u

2024-09-10 18:12:16 +08:00 · 2024-09-10 18:12:16 +08:00 · ecc4e11f4d
commit ecc4e11f4d
parent 3279ef8ab5
1 changed files with 18 additions and 22 deletions
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java
@ -1,37 +1,32 @@
 package com.ruoyi.common.utils.sql;

-import java.io.StringReader;
-
 import com.ruoyi.common.exception.UtilException;
 import com.ruoyi.common.utils.StringUtils;

-import net.sf.jsqlparser.JSQLParserException;
-import net.sf.jsqlparser.parser.CCJSqlParserManager;
-import net.sf.jsqlparser.statement.Statement;
-
 /**
 * sql操作工具类
- * 
+ *
 * @author ruoyi
 */
-public class SqlUtil {
+public class SqlUtil
+{
    /**
     * 定义常用的 sql关键字
     */
-    public static String SQL_REGEX = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |+|user()";
+    public static String SQL_REGEX = "and |extractvalue|updatexml|sleep|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |or |union |like |+|/*|user()";

    /**
     * 仅支持字母、数字、下划线、空格、逗号、小数点（支持多个字段排序）
     */
    public static String SQL_PATTERN = "[a-zA-Z0-9_\\ \\,\\.]+";

-    private static final CCJSqlParserManager parserManager = new CCJSqlParserManager();
-
    /**
     * 检查字符，防止注入绕过
     */
-    public static String escapeOrderBySql(String value) {
-        if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value)) {
+    public static String escapeOrderBySql(String value)
+    {
+        if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value))
+        {
            throw new UtilException("参数不符合规范，不能进行查询");
        }
        return value;
@ -40,26 +35,27 @@ public class SqlUtil {
    /**
     * 验证 order by 语法是否符合规范
     */
-    public static boolean isValidOrderBySql(String value) {
+    public static boolean isValidOrderBySql(String value)
+    {
        return value.matches(SQL_PATTERN);
    }

    /**
     * SQL关键字检查
     */
-    public static void filterKeyword(String value) {
-        if (StringUtils.isEmpty(value)) {
+    public static void filterKeyword(String value)
+    {
+        if (StringUtils.isEmpty(value))
+        {
            return;
        }
        String[] sqlKeywords = StringUtils.split(SQL_REGEX, "\\|");
-        for (String sqlKeyword : sqlKeywords) {
-            if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1) {
+        for (String sqlKeyword : sqlKeywords)
+        {
+            if (StringUtils.indexOfIgnoreCase(value, sqlKeyword) > -1)
+            {
                throw new UtilException("参数存在SQL注入风险");
            }
        }
    }
-
-    public static Statement parseSql(String sql) throws JSQLParserException {
-        return parserManager.parse(new StringReader(sql));
-    }
 }