Commit a7d6df93 authored by Spencer Chang's avatar Spencer Chang

[fix] 当需要限制不允许通过*查询所有列数据时,不应校验用于计算的*符号

parent 687de5d1
......@@ -106,16 +106,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute
if (StringUtils.isNotEmpty(msg.toString())) {
throw new IllegalArgumentException(msg.toString());
}
String checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql);
msg.append(checkMsg);
String checkMsg = null;
// 非内部限制
if (!StringUtils.startsWith(ip, ipWhiteCheck)) {
if (SqlCheckUtils.checkSqlIgnoreCase(formatSql, SqlConstantUtils.SQL_STAR)) {
msg.append("select语句不允许使用*查询所有字段,请重置语句!");
}
checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, true);
} else {
checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, false);
}
msg.append(checkMsg);
if (StringUtils.isNotEmpty(msg.toString())) {
SysDpExecuteHistory sysDpExecuteHistory = new SysDpExecuteHistory();
sysDpExecuteHistory.setDehIp(ip);
......@@ -204,15 +202,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute
if (StringUtils.isNotEmpty(msg.toString())) {
throw new IllegalArgumentException(msg.toString());
}
String checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql);
msg.append(checkMsg);
String checkMsg = null;
// 非内部限制
if (!StringUtils.startsWith(ip, ipWhiteCheck)) {
if (SqlCheckUtils.checkSqlIgnoreCase(formatSql, SqlConstantUtils.SQL_STAR)) {
msg.append("select语句不允许使用*查询所有字段,请重置语句!");
}
checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, true);
} else {
checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, false);
}
msg.append(checkMsg);
if (StringUtils.isNotEmpty(msg.toString())) {
sysDpExecuteHistory.setDehExecuteTime(new Date());
sysDpExecuteHistory.setDehError(msg.toString());
......
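Review bot: The text-level `SqlCheckUtils.checkSqlIgnoreCase(formatSql, SqlConstantUtils.SQL_STAR)` check kept in the non-whitelisted branch still appears to match any `*` in the statement text, so the arithmetic `*` that the commit title says should no longer be rejected is presumably still flagged here before the parser-based check runs, and when the select list really does use `*` the same message is appended twice (once here, once from `parserCheckSelect(formatSql, true)`); if the parser check now covers the select-list star, relying on `checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, true);` alone would match the stated intent. The same eleven lines are duplicated in the second hunk (@@ -204); a private helper taking `formatSql` and `ip` would keep the two call sites from drifting. Separately, `StringUtils.startsWith(ip, ipWhiteCheck)` is a plain string-prefix test, so an `ipWhiteCheck` such as `10.1` also exempts `10.10.*` and `10.100.*` addresses from the restriction; a CIDR or exact-octet comparison would express the internal-network exemption more safely, and where `ip` originates (forwarded header vs. socket address) is outside the hunk. Both enclosing methods start and end outside their hunks.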
......@@ -3,12 +3,15 @@ package com.hand.hls.dp.util;
import com.alibaba.druid.sql.ast.SQLExpr;
import com.alibaba.druid.sql.ast.SQLObject;
import com.alibaba.druid.sql.ast.SQLStatement;
import com.alibaba.druid.sql.ast.expr.SQLAllColumnExpr;
import com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr;
import com.alibaba.druid.sql.ast.expr.SQLBinaryOperator;
import com.alibaba.druid.sql.ast.expr.SQLPropertyExpr;
import com.alibaba.druid.sql.ast.expr.SQLQueryExpr;
import com.alibaba.druid.sql.ast.statement.*;
import com.alibaba.druid.sql.dialect.oracle.parser.OracleStatementParser;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import java.util.List;
import java.util.Objects;
......@@ -20,13 +23,14 @@ import java.util.Objects;
*/
public final class SqlParserCheckUtils {
private static final int STMTLISTSIZE = 2;
/**
* 校验查询语句
*
* @param sql 待校验语句
* @return 返回信息
*/
public static String parserCheckSelect(String sql) {
public static String parserCheckSelect(String sql, boolean checkStarFlag) {
StringBuilder ret = new StringBuilder();
OracleStatementParser parser = new OracleStatementParser(sql);
List<SQLStatement> stmtList = parser.parseStatementList();
......@@ -39,19 +43,14 @@ public final class SqlParserCheckUtils {
SQLSelectStatement selectStatement = (SQLSelectStatement) stmt;
SQLSelect sqlSelect = selectStatement.getSelect();
SQLSelectQueryBlock queryBlock = sqlSelect.getQueryBlock();
String selectRet = parseSelectBlock(ret, queryBlock);
if (selectRet != null) {return selectRet;}
String selectRet = parseSelectBlock4Where(ret, queryBlock);
if (StringUtils.isNotEmpty(selectRet)) {
return selectRet;
}
// 校验查询字段里的SUB SELECT
List<SQLSelectItem> sqlSelectItemList = queryBlock.getSelectList();
for (SQLSelectItem selectItem : sqlSelectItemList) {
SQLExpr itemExpr = selectItem.getExpr();
if (itemExpr instanceof SQLQueryExpr) {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) itemExpr;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {return subSelectRet;}
}
String subSelectRet = parseSubSelect(ret, checkStarFlag, queryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
} else {
ret.append("不是SELECT语句!");
......@@ -60,7 +59,47 @@ public final class SqlParserCheckUtils {
return ret.toString();
}
private static String parseSelectBlock(StringBuilder ret, SQLSelectQueryBlock queryBlock) {
/**
* @param checkStarFlag 是否运行*查全部字段标识
* @param queryBlock 查询block
* @return 返回
*/
private static String parseSubSelect(StringBuilder ret, boolean checkStarFlag, SQLSelectQueryBlock queryBlock) {
List<SQLSelectItem> sqlSelectItemList = queryBlock.getSelectList();
for (SQLSelectItem selectItem : sqlSelectItemList) {
SQLExpr itemExpr = selectItem.getExpr();
if (itemExpr instanceof SQLQueryExpr) {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) itemExpr;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelect4WhereRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelect4WhereRet)) {
return subSelect4WhereRet;
}
// 解析再下一层子查询
parseSubSelect(ret, checkStarFlag, subQueryBlock);
} else if (itemExpr instanceof SQLPropertyExpr) {
if (checkStarFlag) {
SQLPropertyExpr propertyExpr = (SQLPropertyExpr) itemExpr;
String propertyExprName = propertyExpr.getName();
if (SqlConstantUtils.SQL_STAR.equalsIgnoreCase(propertyExprName)) {
ret.append("select语句不允许使用*查询所有字段,请重置语句!");
}
}
} else if (itemExpr instanceof SQLAllColumnExpr) {
if (checkStarFlag) {
SQLAllColumnExpr allColumnExpr = (SQLAllColumnExpr) itemExpr;
String propertyExprName = allColumnExpr.toString();
if (SqlConstantUtils.SQL_STAR.equalsIgnoreCase(propertyExprName)) {
ret.append("select语句不允许使用*查询所有字段,请重置语句!");
}
}
}
}
return ret.toString();
}
private static String parseSelectBlock4Where(StringBuilder ret, SQLSelectQueryBlock queryBlock) {
SQLExpr where = queryBlock.getWhere();
if (Objects.isNull(where)) {
return ret.append("SELECT语句没有WHERE条件!").toString();
......@@ -74,8 +113,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
parseSelectBlock(ret, subQueryBlock);
if (ret != null) {
parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(ret)) {
return ret.toString();
}
}
......@@ -84,8 +123,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -104,8 +143,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -114,8 +153,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -151,8 +190,10 @@ public final class SqlParserCheckUtils {
SQLSelect sqlSelect = insertStatement.getQuery();
if (Objects.nonNull(sqlSelect)) {
SQLSelectQueryBlock queryBlock = sqlSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, queryBlock);
if (subSelectRet != null) {return subSelectRet;}
String subSelectRet = parseSelectBlock4Where(ret, queryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
} else {
ret.append("不是INSERT语句!");
......@@ -191,8 +232,10 @@ public final class SqlParserCheckUtils {
SQLSelect subSqlSelect = sqlQueryExpr.getSubQuery();
if (Objects.nonNull(subSqlSelect)) {
SQLSelectQueryBlock queryBlock = subSqlSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, queryBlock);
if (subSelectRet != null) {return subSelectRet;}
String subSelectRet = parseSelectBlock4Where(ret, queryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
}
}
......@@ -210,16 +253,20 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {return subSelectRet;}
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
SQLExpr left = sqlBinaryOpExpr.getLeft();
if (left instanceof SQLQueryExpr) {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {return subSelectRet;}
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
if (Objects.equals(right, left)) {
return ret.append("UPDATE语句WHERE条件含有1 = 1!").toString();
......@@ -235,8 +282,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -245,8 +292,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -295,8 +342,8 @@ public final class SqlParserCheckUtils {
SQLSelect sqlWhereSubSelect = sqlWhereSubQueryExpr.getSubQuery();
if (Objects.nonNull(sqlWhereSubSelect)) {
SQLSelectQueryBlock queryBlock = sqlWhereSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, queryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, queryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -316,8 +363,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......@@ -326,8 +373,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {
String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
}
......
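Review bot: `parseSubSelect` only walks `queryBlock.getSelectList()` and recurses into scalar subqueries found there, while subqueries reached through `parseSelectBlock4Where` (WHERE-clause operands, and the INSERT/UPDATE/DELETE paths further down) never receive `checkStarFlag`, so a `SELECT *` nested in a WHERE subquery — and, as far as the visible hunks show, in a FROM-clause derived table — is not rejected by the parser path even when the flag is set; if that is meant to be covered, thread `checkStarFlag` into `parseSelectBlock4Where` or visit `queryBlock.getFrom()` as well. The `parserCheckSelect` Javadoc at the top of the section still documents only `sql`; add `@param checkStarFlag whether a bare or qualified star in the select list is rejected`, and the new `parseSubSelect` Javadoc has no `@param ret` and says 运行 where 允许 is presumably meant. The recursive call `parseSubSelect(ret, checkStarFlag, subQueryBlock);` discards its result, which only works because every finding is also appended to the shared `ret`; returning it, or stating that contract in the Javadoc, would keep it consistent with the early-return style used everywhere else in the class. The literal `"select语句不允许使用*查询所有字段,请重置语句!"` now appears twice in this class and once in the service; a single constant next to `STMTLISTSIZE` would stop the copies diverging. Most hunks in this section cut through their enclosing methods.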