iailab-plat-v2.0.git

潘志宝

2025-01-20 619626ae7ef85afc60c720fb309efb08b58b0cb7

sqlInject2

已修改5个文件

	iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/common/xss/SQLFilter.java	26 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史
	iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/ind/data/controller/admin/IndDataSetController.java	4 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史
	iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/ind/value/service/impl/IndItemValueServiceImpl.java	10 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史
	iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/data/controller/admin/PlanDataSetController.java	4 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史
	iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java	2 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史

 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/common/xss/SQLFilter.java

@@ -12,6 +12,7 @@

    /**
     * SQL注入过滤
     *
     * @param str  待验证的字符串
     */
    public static String sqlInject(String str){
@@ -39,4 +40,29 @@

        return str;
    }

    /**
     * SQL注入过滤
     *
     * @param orgStr 待验证的字符串
     */
    public static String sqlInject2(String orgStr) {
        if (StringUtils.isBlank(orgStr)) {
            return null;
        }
        //转换成小写
        String str = new String(orgStr.toLowerCase());

        //非法字符
        String[] keywords = {";", "master", "truncate", "insert", "select", "delete", "update", "declare", "alter", "drop"};

        //判断是否包含非法字符
        for (String keyword : keywords) {
            if (str.indexOf(keyword) != -1) {
                throw new RRException("包含非法字符");
            }
        }

        return str;
    }
}

 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/ind/data/controller/admin/IndDataSetController.java

@@ -48,7 +48,7 @@
    @Operation(summary = "创建指标数据集")
    @PreAuthorize("@ss.hasPermission('data:ind-data-set:create')")
    public CommonResult<Boolean> create(@Valid @RequestBody IndDataSetSaveReqVO createReqVO) {
        SQLFilter.sqlInject(createReqVO.getQuerySql());
        SQLFilter.sqlInject2(createReqVO.getQuerySql());
        indDataSetService.create(createReqVO);
        return success(true);
    }
@@ -57,7 +57,7 @@
    @Operation(summary = "修改指标数据集")
    @PreAuthorize("@ss.hasPermission('data:ind-data-set:update')")
    public CommonResult<Boolean> update(@Valid @RequestBody IndDataSetSaveReqVO updateReqVO) {
        SQLFilter.sqlInject(updateReqVO.getQuerySql());
        SQLFilter.sqlInject2(updateReqVO.getQuerySql());
        indDataSetService.update(updateReqVO);
        return success(true);
    }

 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/ind/value/service/impl/IndItemValueServiceImpl.java

@@ -65,11 +65,11 @@
            log.warn("数据源不能为空");
            return null;
        }
        SQLFilter.sqlInject(dto.getSelectSql());
        SQLFilter.sqlInject(dto.getViewSql());
        SQLFilter.sqlInject(dto.getWhereSql());
        SQLFilter.sqlInject(dto.getGroupSql());
        SQLFilter.sqlInject(dto.getGroupSql());
        SQLFilter.sqlInject2(dto.getSelectSql());
        SQLFilter.sqlInject2(dto.getViewSql());
        SQLFilter.sqlInject2(dto.getWhereSql());
        SQLFilter.sqlInject2(dto.getGroupSql());
        SQLFilter.sqlInject2(dto.getGroupSql());
        DataContextHolder.setDataSourceId(Long.valueOf(dto.getDataSource()));
        return baseDao.getSourceValue(dto);
    }

 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/data/controller/admin/PlanDataSetController.java

@@ -47,7 +47,7 @@
    @Operation(summary = "创建计划数据集")
    @PreAuthorize("@ss.hasPermission('data:plan-data-set:create')")
    public CommonResult<Boolean> create(@Valid @RequestBody PlanDataSetSaveReqVO createReqVO) {
        SQLFilter.sqlInject(createReqVO.getQuerySql());
        SQLFilter.sqlInject2(createReqVO.getQuerySql());
        indDataSetService.create(createReqVO);
        return success(true);
    }
@@ -56,7 +56,7 @@
    @Operation(summary = "修改计划数据集")
    @PreAuthorize("@ss.hasPermission('data:plan-data-set:update')")
    public CommonResult<Boolean> update(@Valid @RequestBody PlanDataSetSaveReqVO updateReqVO) {
        SQLFilter.sqlInject(updateReqVO.getQuerySql());
        SQLFilter.sqlInject2(updateReqVO.getQuerySql());
        indDataSetService.update(updateReqVO);
        return success(true);
    }

 iailab-module-data/iailab-module-data-biz/src/main/java/com/iailab/module/data/plan/item/collection/PlanItemCollector.java

@@ -2,6 +2,7 @@

import com.iailab.framework.tenant.core.context.DataContextHolder;
import com.iailab.module.data.common.utils.DateUtils;
import com.iailab.module.data.common.xss.SQLFilter;
import com.iailab.module.data.plan.data.entity.PlanDataSetEntity;
import com.iailab.module.data.plan.data.service.PlanDataSetService;
import com.iailab.module.data.plan.item.entity.PlanItemEntity;
@@ -44,6 +45,7 @@
            return null;
        }
        Map<String, Object> params = getSqlParams(dataSet, startTime, endTime);
        SQLFilter.sqlInject2(dataSet.getQuerySql());
        DataContextHolder.setDataSourceId(Long.valueOf(dataSet.getDataSource()));
        List<PlanItemDataVO> dataList = planItemService.getSourceValue(params);

			@@ -12,6 +12,7 @@

			/**
			* SQL注入过滤
			*
			* @param str 待验证的字符串
			*/
			public static String sqlInject(String str){
			@@ -39,4 +40,29 @@

			return str;
			}

			/**
			* SQL注入过滤
			*
			* @param orgStr 待验证的字符串
			*/
			public static String sqlInject2(String orgStr) {
			if (StringUtils.isBlank(orgStr)) {
			return null;
			}
			//转换成小写
			String str = new String(orgStr.toLowerCase());

			//非法字符
			String[] keywords = {";", "master", "truncate", "insert", "select", "delete", "update", "declare", "alter", "drop"};

			//判断是否包含非法字符
			for (String keyword : keywords) {
			if (str.indexOf(keyword) != -1) {
			throw new RRException("包含非法字符");
			}
			}

			return str;
			}
			}

			@@ -48,7 +48,7 @@
			@Operation(summary = "创建指标数据集")
			@PreAuthorize("@ss.hasPermission('data:ind-data-set:create')")
			public CommonResult<Boolean> create(@Valid @RequestBody IndDataSetSaveReqVO createReqVO) {
			SQLFilter.sqlInject(createReqVO.getQuerySql());
			SQLFilter.sqlInject2(createReqVO.getQuerySql());
			indDataSetService.create(createReqVO);
			return success(true);
			}
			@@ -57,7 +57,7 @@
			@Operation(summary = "修改指标数据集")
			@PreAuthorize("@ss.hasPermission('data:ind-data-set:update')")
			public CommonResult<Boolean> update(@Valid @RequestBody IndDataSetSaveReqVO updateReqVO) {
			SQLFilter.sqlInject(updateReqVO.getQuerySql());
			SQLFilter.sqlInject2(updateReqVO.getQuerySql());
			indDataSetService.update(updateReqVO);
			return success(true);
			}

			@@ -65,11 +65,11 @@
			log.warn("数据源不能为空");
			return null;
			}
			SQLFilter.sqlInject(dto.getSelectSql());
			SQLFilter.sqlInject(dto.getViewSql());
			SQLFilter.sqlInject(dto.getWhereSql());
			SQLFilter.sqlInject(dto.getGroupSql());
			SQLFilter.sqlInject(dto.getGroupSql());
			SQLFilter.sqlInject2(dto.getSelectSql());
			SQLFilter.sqlInject2(dto.getViewSql());
			SQLFilter.sqlInject2(dto.getWhereSql());
			SQLFilter.sqlInject2(dto.getGroupSql());
			SQLFilter.sqlInject2(dto.getGroupSql());
			DataContextHolder.setDataSourceId(Long.valueOf(dto.getDataSource()));
			return baseDao.getSourceValue(dto);
			}

			@@ -47,7 +47,7 @@
			@Operation(summary = "创建计划数据集")
			@PreAuthorize("@ss.hasPermission('data:plan-data-set:create')")
			public CommonResult<Boolean> create(@Valid @RequestBody PlanDataSetSaveReqVO createReqVO) {
			SQLFilter.sqlInject(createReqVO.getQuerySql());
			SQLFilter.sqlInject2(createReqVO.getQuerySql());
			indDataSetService.create(createReqVO);
			return success(true);
			}
			@@ -56,7 +56,7 @@
			@Operation(summary = "修改计划数据集")
			@PreAuthorize("@ss.hasPermission('data:plan-data-set:update')")
			public CommonResult<Boolean> update(@Valid @RequestBody PlanDataSetSaveReqVO updateReqVO) {
			SQLFilter.sqlInject(updateReqVO.getQuerySql());
			SQLFilter.sqlInject2(updateReqVO.getQuerySql());
			indDataSetService.update(updateReqVO);
			return success(true);
			}

			@@ -2,6 +2,7 @@

			import com.iailab.framework.tenant.core.context.DataContextHolder;
			import com.iailab.module.data.common.utils.DateUtils;
			import com.iailab.module.data.common.xss.SQLFilter;
			import com.iailab.module.data.plan.data.entity.PlanDataSetEntity;
			import com.iailab.module.data.plan.data.service.PlanDataSetService;
			import com.iailab.module.data.plan.item.entity.PlanItemEntity;
			@@ -44,6 +45,7 @@
			return null;
			}
			Map<String, Object> params = getSqlParams(dataSet, startTime, endTime);
			SQLFilter.sqlInject2(dataSet.getQuerySql());
			DataContextHolder.setDataSourceId(Long.valueOf(dataSet.getDataSource()));
			List<PlanItemDataVO> dataList = planItemService.getSourceValue(params);