脚手架完善
This commit is contained in:
谭凯凯
Tankaikai
parent
6524caea92
commit
293323ff6a
|
|
@ -1,6 +1,8 @@
|
|||
package com.czg.utils;
|
||||
|
||||
import cn.hutool.core.util.StrUtil;
|
||||
|
||||
import java.util.Objects;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
|
|
@ -10,14 +12,15 @@ import java.util.regex.Pattern;
|
|||
*/
|
||||
public class SqlUtil {
|
||||
/**
|
||||
* 定义常用的 sql关键字
|
||||
* SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配
|
||||
*/
|
||||
private static final Pattern SQL_KEYWORD_PATTERN = Pattern.compile("(?i)(and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |\\+|user\\(\\))");
|
||||
|
||||
private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" +
|
||||
"\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)" +
|
||||
"|if\\s*\\(.*\\)|select\\s*\\(.*\\)|substr\\s*\\(.*\\)|substring\\s*\\(.*\\)|char\\s*\\(.*\\)|concat\\s*\\(.*\\)|benchmark\\s*\\(.*\\)|sleep\\s*\\(.*\\)|(and|or)\\s+.*", Pattern.CASE_INSENSITIVE);
|
||||
/**
|
||||
* 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
|
||||
* 使用'、;或注释截断SQL检查正则
|
||||
*/
|
||||
private static final Pattern SQL_PATTERN = Pattern.compile("[a-zA-Z0-9_\\ \\,\\.]+");
|
||||
private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/\\*|;)", Pattern.CASE_INSENSITIVE);
|
||||
|
||||
/**
|
||||
* 限制orderBy最大长度
|
||||
|
|
@ -29,7 +32,7 @@ public class SqlUtil {
|
|||
*/
|
||||
public static String escapeOrderBySql(String value) {
|
||||
if (StrUtil.isNotEmpty(value)) {
|
||||
if (!isValidOrderBySql(value)) {
|
||||
if (!check(value)) {
|
||||
throw new IllegalArgumentException("参数不符合规范,不能进行查询");
|
||||
}
|
||||
if (value.length() > ORDER_BY_MAX_LENGTH) {
|
||||
|
|
@ -40,18 +43,24 @@ public class SqlUtil {
|
|||
}
|
||||
|
||||
/**
|
||||
* 验证 order by 语法是否符合规范
|
||||
* 检查参数是否存在 SQL 注入
|
||||
*
|
||||
* @param value 检查参数
|
||||
* @return true 非法 false 合法
|
||||
*/
|
||||
public static boolean isValidOrderBySql(String value) {
|
||||
return SQL_PATTERN.matcher(value).matches();
|
||||
public static boolean check(String value) {
|
||||
Objects.requireNonNull(value);
|
||||
// 处理是否包含SQL注释字符 || 检查是否包含SQL注入敏感字符
|
||||
return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
|
||||
}
|
||||
|
||||
/**
|
||||
* SQL关键字检查
|
||||
* 刪除字段转义符单引号双引号
|
||||
*
|
||||
* @param text 待处理字段
|
||||
*/
|
||||
public static void filterKeyword(String value) {
|
||||
if (StrUtil.isNotEmpty(value) && SQL_KEYWORD_PATTERN.matcher(value).find()) {
|
||||
throw new IllegalArgumentException("参数存在 SQL 注入风险");
|
||||
}
|
||||
public static String removeEscapeCharacter(String text) {
|
||||
Objects.nonNull(text);
|
||||
return text.replaceAll("\"", "").replaceAll("'", "");
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue