mybatis.plus.version>3.5.3.2</mybatis.plus.version>
<mybatis.plus.generator.version>3.5.3.2</mybatis.plus.generator.version>
<mybatis.spring.version>2.1.1</mybatis.spring.version>
<mybatis.plus.version>3.5.4.1</mybatis.plus.version>
<mybatis.plus.generator.version>3.5.4.1</mybatis.plus.generator.version>
<protostuff.version>1.6.0</protostuff.version>
<disruptor.version>3.4.2</disruptor.version>
<guava.version>31.1-jre</guava.version>
@ -53,9 +54,9 @@
<alibaba.cloud.version>2021.0.5.0</alibaba.cloud.version>
<alibaba.nacos.version>2.1.2</alibaba.nacos.version>
<spring.version>5.3.29</spring.version>
<spring.boot.version>2.7.15</spring.boot.version>
<spring.boot.admin.version>2.7.10</spring.boot.admin.version>
<spring.version>5.3.31</spring.version>
<spring.boot.version>2.7.18</spring.boot.version>
<spring.boot.admin.version>2.7.14</spring.boot.admin.version>
<spring.cloud.version>2021.0.8</spring.cloud.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>