Spencer Chang
dp
Commits
a7d6df93
Commit
a7d6df93
authored
Aug 26, 2020
by
Spencer Chang
[fix] 当需要限制不允许通过*查询所有列数据时,不应校验用于计算的*符号
parent
687de5d1
Showing
2 changed files
with
97 additions
and
53 deletions
+97
-53
SysDpExecuteHistoryServiceImpl.java
...-code/dp/service/impl/SysDpExecuteHistoryServiceImpl.java
+10
-13
SqlParserCheckUtils.java
v2-多线程版本/java-code/dp/util/SqlParserCheckUtils.java
+87
-40
v2-多线程版本/java-code/dp/service/impl/SysDpExecuteHistoryServiceImpl.java
...
...
@@ -106,16 +106,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute
if
(
StringUtils
.
isNotEmpty
(
msg
.
toString
()))
{
throw
new
IllegalArgumentException
(
msg
.
toString
());
}
String
checkMsg
=
SqlParserCheckUtils
.
parserCheckSelect
(
formatSql
);
msg
.
append
(
checkMsg
);
String
checkMsg
=
null
;
// 非内部限制
if
(!
StringUtils
.
startsWith
(
ip
,
ipWhiteCheck
))
{
if
(
SqlCheckUtils
.
checkSqlIgnoreCase
(
formatSql
,
SqlConstantUtils
.
SQL_STAR
))
{
msg
.
append
(
"select语句不允许使用*查询所有字段,请重置语句!"
);
}
checkMsg
=
SqlParserCheckUtils
.
parserCheckSelect
(
formatSql
,
true
);
}
else
{
checkMsg
=
SqlParserCheckUtils
.
parserCheckSelect
(
formatSql
,
false
);
}
msg
.
append
(
checkMsg
);
if
(
StringUtils
.
isNotEmpty
(
msg
.
toString
()))
{
SysDpExecuteHistory
sysDpExecuteHistory
=
new
SysDpExecuteHistory
();
sysDpExecuteHistory
.
setDehIp
(
ip
);
...
...
@@ -204,15 +202,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute
if
(
StringUtils
.
isNotEmpty
(
msg
.
toString
()))
{
throw
new
IllegalArgumentException
(
msg
.
toString
());
}
String
checkMsg
=
SqlParserCheckUtils
.
parserCheckSelect
(
formatSql
);
msg
.
append
(
checkMsg
);
String
checkMsg
=
null
;
// 非内部限制
if
(!
StringUtils
.
startsWith
(
ip
,
ipWhiteCheck
))
{
if
(
SqlCheckUtils
.
checkSqlIgnoreCase
(
formatSql
,
SqlConstantUtils
.
SQL_STAR
))
{
msg
.
append
(
"select语句不允许使用*查询所有字段,请重置语句!"
);
}
checkMsg
=
SqlParserCheckUtils
.
parserCheckSelect
(
formatSql
,
true
);
}
else
{
checkMsg
=
SqlParserCheckUtils
.
parserCheckSelect
(
formatSql
,
false
);
}
msg
.
append
(
checkMsg
);
if
(
StringUtils
.
isNotEmpty
(
msg
.
toString
()))
{
sysDpExecuteHistory
.
setDehExecuteTime
(
new
Date
());
sysDpExecuteHistory
.
setDehError
(
msg
.
toString
());
...
...
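Review bot: The new branch at the top of the first hunk (`@@ -106,16 +106,14 @@`) and its copy in the second hunk (`@@ -204,15 +202,14 @@`) both reduce to "checkStarFlag is the negation of the whitelist test", so `String checkMsg = null;` plus the if/else can collapse to `boolean restrictStar = !StringUtils.startsWith(ip, ipWhiteCheck);` / `String checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, restrictStar);` / `msg.append(checkMsg);`, ideally in one private helper shared by both call sites so the two copies cannot drift. The decision that selects the stricter parse is a plain string prefix test of `ip` against `ipWhiteCheck` (a context line here, so presumably pre-existing); a prefix match is neither an exact address nor a CIDR comparison, and now that this test alone chooses whether `*` is rejected it is worth confirming that prefix semantics are intended. The enclosing methods start and end outside both hunks.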
v2-多线程版本/java-code/dp/util/SqlParserCheckUtils.java
...
...
@@ -3,12 +3,15 @@ package com.hand.hls.dp.util;
import
com.alibaba.druid.sql.ast.SQLExpr
;
import
com.alibaba.druid.sql.ast.SQLObject
;
import
com.alibaba.druid.sql.ast.SQLStatement
;
import
com.alibaba.druid.sql.ast.expr.SQLAllColumnExpr
;
import
com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr
;
import
com.alibaba.druid.sql.ast.expr.SQLBinaryOperator
;
import
com.alibaba.druid.sql.ast.expr.SQLPropertyExpr
;
import
com.alibaba.druid.sql.ast.expr.SQLQueryExpr
;
import
com.alibaba.druid.sql.ast.statement.*
;
import
com.alibaba.druid.sql.dialect.oracle.parser.OracleStatementParser
;
import
org.apache.commons.collections.CollectionUtils
;
import
org.apache.commons.lang3.StringUtils
;
import
java.util.List
;
import
java.util.Objects
;
...
...
@@ -20,13 +23,14 @@ import java.util.Objects;
*/
public
final
class
SqlParserCheckUtils
{
private
static
final
int
STMTLISTSIZE
=
2
;
/**
* 校验查询语句
*
* @param sql 待校验语句
* @return 返回信息
*/
public
static
String
parserCheckSelect
(
String
sql
)
{
public
static
String
parserCheckSelect
(
String
sql
,
boolean
checkStarFlag
)
{
StringBuilder
ret
=
new
StringBuilder
();
OracleStatementParser
parser
=
new
OracleStatementParser
(
sql
);
List
<
SQLStatement
>
stmtList
=
parser
.
parseStatementList
();
...
...
@@ -39,19 +43,14 @@ public final class SqlParserCheckUtils {
SQLSelectStatement
selectStatement
=
(
SQLSelectStatement
)
stmt
;
SQLSelect
sqlSelect
=
selectStatement
.
getSelect
();
SQLSelectQueryBlock
queryBlock
=
sqlSelect
.
getQueryBlock
();
String
selectRet
=
parseSelectBlock
(
ret
,
queryBlock
);
if
(
selectRet
!=
null
)
{
return
selectRet
;}
String
selectRet
=
parseSelectBlock4Where
(
ret
,
queryBlock
);
if
(
StringUtils
.
isNotEmpty
(
selectRet
))
{
return
selectRet
;
}
// 校验查询字段里的SUB SELECT
List
<
SQLSelectItem
>
sqlSelectItemList
=
queryBlock
.
getSelectList
();
for
(
SQLSelectItem
selectItem
:
sqlSelectItemList
)
{
SQLExpr
itemExpr
=
selectItem
.
getExpr
();
if
(
itemExpr
instanceof
SQLQueryExpr
)
{
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
itemExpr
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
return
subSelectRet
;}
}
String
subSelectRet
=
parseSubSelect
(
ret
,
checkStarFlag
,
queryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
))
{
return
subSelectRet
;
}
}
else
{
ret
.
append
(
"不是SELECT语句!"
);
...
...
@@ -60,7 +59,47 @@ public final class SqlParserCheckUtils {
return
ret
.
toString
();
}
private
static
String
parseSelectBlock
(
StringBuilder
ret
,
SQLSelectQueryBlock
queryBlock
)
{
/**
* @param checkStarFlag 是否运行*查全部字段标识
* @param queryBlock 查询block
* @return 返回
*/
private
static
String
parseSubSelect
(
StringBuilder
ret
,
boolean
checkStarFlag
,
SQLSelectQueryBlock
queryBlock
)
{
List
<
SQLSelectItem
>
sqlSelectItemList
=
queryBlock
.
getSelectList
();
for
(
SQLSelectItem
selectItem
:
sqlSelectItemList
)
{
SQLExpr
itemExpr
=
selectItem
.
getExpr
();
if
(
itemExpr
instanceof
SQLQueryExpr
)
{
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
itemExpr
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelect4WhereRet
=
parseSelectBlock4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelect4WhereRet
))
{
return
subSelect4WhereRet
;
}
// 解析再下一层子查询
parseSubSelect
(
ret
,
checkStarFlag
,
subQueryBlock
);
}
else
if
(
itemExpr
instanceof
SQLPropertyExpr
)
{
if
(
checkStarFlag
)
{
SQLPropertyExpr
propertyExpr
=
(
SQLPropertyExpr
)
itemExpr
;
String
propertyExprName
=
propertyExpr
.
getName
();
if
(
SqlConstantUtils
.
SQL_STAR
.
equalsIgnoreCase
(
propertyExprName
))
{
ret
.
append
(
"select语句不允许使用*查询所有字段,请重置语句!"
);
}
}
}
else
if
(
itemExpr
instanceof
SQLAllColumnExpr
)
{
if
(
checkStarFlag
)
{
SQLAllColumnExpr
allColumnExpr
=
(
SQLAllColumnExpr
)
itemExpr
;
String
propertyExprName
=
allColumnExpr
.
toString
();
if
(
SqlConstantUtils
.
SQL_STAR
.
equalsIgnoreCase
(
propertyExprName
))
{
ret
.
append
(
"select语句不允许使用*查询所有字段,请重置语句!"
);
}
}
}
}
return
ret
.
toString
();
}
private
static
String
parseSelectBlock4Where
(
StringBuilder
ret
,
SQLSelectQueryBlock
queryBlock
)
{
SQLExpr
where
=
queryBlock
.
getWhere
();
if
(
Objects
.
isNull
(
where
))
{
return
ret
.
append
(
"SELECT语句没有WHERE条件!"
).
toString
();
...
...
@@ -74,8 +113,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
right
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
ret
!=
null
)
{
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
ret
)
)
{
return
ret
.
toString
();
}
}
...
...
@@ -84,8 +123,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
left
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -104,8 +143,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
right
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -114,8 +153,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
left
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -151,8 +190,10 @@ public final class SqlParserCheckUtils {
SQLSelect
sqlSelect
=
insertStatement
.
getQuery
();
if
(
Objects
.
nonNull
(
sqlSelect
))
{
SQLSelectQueryBlock
queryBlock
=
sqlSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
queryBlock
);
if
(
subSelectRet
!=
null
)
{
return
subSelectRet
;}
String
subSelectRet
=
parseSelectBlock4Where
(
ret
,
queryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
))
{
return
subSelectRet
;
}
}
}
else
{
ret
.
append
(
"不是INSERT语句!"
);
...
...
@@ -191,8 +232,10 @@ public final class SqlParserCheckUtils {
SQLSelect
subSqlSelect
=
sqlQueryExpr
.
getSubQuery
();
if
(
Objects
.
nonNull
(
subSqlSelect
))
{
SQLSelectQueryBlock
queryBlock
=
subSqlSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
queryBlock
);
if
(
subSelectRet
!=
null
)
{
return
subSelectRet
;}
String
subSelectRet
=
parseSelectBlock4Where
(
ret
,
queryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
))
{
return
subSelectRet
;
}
}
}
}
...
...
@@ -210,16 +253,20 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
right
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
return
subSelectRet
;}
String
subSelectRet
=
parseSelectBlock4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
))
{
return
subSelectRet
;
}
}
SQLExpr
left
=
sqlBinaryOpExpr
.
getLeft
();
if
(
left
instanceof
SQLQueryExpr
)
{
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
left
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
return
subSelectRet
;}
String
subSelectRet
=
parseSelectBlock4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
))
{
return
subSelectRet
;
}
}
if
(
Objects
.
equals
(
right
,
left
))
{
return
ret
.
append
(
"UPDATE语句WHERE条件含有1 = 1!"
).
toString
();
...
...
@@ -235,8 +282,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
right
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -245,8 +292,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
left
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -295,8 +342,8 @@ public final class SqlParserCheckUtils {
SQLSelect
sqlWhereSubSelect
=
sqlWhereSubQueryExpr
.
getSubQuery
();
if
(
Objects
.
nonNull
(
sqlWhereSubSelect
))
{
SQLSelectQueryBlock
queryBlock
=
sqlWhereSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
queryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
queryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -316,8 +363,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
right
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
@@ -326,8 +373,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr
itemQueryExpr
=
(
SQLQueryExpr
)
left
;
SQLSelect
itemSubSelect
=
itemQueryExpr
.
getSubQuery
();
SQLSelectQueryBlock
subQueryBlock
=
itemSubSelect
.
getQueryBlock
();
String
subSelectRet
=
parseSelectBlock
(
ret
,
subQueryBlock
);
if
(
subSelectRet
!=
null
)
{
String
subSelectRet
=
parseSelectBlock
4Where
(
ret
,
subQueryBlock
);
if
(
StringUtils
.
isNotEmpty
(
subSelectRet
)
)
{
return
subSelectRet
;
}
}
...
...
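Review bot: In `parseSubSelect` (hunk `@@ -60,7 +59,47 @@`) the `checkStarFlag` test is applied only to the select items of the given block and, recursively, to scalar subqueries found in that select list; nothing in the visible hunks passes the flag into `parseSelectBlock4Where`, so a SELECT reached through the WHERE clause, a derived table in FROM or a UNION branch is not covered by the no-`*` rule as far as this diff shows, and if the policy is meant to hold for every SELECT in the statement the flag should be threaded through `parseSelectBlock4Where` (or the walk done with an AST visitor) and a test with `*` inside a nested SELECT added. The recursive call `parseSubSelect(ret, checkStarFlag, subQueryBlock);` discards its return value while the preceding lines return early on `subSelect4WhereRet`; because both only append to `ret` this is harmless, but it is inconsistent and should either be checked the same way or the early return dropped. The Javadoc `@param checkStarFlag 是否运行*查全部字段标识` (presumably `允许`, "allow") reads inverted relative to the call sites, which pass `true` to forbid `*`, and `@param ret` is missing; I would write `@param ret accumulator for validation messages, returned via ret.toString()`, `@param checkStarFlag when true, reject select items that are a bare * or alias.*` and `@return the accumulated messages, empty when nothing was flagged`.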