From c64343a289f4eec1e671d1fce25441769e69af04 Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Wed, 4 Aug 2021 18:11:37 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=A2=9E=E5=8A=A0sql=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95=EF=BC=9Bsql=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E6=8B=A6=E6=88=AA=E5=99=A8=E5=8F=AA=E9=AA=8C=E8=AF=81=E6=8E=92?=
 =?UTF-8?q?=E5=BA=8F=E5=AD=97=E6=AE=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../XssAndSqlHttpServletRequestWrapper.java | 53 ++++++++++++++++---
 .../src/main/resources/application.properties | 2 +
 2 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java b/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
index 5bff936f5d..a2fc32e868 100644
--- a/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
+++ b/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
@@ -5,11 +5,7 @@ import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-import java.util.Vector;
+import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.servlet.ReadListener;
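Review bot: `import java.util.*;` on the added line swaps five explicit imports for a wildcard, while the neighbouring `java.io` and `java.util.regex` imports in the same block stay explicit. The only new `java.util` name the patch uses is `Arrays`, so keep the explicit list and add `import java.util.Arrays;` instead. Wildcard imports also hide which utility types the class depends on and can pick up name clashes silently when a new import is added later.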
@@ -17,12 +13,20 @@ import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
+import com.alibaba.fastjson.JSONObject;
+import com.google.gson.Gson;
 import io.dataease.commons.holder.ThreadLocalContextHolder;
+import io.dataease.commons.utils.CommonBeanFactory;
+import io.dataease.commons.utils.ServletUtils;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.core.env.Environment;
 import org.springframework.util.StreamUtils;
 public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
+ private static Gson gson = new Gson();
 HttpServletRequest orgRequest = null;
 private Map parameterMap;
@@ -215,9 +219,24 @@ public class XssAndSqlHttpServletRequestWrappe
 }
 public static boolean checkSqlInjection(Object obj){
+ HttpServletRequest request = ServletUtils.request();
+ String url = request.getRequestURI().toString();
+
+ if (null == obj) return false;
+ if (StringUtils.isEmpty(obj.toString())) return false;
+
+ String orders = orders(obj.toString());
+
+ if (StringUtils.isEmpty(orders)) return false;
+
+ String whiteLists = CommonBeanFactory.getBean(Environment.class).getProperty("dataease.sqlinjection.whitelists", String.class, null);
+ if (StringUtils.isNotEmpty(whiteLists)) {
+ // 命中白名单 无需检测sql注入
+ if (Arrays.stream(whiteLists.split(",")).anyMatch(item -> url.indexOf(item) != -1)) return false;
+ }
 Pattern pattern= Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)"
 + "|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b.*)");
- Matcher matcher=pattern.matcher(obj.toString().toLowerCase());
+ Matcher matcher=pattern.matcher(orders.toLowerCase());
 return matcher.find();
 }
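Review bot: `private static Gson gson = new Gson();` on the added field line is a mutable static; a `Gson` instance is thread-safe and is never reassigned in this patch, so declare it `private static final Gson GSON = new Gson();` and rename its single use in `orders`. The hunk also adds two JSON libraries for one helper — fastjson to parse the body and Gson to re-serialise the `orders` value — where fastjson's `JSON.toJSONString(orders)` would do the same job without the second dependency. `CollectionUtils` is imported but not used by any line in this diff; drop it unless code outside the shown hunks needs it.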
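Review bot: The whitelist test on the added `Arrays.stream(whiteLists.split(","))` line uses `url.indexOf(item) != -1`, so an entry matches anywhere in the raw request URI — any path that merely contains `/dataset/table/update`, or one reached through `..` or `;` segments that `getRequestURI()` does not normalise, skips the injection check — and a blank entry produced by a leading or doubled comma in the property matches every URI and disables the filter outright. Compare the normalised path for equality and ignore blank entries, e.g. `String path = URI.create(url).normalize().getPath();` (needs `java.net.URI`) and `Arrays.stream(whiteLists.split(",")).map(String::trim).filter(StringUtils::isNotBlank).anyMatch(path::equals)`. `ServletUtils.request()` is dereferenced on the second added line before the `obj` guards run; if it can return null outside a request-bound thread (not visible here) the method throws an NPE instead of returning false, so move the `request`/`url` lookup down to just before the whitelist check where it is first needed. The regex on the context lines is also still compiled on every call; a `private static final Pattern` would avoid that.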
@@ -332,6 +351,28 @@ public class XssAndSqlHttpServletRequestWrappe
 return false;
 }
+ private static String orders(String json) {
+ if (StringUtils.isEmpty(json)) return null;
+
+ try{
+ Map map = JSONObject.parseObject(json, Map.class);
+ Object orders = map.get("orders");
+
+ if (orders != null) {
+ return gson.toJson(orders);
+ }
+ Object sort = map.get("sort");
+
+ if (sort != null) {
+ return sort.toString();
+ }
+ return null;
+ }catch (Exception e) {
+ return null;
+ }
+
+ }
+
 @Override
 public BufferedReader getReader() throws IOException {
 return new BufferedReader(new InputStreamReader(getInputStream()));
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index 5084fb866f..14368c84d1 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -76,6 +76,8 @@ pagehelper.PageRowBounds=true
 #excel等用户上传文件路径
 upload.file.path=/opt/dataease/data/kettle/
+dataease.sqlinjection.whitelists=/dataset/table/sqlPreview,/dataset/table/update
+
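Review bot: The `catch (Exception e) { return null; }` in the new `orders` helper fails open: any body fastjson cannot parse as a top-level object (a JSON array, a form-encoded or malformed body) yields `null`, which `checkSqlInjection` treats as nothing to check, so the filter is silently skipped with no trace of why. At least log the exception at debug level together with the request path, and state the intent in a comment on the method, e.g. `// Only a JSON object body can carry an orders/sort field; anything else is deliberately not inspected`. Handing the raw request body to `JSONObject.parseObject(json, Map.class)` also feeds untrusted input to fastjson; whether `@type` autoType is honoured depends on the fastjson version and safeMode setting, neither visible in this diff, so confirm autoType is disabled. Only top-level `orders` and `sort` keys are read, so a sort spec nested inside another object, if any endpoint accepts one, is not covered. Style: `Map` is a raw type (`Map<String, Object>` fits the `get` calls), and `try{` / `}catch` should be `try {` / `} catch`.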