严重安全漏洞修复

1.SQL注入检测存在绕过风险 2./upload接口存在任意文件上传漏洞
chenzhongxing · Feb 26, 2022 · b66fff6 · b66fff6
1 parent 2be616e
commit b66fff6
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/...-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/...-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -3,7 +3,9 @@
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
+
 import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
 
 /**
  * sql注入处理工具类
@@ -51,6 +53,9 @@ public static void filterContent(String value) {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
+
 		String[] xssArr = xssStr.split("\\|");
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1) {
@@ -59,6 +64,9 @@ public static void filterContent(String value) {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}
 
@@ -76,13 +84,19 @@ public static void filterContent(String[] values) {
 			}
 			// 统一转为小写
 			value = value.toLowerCase();
+			//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+			value = value.replaceAll("/\\*.*\\*/","");
+
 			for (int i = 0; i < xssArr.length; i++) {
 				if (value.indexOf(xssArr[i]) > -1) {
 					log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
 					log.error("请注意，值可能存在SQL注入风险!---> {}", value);
 					throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 				}
 			}
+			if(Pattern.matches("show\\s+tables", value)){
+				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+			}
 		}
 		return;
 	}
@@ -101,13 +115,19 @@ public static void specialFilterContent(String value) {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
+
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
 				log.error("请注意，值可能存在SQL注入风险!---> {}", value);
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}
 
@@ -126,13 +146,20 @@ public static void specialFilterContentForOnlineReport(String value) {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
+
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
 				log.error("请注意，值可能存在SQL注入风险!---> {}", value);
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}
 

diff --git a/...oot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java b/...oot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
@@ -5,6 +5,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.RestUtil;
@@ -73,6 +74,12 @@ public Result<?> upload(HttpServletRequest request, HttpServletResponse response
         Result<?> result = new Result<>();
         String savePath = "";
         String bizPath = request.getParameter("biz");
+
+        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+        if(bizPath.contains("../") || bizPath.contains("..\\")){
+            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        }
+
         MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
         MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
         if(oConvertUtils.isEmpty(bizPath)){

diff --git a/...-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java b/...-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
@@ -2,6 +2,7 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.MinioUtil;
 import org.jeecg.common.util.oConvertUtils;
@@ -34,6 +35,12 @@ public class SysUploadController {
     public Result<?> uploadMinio(HttpServletRequest request) {
         Result<?> result = new Result<>();
         String bizPath = request.getParameter("biz");
+
+        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+        if(bizPath.contains("../") || bizPath.contains("..\\")){
+            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        }
+
         if(oConvertUtils.isEmpty(bizPath)){
             bizPath = "";
         }