Commit a7d6df93 authored by Spencer Chang's avatar Spencer Chang

[fix] 当需要限制不允许通过*查询所有列数据时,不应校验用于计算的*符号

parent 687de5d1
...@@ -106,16 +106,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute ...@@ -106,16 +106,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute
if (StringUtils.isNotEmpty(msg.toString())) { if (StringUtils.isNotEmpty(msg.toString())) {
throw new IllegalArgumentException(msg.toString()); throw new IllegalArgumentException(msg.toString());
} }
String checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql); String checkMsg = null;
msg.append(checkMsg);
// 非内部限制 // 非内部限制
if (!StringUtils.startsWith(ip, ipWhiteCheck)) { if (!StringUtils.startsWith(ip, ipWhiteCheck)) {
if (SqlCheckUtils.checkSqlIgnoreCase(formatSql, SqlConstantUtils.SQL_STAR)) { checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, true);
msg.append("select语句不允许使用*查询所有字段,请重置语句!"); } else {
} checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, false);
} }
msg.append(checkMsg);
if (StringUtils.isNotEmpty(msg.toString())) { if (StringUtils.isNotEmpty(msg.toString())) {
SysDpExecuteHistory sysDpExecuteHistory = new SysDpExecuteHistory(); SysDpExecuteHistory sysDpExecuteHistory = new SysDpExecuteHistory();
sysDpExecuteHistory.setDehIp(ip); sysDpExecuteHistory.setDehIp(ip);
...@@ -204,15 +202,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute ...@@ -204,15 +202,14 @@ public class SysDpExecuteHistoryServiceImpl extends BaseServiceImpl<SysDpExecute
if (StringUtils.isNotEmpty(msg.toString())) { if (StringUtils.isNotEmpty(msg.toString())) {
throw new IllegalArgumentException(msg.toString()); throw new IllegalArgumentException(msg.toString());
} }
String checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql); String checkMsg = null;
msg.append(checkMsg);
// 非内部限制 // 非内部限制
if (!StringUtils.startsWith(ip, ipWhiteCheck)) { if (!StringUtils.startsWith(ip, ipWhiteCheck)) {
if (SqlCheckUtils.checkSqlIgnoreCase(formatSql, SqlConstantUtils.SQL_STAR)) { checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, true);
msg.append("select语句不允许使用*查询所有字段,请重置语句!"); } else {
} checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, false);
} }
msg.append(checkMsg);
if (StringUtils.isNotEmpty(msg.toString())) { if (StringUtils.isNotEmpty(msg.toString())) {
sysDpExecuteHistory.setDehExecuteTime(new Date()); sysDpExecuteHistory.setDehExecuteTime(new Date());
sysDpExecuteHistory.setDehError(msg.toString()); sysDpExecuteHistory.setDehError(msg.toString());
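Review bot: The `if`/`else` that assigns `checkMsg` under the `// 非内部限制` comment differs only in the boolean literal, so it collapses to one line, `String checkMsg = SqlParserCheckUtils.parserCheckSelect(formatSql, !StringUtils.startsWith(ip, ipWhiteCheck));`, which also removes the `null` initialisation. The identical block appears in the second hunk of this file (the one ending at `sysDpExecuteHistory.setDehError`), so a private helper taking `formatSql` and `ip` would keep the two call sites from drifting. The whitelist decision is a plain string prefix match on `ip`; if `ipWhiteCheck` is a dotted prefix without a trailing dot it would also match longer octets (e.g. `10.1` matching `10.10.x`), which pre-dates this commit but is worth confirming since it decides whether the `*` restriction is enforced at all. The enclosing methods start and end outside both hunks.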
......
...@@ -3,12 +3,15 @@ package com.hand.hls.dp.util; ...@@ -3,12 +3,15 @@ package com.hand.hls.dp.util;
import com.alibaba.druid.sql.ast.SQLExpr; import com.alibaba.druid.sql.ast.SQLExpr;
import com.alibaba.druid.sql.ast.SQLObject; import com.alibaba.druid.sql.ast.SQLObject;
import com.alibaba.druid.sql.ast.SQLStatement; import com.alibaba.druid.sql.ast.SQLStatement;
import com.alibaba.druid.sql.ast.expr.SQLAllColumnExpr;
import com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr; import com.alibaba.druid.sql.ast.expr.SQLBinaryOpExpr;
import com.alibaba.druid.sql.ast.expr.SQLBinaryOperator; import com.alibaba.druid.sql.ast.expr.SQLBinaryOperator;
import com.alibaba.druid.sql.ast.expr.SQLPropertyExpr;
import com.alibaba.druid.sql.ast.expr.SQLQueryExpr; import com.alibaba.druid.sql.ast.expr.SQLQueryExpr;
import com.alibaba.druid.sql.ast.statement.*; import com.alibaba.druid.sql.ast.statement.*;
import com.alibaba.druid.sql.dialect.oracle.parser.OracleStatementParser; import com.alibaba.druid.sql.dialect.oracle.parser.OracleStatementParser;
import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import java.util.List; import java.util.List;
import java.util.Objects; import java.util.Objects;
...@@ -20,13 +23,14 @@ import java.util.Objects; ...@@ -20,13 +23,14 @@ import java.util.Objects;
*/ */
public final class SqlParserCheckUtils { public final class SqlParserCheckUtils {
private static final int STMTLISTSIZE = 2; private static final int STMTLISTSIZE = 2;
/** /**
* 校验查询语句 * 校验查询语句
* *
* @param sql 待校验语句 * @param sql 待校验语句
* @return 返回信息 * @return 返回信息
*/ */
public static String parserCheckSelect(String sql) { public static String parserCheckSelect(String sql, boolean checkStarFlag) {
StringBuilder ret = new StringBuilder(); StringBuilder ret = new StringBuilder();
OracleStatementParser parser = new OracleStatementParser(sql); OracleStatementParser parser = new OracleStatementParser(sql);
List<SQLStatement> stmtList = parser.parseStatementList(); List<SQLStatement> stmtList = parser.parseStatementList();
...@@ -39,19 +43,14 @@ public final class SqlParserCheckUtils { ...@@ -39,19 +43,14 @@ public final class SqlParserCheckUtils {
SQLSelectStatement selectStatement = (SQLSelectStatement) stmt; SQLSelectStatement selectStatement = (SQLSelectStatement) stmt;
SQLSelect sqlSelect = selectStatement.getSelect(); SQLSelect sqlSelect = selectStatement.getSelect();
SQLSelectQueryBlock queryBlock = sqlSelect.getQueryBlock(); SQLSelectQueryBlock queryBlock = sqlSelect.getQueryBlock();
String selectRet = parseSelectBlock(ret, queryBlock); String selectRet = parseSelectBlock4Where(ret, queryBlock);
if (selectRet != null) {return selectRet;} if (StringUtils.isNotEmpty(selectRet)) {
return selectRet;
}
// 校验查询字段里的SUB SELECT // 校验查询字段里的SUB SELECT
List<SQLSelectItem> sqlSelectItemList = queryBlock.getSelectList(); String subSelectRet = parseSubSelect(ret, checkStarFlag, queryBlock);
for (SQLSelectItem selectItem : sqlSelectItemList) { if (StringUtils.isNotEmpty(subSelectRet)) {
SQLExpr itemExpr = selectItem.getExpr(); return subSelectRet;
if (itemExpr instanceof SQLQueryExpr) {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) itemExpr;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock);
if (subSelectRet != null) {return subSelectRet;}
}
} }
} else { } else {
ret.append("不是SELECT语句!"); ret.append("不是SELECT语句!");
...@@ -60,7 +59,47 @@ public final class SqlParserCheckUtils { ...@@ -60,7 +59,47 @@ public final class SqlParserCheckUtils {
return ret.toString(); return ret.toString();
} }
private static String parseSelectBlock(StringBuilder ret, SQLSelectQueryBlock queryBlock) { /**
* @param checkStarFlag 是否运行*查全部字段标识
* @param queryBlock 查询block
* @return 返回
*/
private static String parseSubSelect(StringBuilder ret, boolean checkStarFlag, SQLSelectQueryBlock queryBlock) {
List<SQLSelectItem> sqlSelectItemList = queryBlock.getSelectList();
for (SQLSelectItem selectItem : sqlSelectItemList) {
SQLExpr itemExpr = selectItem.getExpr();
if (itemExpr instanceof SQLQueryExpr) {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) itemExpr;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelect4WhereRet = parseSelectBlock4Where(ret, subQueryBlock);
if (StringUtils.isNotEmpty(subSelect4WhereRet)) {
return subSelect4WhereRet;
}
// 解析再下一层子查询
parseSubSelect(ret, checkStarFlag, subQueryBlock);
} else if (itemExpr instanceof SQLPropertyExpr) {
if (checkStarFlag) {
SQLPropertyExpr propertyExpr = (SQLPropertyExpr) itemExpr;
String propertyExprName = propertyExpr.getName();
if (SqlConstantUtils.SQL_STAR.equalsIgnoreCase(propertyExprName)) {
ret.append("select语句不允许使用*查询所有字段,请重置语句!");
}
}
} else if (itemExpr instanceof SQLAllColumnExpr) {
if (checkStarFlag) {
SQLAllColumnExpr allColumnExpr = (SQLAllColumnExpr) itemExpr;
String propertyExprName = allColumnExpr.toString();
if (SqlConstantUtils.SQL_STAR.equalsIgnoreCase(propertyExprName)) {
ret.append("select语句不允许使用*查询所有字段,请重置语句!");
}
}
}
}
return ret.toString();
}
private static String parseSelectBlock4Where(StringBuilder ret, SQLSelectQueryBlock queryBlock) {
SQLExpr where = queryBlock.getWhere(); SQLExpr where = queryBlock.getWhere();
if (Objects.isNull(where)) { if (Objects.isNull(where)) {
return ret.append("SELECT语句没有WHERE条件!").toString(); return ret.append("SELECT语句没有WHERE条件!").toString();
...@@ -74,8 +113,8 @@ public final class SqlParserCheckUtils { ...@@ -74,8 +113,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
parseSelectBlock(ret, subQueryBlock); parseSelectBlock4Where(ret, subQueryBlock);
if (ret != null) { if (StringUtils.isNotEmpty(ret)) {
return ret.toString(); return ret.toString();
} }
} }
...@@ -84,8 +123,8 @@ public final class SqlParserCheckUtils { ...@@ -84,8 +123,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -104,8 +143,8 @@ public final class SqlParserCheckUtils { ...@@ -104,8 +143,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -114,8 +153,8 @@ public final class SqlParserCheckUtils { ...@@ -114,8 +153,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -151,8 +190,10 @@ public final class SqlParserCheckUtils { ...@@ -151,8 +190,10 @@ public final class SqlParserCheckUtils {
SQLSelect sqlSelect = insertStatement.getQuery(); SQLSelect sqlSelect = insertStatement.getQuery();
if (Objects.nonNull(sqlSelect)) { if (Objects.nonNull(sqlSelect)) {
SQLSelectQueryBlock queryBlock = sqlSelect.getQueryBlock(); SQLSelectQueryBlock queryBlock = sqlSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, queryBlock); String subSelectRet = parseSelectBlock4Where(ret, queryBlock);
if (subSelectRet != null) {return subSelectRet;} if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
} }
} else { } else {
ret.append("不是INSERT语句!"); ret.append("不是INSERT语句!");
...@@ -191,8 +232,10 @@ public final class SqlParserCheckUtils { ...@@ -191,8 +232,10 @@ public final class SqlParserCheckUtils {
SQLSelect subSqlSelect = sqlQueryExpr.getSubQuery(); SQLSelect subSqlSelect = sqlQueryExpr.getSubQuery();
if (Objects.nonNull(subSqlSelect)) { if (Objects.nonNull(subSqlSelect)) {
SQLSelectQueryBlock queryBlock = subSqlSelect.getQueryBlock(); SQLSelectQueryBlock queryBlock = subSqlSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, queryBlock); String subSelectRet = parseSelectBlock4Where(ret, queryBlock);
if (subSelectRet != null) {return subSelectRet;} if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
} }
} }
} }
...@@ -210,16 +253,20 @@ public final class SqlParserCheckUtils { ...@@ -210,16 +253,20 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) {return subSelectRet;} if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
} }
SQLExpr left = sqlBinaryOpExpr.getLeft(); SQLExpr left = sqlBinaryOpExpr.getLeft();
if (left instanceof SQLQueryExpr) { if (left instanceof SQLQueryExpr) {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) {return subSelectRet;} if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet;
}
} }
if (Objects.equals(right, left)) { if (Objects.equals(right, left)) {
return ret.append("UPDATE语句WHERE条件含有1 = 1!").toString(); return ret.append("UPDATE语句WHERE条件含有1 = 1!").toString();
...@@ -235,8 +282,8 @@ public final class SqlParserCheckUtils { ...@@ -235,8 +282,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -245,8 +292,8 @@ public final class SqlParserCheckUtils { ...@@ -245,8 +292,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -295,8 +342,8 @@ public final class SqlParserCheckUtils { ...@@ -295,8 +342,8 @@ public final class SqlParserCheckUtils {
SQLSelect sqlWhereSubSelect = sqlWhereSubQueryExpr.getSubQuery(); SQLSelect sqlWhereSubSelect = sqlWhereSubQueryExpr.getSubQuery();
if (Objects.nonNull(sqlWhereSubSelect)) { if (Objects.nonNull(sqlWhereSubSelect)) {
SQLSelectQueryBlock queryBlock = sqlWhereSubSelect.getQueryBlock(); SQLSelectQueryBlock queryBlock = sqlWhereSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, queryBlock); String subSelectRet = parseSelectBlock4Where(ret, queryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -316,8 +363,8 @@ public final class SqlParserCheckUtils { ...@@ -316,8 +363,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) right;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
...@@ -326,8 +373,8 @@ public final class SqlParserCheckUtils { ...@@ -326,8 +373,8 @@ public final class SqlParserCheckUtils {
SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left; SQLQueryExpr itemQueryExpr = (SQLQueryExpr) left;
SQLSelect itemSubSelect = itemQueryExpr.getSubQuery(); SQLSelect itemSubSelect = itemQueryExpr.getSubQuery();
SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock(); SQLSelectQueryBlock subQueryBlock = itemSubSelect.getQueryBlock();
String subSelectRet = parseSelectBlock(ret, subQueryBlock); String subSelectRet = parseSelectBlock4Where(ret, subQueryBlock);
if (subSelectRet != null) { if (StringUtils.isNotEmpty(subSelectRet)) {
return subSelectRet; return subSelectRet;
} }
} }
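Review bot: In `parseSubSelect`, the `SQLPropertyExpr` and `SQLAllColumnExpr` branches append the same message, and the `allColumnExpr.toString()` comparison against `SqlConstantUtils.SQL_STAR` is redundant because that node type already denotes `*`; merging them into one predicate and returning after the first hit also stops the message being appended once per `*` item (e.g. `a.*, b.*`), as sketched below. The recursive `parseSubSelect(ret, checkStarFlag, subQueryBlock);` discards its result and relies on the shared `ret`, unlike the where-check just above it which returns early — a short comment such as `// findings accumulate in ret; the caller reads them via ret.toString()` would make that deliberate. The Javadoc `@param checkStarFlag 是否运行*查全部字段标识` reads as "whether to allow" while `true` actually enables the `*` rejection, and `@param ret` is undocumented; the earlier hunk that adds the `checkStarFlag` parameter to `parserCheckSelect` has the same missing `@param`. If the sub-select is a set operation (UNION), Druid's `SQLSelect.getQueryBlock()` may return null, in which case `parseSelectBlock4Where` dereferences it at `queryBlock.getWhere()`; that is inferred from the library rather than visible here and pre-dates this commit, but the new recursion adds another path to it.
```java
private static String parseSubSelect(StringBuilder ret, boolean checkStarFlag, SQLSelectQueryBlock queryBlock) {
    // … unchanged: select-list loop and SQLQueryExpr recursion …
            } else if (checkStarFlag && isStarItem(itemExpr)) {
                // one finding is enough; avoid repeating the message per `*` item
                ret.append("select语句不允许使用*查询所有字段,请重置语句!");
                return ret.toString();
            }
    // … unchanged: loop end and return …
}

/** True for a bare {@code *} or a qualified {@code alias.*} select item; arithmetic {@code *} is a SQLBinaryOpExpr and is not matched. */
private static boolean isStarItem(SQLExpr itemExpr) {
    if (itemExpr instanceof SQLAllColumnExpr) {
        return true;
    }
    return itemExpr instanceof SQLPropertyExpr
            && SqlConstantUtils.SQL_STAR.equalsIgnoreCase(((SQLPropertyExpr) itemExpr).getName());
}
```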
......