From ac699f90573359cd082f387e08a7ff1c6f350929 Mon Sep 17 00:00:00 2001
From: thinkgem
Date: Tue, 11 Feb 2025 12:46:41 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=20=E5=88=97=E5=90=8D=20colum?= =?UTF-8?q?nName=20=E6=AD=A3=E5=88=99=E8=A1=A8=E8=BE=BE=E5=BC=8F=E7=9A=84?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E8=BF=87=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/jeesite/common/codec/EncodeUtils.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
index 1e5ad944..caf335ee 100644
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -267,6 +267,7 @@ public class EncodeUtils {
 + "|(\\b(select|update|and|or|delete|insert|trancate|substr|ascii|declare|exec|count|master|into"
 + "|drop|execute|case when|sleep|union|load_file)\\b)", Pattern.CASE_INSENSITIVE);
 private static final Pattern simplePattern = Pattern.compile("[a-z0-9_\\.\\, ]*", Pattern.CASE_INSENSITIVE);
+ private static final Pattern columnNamePattern = Pattern.compile("[a-z0-9_\\.`\"\\[\\]]*", Pattern.CASE_INSENSITIVE);
 
 /**
 * SQL过滤,防止注入,传入参数输入有select相关代码,替换空。
@@ -283,11 +284,16 @@ public class EncodeUtils {
 public static String sqlFilter(String text, String source){
 if (text != null){
 String value = text;
- if ("simple".equals(source) || "orderBy".equals(source)) {
+ if (StringUtils.inString(source, "simple", "orderBy")) {
 Matcher matcher = simplePattern.matcher(value);
 if (!matcher.matches()) {
 value = StringUtils.EMPTY;
 }
+ } else if (StringUtils.inString(source, "columnName")) {
+ Matcher matcher = columnNamePattern.matcher(value);
+ if (!matcher.matches()) {
+ value = StringUtils.EMPTY;
+ }
 } else {
 Matcher matcher = sqlPattern.matcher(value);
 if (matcher.find()) {
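Review bot: `columnNamePattern` admits the quoting characters `` ` ``, `"`, `[` and `]` at any position and in any number, so an unbalanced or misplaced value such as `a"b`, `` `a `` or `]x[` passes `matches()` unchanged and is handed to whatever SQL the caller assembles from it. Nothing in the character class allows whitespace, operators or comment starters, so this is not an obvious injection vector, but the filter's contract becomes "pass through a value that is guaranteed not to parse" instead of "reject", and the resulting database errors can leak schema details or create noisy incident data depending on how the caller surfaces exceptions. Consider matching the identifier grammar rather than a character set, for example ``private static final String IDENT = "(?:[a-z0-9_]+|`[a-z0-9_]+`|\"[a-z0-9_]+\"|\\[[a-z0-9_]+\\])";`` together with `Pattern.compile(IDENT + "(?:\\." + IDENT + ")*", Pattern.CASE_INSENSITIVE)`, which accepts each dotted segment only when it is bare or fully enclosed by one matching pair of delimiters and also stops the trailing `*` from accepting the empty string. As with `simplePattern` above, the `.` still permits a qualified name such as `other_table.column`, so callers must be prepared for the filtered value to reference a table other than the intended one; whether that matters depends on call sites not visible here.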
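Review bot: The new `columnName` branch repeats the `simple`/`orderBy` branch line for line except for the pattern, and the rewrite of the two `equals` checks into `StringUtils.inString(source, "simple", "orderBy")` is only behaviour-preserving if `inString` is an exact, case-sensitive equality test; its implementation is not in this hunk, and if it compares case-insensitively or by substring the whitelist modes would also be selected for other `source` values (stricter filtering rather than a bypass, so a functional rather than a security regression). Assuming `inString` is varargs, as the two call shapes suggest, a single whitelist branch would remove the duplication, e.g. `} else if (StringUtils.inString(source, "simple", "orderBy", "columnName")) {` followed by `Pattern allowed = StringUtils.inString(source, "columnName") ? columnNamePattern : simplePattern;` and `if (!allowed.matcher(value).matches()) { value = StringUtils.EMPTY; }`. The method's Javadoc, which starts in the previous hunk, should name the three recognised `source` values, say that `columnName` is a whitelist of identifier characters rather than the keyword blacklist used by the default branch, and state that a rejected value comes back as the empty string, because callers cannot otherwise tell rejection from empty input. `sqlFilter`'s body continues past the end of the hunk.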