update 优化 findInSet 方法增加参数校验防止注入

2026-06-08 06:46:06 +00:00 · 2026-05-26 16:05:09 +08:00
parent 02c0c65c7e
commit cef1797828
2 changed files with 18 additions and 4 deletions
--- a/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
@@ -1,5 +1,6 @@
 package org.dromara.common.core.utils.sql;

+import cn.hutool.core.exceptions.UtilException;
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import org.dromara.common.core.utils.StringUtils;
@@ -7,7 +8,7 @@ import org.dromara.common.core.utils.StringUtils;
 /**
 * sql操作工具类
 *
- * @author ruoyi
+ * @author Lion Li
 */
@NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class SqlUtil {
@@ -15,7 +16,7 @@ public class SqlUtil {
    /**
     * 定义常用的 sql关键字
     */
-    public static String SQL_REGEX = "\u000B|and |extractvalue|updatexml|sleep|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";
+    public static final String SQL_REGEX = "\u000B|%0A|and |extractvalue|updatexml|sleep|information_schema|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";

    /**
     * 仅支持字母、数字、下划线、空格、逗号、小数点（支持多个字段排序）
@@ -46,11 +47,21 @@ public class SqlUtil {
        if (StringUtils.isEmpty(value)) {
            return;
        }
+
+        // ==================== 核心增强：自动转义单引号 ====================
+        // 不抛异常、不破坏业务、不改变原方法行为、自动防注入
+        if (value.contains("'")) {
+            throw new UtilException("请求参数包含非法字符【'】，已禁止执行");
+        }
+
+        // ==================== 原有逻辑不变 ====================
+        String normalizedValue = value.replaceAll("\\p{Z}|\\s", "");
        String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
        for (String sqlKeyword : sqlKeywords) {
-            if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1) {
-                throw new IllegalArgumentException("参数存在SQL注入风险");
+            if (StringUtils.indexOf(normalizedValue, sqlKeyword) > -1) {
+                throw new UtilException("请求参数包含敏感关键词'" + sqlKeyword + "'，可能存在安全风险");
            }
        }
    }
+
 }
--- a/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
+++ b/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
@@ -6,6 +6,7 @@ import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import org.dromara.common.core.exception.ServiceException;
 import org.dromara.common.core.utils.SpringUtils;
+import org.dromara.common.core.utils.sql.SqlUtil;
 import org.dromara.common.mybatis.enums.DataBaseType;

 import javax.sql.DataSource;
@@ -79,6 +80,8 @@ public class DataBaseHelper {
     */
    public static String findInSet(Object var1, String var2) {
        String var = Convert.toStr(var1);
+        SqlUtil.filterKeyword(var);
+        SqlUtil.filterKeyword(var2);
        return switch (getDataBaseType()) {
            // instr(',0,100,101,' , ',100,') <> 0
            case ORACLE -> "instr(','||%s||',' , ',%s,') <> 0".formatted(var2, var);