manager/my-worker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加过滤关键字

Browse Source
This commit is contained in:
thinkgem
2022-02-16 10:05:46 +08:00
parent 3719e62fb6
commit 4bbb63a4b6
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
View File

@@ -279,7 +279,7 @@ public class EncodeUtils {
// 预编译SQL过滤正则表达式
private static Pattern sqlPattern = Pattern.compile(
"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml)([\\s]*?)\\()|"
"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml|if|mid|database)([\\s]*?)\\()|"
+ "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|case when|sleep|union|load_file)\\b)",
Pattern.CASE_INSENSITIVE);
@@ -341,7 +341,7 @@ public class EncodeUtils {
sqlFilter((++i)+"你好insert into xxx values(1,2,3,4,5)我还在。");
sqlFilter((++i)+"你好delete from xxx我还在。");
sqlFilter((++i)+"你好a.audit_result asc,case when 1 like case when length(database())=6 then 1 else exp(11111111111111111) end then 1 else 1/0 end");
sqlFilter((++i)+"你好if(1=2,1,SLEEP(10))");
sqlFilter((++i)+"你好if(1=2,1,SLEEP(10)), if(mid(database(),{},1)=\\\"{}\\\",a.id,a.login_name)");
}
}