From cef1797828cefce4c43ffaf184a673348e04bb78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?= <15040126243@163.com>
Date: Tue, 26 May 2026 16:05:09 +0800
Subject: [PATCH] =?UTF-8?q?update=20=E4=BC=98=E5=8C=96=20findInSet=20?=
 =?UTF-8?q?=E6=96=B9=E6=B3=95=20=E5=A2=9E=E5=8A=A0=E5=8F=82=E6=95=B0?=
 =?UTF-8?q?=E6=A0=A1=E9=AA=8C=E9=98=B2=E6=AD=A2=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../common/core/utils/sql/SqlUtil.java | 19 +++++++++++++++----
 .../common/mybatis/helper/DataBaseHelper.java | 3 +++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java b/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
index 1020c81eb..c0a5a6f79 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/org/dromara/common/core/utils/sql/SqlUtil.java
@@ -1,5 +1,6 @@
 package org.dromara.common.core.utils.sql;
 
+import cn.hutool.core.exceptions.UtilException;
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import org.dromara.common.core.utils.StringUtils;
@@ -7,7 +8,7 @@ import org.dromara.common.core.utils.StringUtils;
 /**
  * sql操作工具类
  *
- * @author ruoyi
+ * @author Lion Li
  */
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class SqlUtil {
@@ -15,7 +16,7 @@ public class SqlUtil {
 /**
  * 定义常用的 sql关键字
  */
- public static String SQL_REGEX = "\u000B|and |extractvalue|updatexml|sleep|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";
+ public static final String SQL_REGEX = "\u000B|%0A|and |extractvalue|updatexml|sleep|information_schema|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";
 
 /**
  * 仅支持字母、数字、下划线、空格、逗号、小数点(支持多个字段排序)
@@ -46,11 +47,21 @@ public class SqlUtil {
 if (StringUtils.isEmpty(value)) {
 return;
 }
+
+ // ==================== 核心增强:自动转义单引号 ====================
+ // 不抛异常、不破坏业务、不改变原方法行为、自动防注入
+ if (value.contains("'")) {
+ throw new UtilException("请求参数包含非法字符【'】,已禁止执行");
+ }
+
+ // ==================== 原有逻辑不变 ====================
+ String normalizedValue = value.replaceAll("\\p{Z}|\\s", "");
 String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
 for (String sqlKeyword : sqlKeywords) {
- if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1) {
- throw new IllegalArgumentException("参数存在SQL注入风险");
+ if (StringUtils.indexOf(normalizedValue, sqlKeyword) > -1) {
+ throw new UtilException("请求参数包含敏感关键词'" + sqlKeyword + "',可能存在安全风险");
 }
 }
 }
+
 }
diff --git a/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java b/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
index 4e410736d..3f141f25e 100644
--- a/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
+++ b/ruoyi-common/ruoyi-common-mybatis/src/main/java/org/dromara/common/mybatis/helper/DataBaseHelper.java
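Review bot: Most entries in the new SQL_REGEX can no longer match anything, because the rewritten filterKeyword in the next hunk (@@ -46,11 +47,21) strips every whitespace character from the value before searching, while "and ", "select ", "union ", "or " and the other word entries end in a space, and "\u000B" is itself whitespace under \s; only the space-free entries (%0A, extractvalue, updatexml, sleep, information_schema, +, /*, user()) remain live. The trailing spaces were the list's crude word boundary (without them "or" would flag "order" or "author"), so simply removing them is not a fix either; searching the raw value as the old code did restores the list but still leaves a blocklist that cannot be complete. The Javadoc should state what the constant actually is, e.g. `/** Literal substrings, split on '|', that filterKeyword rejects; a trailing space acts as a word boundary, and '+' and '/*' are literal text, not regex. */`. For the findInSet arguments this commit starts checking, an allowlist on each argument's expected shape (the approach this class already takes for sort fields, see the Javadoc at the end of this hunk) is the more dependable control.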
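Review bot: Replacing StringUtils.indexOfIgnoreCase with StringUtils.indexOf at the keyword check makes the match case-sensitive, so a value containing "SLEEP" or "Information_Schema" now passes where the old code rejected it; keep `if (StringUtils.indexOfIgnoreCase(normalizedValue, sqlKeyword) > -1) {` (the whitespace-stripping problem is noted on the previous hunk). The two banner comments contradict the code under them: "自动转义单引号" and "不抛异常" describe escaping without throwing, but the block throws UtilException on any quote, so replace them with something like `// Reject values containing a single quote; findInSet interpolates the value into SQL text.` and drop the "原有逻辑不变" banner, since the logic below it did change. The exception type also moved from IllegalArgumentException to hutool's UtilException, which any caller or global handler catching IllegalArgumentException will no longer see; if that mapping matters it should be called out in the commit message. The enclosing filterKeyword signature is above this hunk.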
@@ -6,6 +6,7 @@ import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import org.dromara.common.core.exception.ServiceException;
 import org.dromara.common.core.utils.SpringUtils;
+import org.dromara.common.core.utils.sql.SqlUtil;
 import org.dromara.common.mybatis.enums.DataBaseType;
 
 import javax.sql.DataSource;
@@ -79,6 +80,8 @@ public class DataBaseHelper {
  */
 public static String findInSet(Object var1, String var2) {
 String var = Convert.toStr(var1);
+ SqlUtil.filterKeyword(var);
+ SqlUtil.filterKeyword(var2);
 return switch (getDataBaseType()) {
 // instr(',0,100,101,' , ',100,') <> 0
 case ORACLE -> "instr(','||%s||',' , ',%s,') <> 0".formatted(var2, var);
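Review bot: Both arguments are still interpolated into the SQL text by `formatted(var2, var)` after the two new filterKeyword calls, and filterKeyword is a keyword blocklist, so the check is only as strong as that list and is not tied to the positions these arguments occupy in the statement. If var2 is always a column name, an allowlist on its shape is the reliable check, e.g. (constructed pattern) `if (!var2.matches("[A-Za-z_][A-Za-z0-9_]*")) { throw new IllegalArgumentException("invalid column name: " + var2); }`, and var, which is built from var1 and used as a list member, can be validated the same way against whatever token shape this call expects. filterKeyword now throws hutool's UtilException, so findInSet's failure mode changed; add `@throws cn.hutool.core.exceptions.UtilException if either argument contains a single quote or a blocked keyword` to the Javadoc above this hunk. findInSet's switch continues past the end of the hunk.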