Merge remote-tracking branch 'origin/dev' into dev

2020-09-01 13:48:21 +08:00 · 2020-09-01 13:48:21 +08:00 · 5f4f91b4f0
parent d7b94414e8 3249136d45
commit 5f4f91b4f0
2 changed files with 21 additions and 23 deletions
--- a/pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/SqlFilterArgumentResolver.java
+++ b/pig-common/pig-common-core/src/main/java/com/pig4cloud/pig/common/core/mybatis/SqlFilterArgumentResolver.java
@ -29,11 +29,7 @@ import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.method.support.ModelAndViewContainer;

 import javax.servlet.http.HttpServletRequest;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Optional;
-import java.util.function.Predicate;
+import java.util.*;
 import java.util.stream.Collectors;

 /**
@ -45,9 +41,6 @@ import java.util.stream.Collectors;
@Slf4j
 public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver {

-	private final static String[] KEYWORDS = { "master", "truncate", "insert", "select", "delete", "update", "declare",
-			"alter", "drop", "sleep" };
-
 	/**
 	 * 判断Controller是否包含page 参数
 	 * @param parameter 参数
@ -78,7 +71,7 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver
 		String current = request.getParameter("current");
 		String size = request.getParameter("size");

-		Page page = new Page();
+		Page<?> page = new Page<>();
 		if (StrUtil.isNotBlank(current)) {
 			page.setCurrent(Long.parseLong(current));
 		}
@ -89,27 +82,32 @@ public class SqlFilterArgumentResolver implements HandlerMethodArgumentResolver

 		List<OrderItem> orderItemList = new ArrayList<>();
 		Optional.ofNullable(ascs).ifPresent(s -> orderItemList.addAll(
-				Arrays.stream(s).filter(sqlInjectPredicate()).map(OrderItem::asc).collect(Collectors.toList())));
+				Arrays.stream(s).filter(Objects::isNull).map(this::clear).map(OrderItem::asc).collect(Collectors.toList())));
 		Optional.ofNullable(descs).ifPresent(s -> orderItemList.addAll(
-				Arrays.stream(s).filter(sqlInjectPredicate()).map(OrderItem::desc).collect(Collectors.toList())));
+				Arrays.stream(s).filter(Objects::isNull).map(this::clear).map(OrderItem::desc).collect(Collectors.toList())));
 		page.addOrder(orderItemList);

 		return page;
 	}

 	/**
-	 * 判断用户输入里面有没有关键字
-	 * @return Predicate
+	 * 参数清理
+	 *
+	 * @param param 参数
+	 * @return String
 	 */
-	private Predicate<String> sqlInjectPredicate() {
-		return sql -> {
-			for (String keyword : KEYWORDS) {
-				if (StrUtil.containsIgnoreCase(sql, keyword)) {
-					return false;
-				}
+	private String clear(String param) {
+		if (StrUtil.isBlank(param)) {
+			return StrUtil.trim(param);
+		}
+		StringBuilder builder = new StringBuilder();
+		for (int i = 0; i < param.length(); i++) {
+			char c = param.charAt(i);
+			if (Character.isJavaIdentifierPart(c)) {
+				builder.append(c);
 			}
-			return true;
-		};
+		}
+		return builder.toString();
 	}

 }
--- a/pom.xml
+++ b/pom.xml
@ -44,8 +44,8 @@
 		<git.commit.plugin>2.2.5</git.commit.plugin>
 		<spring.checkstyle.plugin>0.0.23</spring.checkstyle.plugin>
 		<spring-boot-admin.version>2.3.0</spring-boot-admin.version>
-		<hutool.version>5.3.10</hutool.version>
-		<mybatis-plus.version>3.3.2</mybatis-plus.version>
+		<hutool.version>5.4.0</hutool.version>
+		<mybatis-plus.version>3.4.0</mybatis-plus.version>
 		<dynamic-ds.version>3.2.0</dynamic-ds.version>
 		<captcha.version>2.0.0</captcha.version>
 		<velocity.version>1.7</velocity.version>