Merge pull request #5524 from dataease/pr@dev@perf_sqlinjection_whitelists

perf(sql白名单): sql注入检测白名单由外部配置文件覆盖
fit2cloud-chenyw 2023-06-27 11:02:37 +08:00 committed by GitHub
commit f896a0cc42
2 changed files with 26 additions and 24 deletions


@ -1,18 +1,6 @@
package io.dataease.commons.wrapper; package io.dataease.commons.wrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.google.gson.Gson; import com.google.gson.Gson;
import io.dataease.commons.holder.ThreadLocalContextHolder; import io.dataease.commons.holder.ThreadLocalContextHolder;
import io.dataease.commons.utils.CommonBeanFactory; import io.dataease.commons.utils.CommonBeanFactory;
@ -21,11 +9,25 @@ import org.apache.commons.lang3.StringUtils;
import org.springframework.core.env.Environment; import org.springframework.core.env.Environment;
import org.springframework.util.StreamUtils; import org.springframework.util.StreamUtils;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper { public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static Gson gson = new Gson(); private static Gson gson = new Gson();
private static final String defaultWhiteList = "/dataset/table/sqlPreview,/dataset/table/update,/dataset/field/multFieldValues,/dataset/field/linkMultFieldValues";
HttpServletRequest orgRequest = null; HttpServletRequest orgRequest = null;
private Map<String, String[]> parameterMap; private Map<String, String[]> parameterMap;
private final byte[] body; //用于保存读取body中数据 private final byte[] body; //用于保存读取body中数据
@ -38,6 +40,7 @@ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrappe
} }
// 重写几个HttpServletRequestWrapper中的方法 // 重写几个HttpServletRequestWrapper中的方法
/** /**
* 获取所有参数名 * 获取所有参数名
* *
@ -159,7 +162,6 @@ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrappe
} }
/** /**
*
* 防止xss跨脚本攻击替换根据实际情况调整 * 防止xss跨脚本攻击替换根据实际情况调整
*/ */
@ -210,7 +212,7 @@ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrappe
public static boolean checkSqlInjection(Object obj) { public static boolean checkSqlInjection(Object obj) {
HttpServletRequest request = ServletUtils.request(); HttpServletRequest request = ServletUtils.request();
String url = request.getRequestURI().toString(); String url = request.getRequestURI();
if (null == obj) return false; if (null == obj) return false;
if (StringUtils.isEmpty(obj.toString())) return false; if (StringUtils.isEmpty(obj.toString())) return false;
@ -219,7 +221,7 @@ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrappe
if (StringUtils.isEmpty(orders)) return false; if (StringUtils.isEmpty(orders)) return false;
String whiteLists = CommonBeanFactory.getBean(Environment.class).getProperty("dataease.sqlinjection.whitelists", String.class, null); String whiteLists = CommonBeanFactory.getBean(Environment.class).getProperty("dataease.sqlinjection.whitelists", String.class, defaultWhiteList);
if (StringUtils.isNotEmpty(whiteLists)) { if (StringUtils.isNotEmpty(whiteLists)) {
// 命中白名单 无需检测sql注入 // 命中白名单 无需检测sql注入
if (Arrays.stream(whiteLists.split(",")).anyMatch(item -> url.indexOf(item) != -1)) return false; if (Arrays.stream(whiteLists.split(",")).anyMatch(item -> url.indexOf(item) != -1)) return false;
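Review bot: Now that the whitelist is compiled in as a default, every deployment inherits the substring comparison on the last line of this hunk, `url.indexOf(item) != -1`, which exempts from SQL-injection checking any request URI that merely contains one of the four listed paths, not only requests to those endpoints. Comparing the path explicitly keeps the exemption to the intended routes, e.g. `if (Arrays.stream(whiteLists.split(",")).map(String::trim).anyMatch(item -> url.equals(item) || url.startsWith(item + "/"))) return false;`. The `defaultWhiteList` field added in the second hunk is a constant and would conventionally be named `DEFAULT_WHITE_LIST`, with a Javadoc stating that it applies whenever `dataease.sqlinjection.whitelists` is not set, since that is a change from the previous behaviour where an absent property meant no whitelist. checkSqlInjection's body continues outside the hunk.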


@ -68,7 +68,7 @@ spring.cache.ehcache.config=classpath:/ehcache/ehcache.xml
pagehelper.PageRowBounds=true pagehelper.PageRowBounds=true
#excel\u7B49\u7528\u6237\u4E0A\u4F20\u6587\u4EF6\u8DEF\u5F84 #excel\u7B49\u7528\u6237\u4E0A\u4F20\u6587\u4EF6\u8DEF\u5F84
upload.file.path=/opt/dataease/data/kettle/ upload.file.path=/opt/dataease/data/kettle/
dataease.sqlinjection.whitelists=/dataset/table/sqlPreview,/dataset/table/update,/dataset/field/multFieldValues,/dataset/field/linkMultFieldValues #dataease.sqlinjection.whitelists=/dataset/table/sqlPreview,/dataset/table/update,/dataset/field/multFieldValues,/dataset/field/linkMultFieldValues
#\u5F00\u542F\u538B\u7F29 \u63D0\u9AD8\u54CD\u5E94\u901F\u5EA6 \u51CF\u5C11\u5E26\u5BBD\u538B\u529B #\u5F00\u542F\u538B\u7F29 \u63D0\u9AD8\u54CD\u5E94\u901F\u5EA6 \u51CF\u5C11\u5E26\u5BBD\u538B\u529B
server.compression.enabled=true server.compression.enabled=true
server.compression.mime-types=application/javascript,text/css,application/json,application/xml,text/html,text/xml,text/plain server.compression.mime-types=application/javascript,text/css,application/json,application/xml,text/html,text/xml,text/plain
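Review bot: Commenting the property out makes the whitelist look disabled, while the wrapper now falls back to the same four paths whenever the key is absent, so an operator reading this file alone gets the wrong picture. A comment above the commented line would close that gap, e.g. `# SQL-injection whitelist; when unset the application defaults to the four paths below (see XssAndSqlHttpServletRequestWrapper)`. Whether an explicitly empty value disables the whitelist appears to depend on the empty-string handling in checkSqlInjection and would be worth stating in the same comment once confirmed.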