test-version22
/
MeterSphere
mirror of https://gitee.com/fit2cloud-feizhiyun/MeterSphere.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix: 修复 order by sql注入的问题 

Closes #8651
This commit is contained in:
CaptainB 2021-12-21 10:47:41 +08:00 committed by shiziyuan9527
parent 7152640161
commit 20ea661962
1 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
backend/src/main/java/io/metersphere/controller/request/OrderRequest.java
View File

@ -1,13 +1,48 @@
package io.metersphere.controller.request; package io.metersphere.controller.request;
import lombok.Getter;
import lombok.Setter; import lombok.Setter;
import org.apache.commons.lang3.StringUtils;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@Getter
@Setter @Setter
public class OrderRequest { public class OrderRequest {
private String name; private String name;
private String type; private String type;
// 表前缀 // 表前缀
private String prefix; private String prefix;
public String getName() {
if (checkSqlInjection(name)) {
return "1";
}
return name;
}
public String getType() {
if (StringUtils.equalsIgnoreCase(type, "asc")) {
return "ASC";
} else {
return "DESC";
}
}
public String getPrefix() {
if (checkSqlInjection(prefix)) {
return "";
}
return prefix;
}
public static boolean checkSqlInjection(String script) {
if (StringUtils.isEmpty(script)) {
return false;
}
Pattern pattern = Pattern.compile("^\\w+$");
Matcher matcher = pattern.matcher(script.toLowerCase());
return !matcher.find();
}
} }