mirror of https://gitee.com/maxjhandsome/pig
🔒 修复安全问题 fix #IYBLJ Page作为入参的sql注入问题
This commit is contained in:
@ -0,0 +1,111 @@
* Copyright (c) 2018-2025, lengleng All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* Neither the name of the pig4cloud.com developer nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
* Author: lengleng (wangiegie@gmail.com)
package com.pig4cloud.pig.common.core.mybatis;
import cn.hutool.core.util.ArrayUtil;
import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
import com.pig4cloud.pig.common.core.exception.CheckedException;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.MethodParameter;
import org.springframework.web.bind.support.WebDataBinderFactory;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.ModelAndViewContainer;
import javax.servlet.http.HttpServletRequest;
* @author lengleng
* @date 2019-06-24
* <p>
* 解决Mybatis Plus Order By SQL注入问题
public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver {
private final static String[] KEYWORDS = {"master", "truncate", "insert", "select"
, "delete", "update", "declare", "alter", "drop", "sleep"};
* 判断Controller是否包含page 参数
* @param parameter 参数
* @return 是否过滤
public boolean supportsParameter(MethodParameter parameter) {
return parameter.getParameterType().equals(Page.class);
* @param parameter 入参集合
* @param mavContainer model 和 view
* @param webRequest web相关
* @param binderFactory 入参解析
* @return 检查后新的page对象
* <p>
* page 只支持查询 GET .如需解析POST获取请求报文体处理
public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer
, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
HttpServletRequest request = webRequest.getNativeRequest(HttpServletRequest.class);
String[] ascs = request.getParameterValues("ascs");
String[] descs = request.getParameterValues("descs");
String current = request.getParameter("current");
String size = request.getParameter("size");
Page page = new Page();
if (StrUtil.isNotBlank(current)) {
if (StrUtil.isNotBlank(size)) {
return page;
* SQL注入过滤
* @param str 待验证的字符串
public static String[] sqlInject(String[] str) {
if (ArrayUtil.isEmpty(str)) {
return null;
String inStr = ArrayUtil.join(str, StrUtil.COMMA).toLowerCase();
for (String keyword : KEYWORDS) {
if (inStr.contains(keyword)) {
log.error("查询包含非法字符 {}", keyword);
throw new CheckedException(keyword + "包含非法字符");
return str;
@ -0,0 +1,38 @@
* Copyright (c) 2018-2025, lengleng All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* Neither the name of the pig4cloud.com developer nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
* Author: lengleng (wangiegie@gmail.com)
package com.pig4cloud.pig.common.core.mybatis;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import java.util.List;
* @author lengleng
* @date 2019-06-24
* <p>
* 注入自自定义SQL 过滤
public class WebMvcConfig implements WebMvcConfigurer {
public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
argumentResolvers.add(new SqlFilterArgumentResolver());
Reference in New Issue