From 64bed39ee98c8d9b03e3b9c983d42daaaec32860 Mon Sep 17 00:00:00 2001 From: "Crystal.Sea" Date: Mon, 14 Dec 2020 23:43:34 +0800 Subject: [PATCH] sqlInjection & style sqlInjection & style --- .../java/org/maxkey/util/StringUtils.java | 29 +++++++++++++++++++ .../persistence/service/GroupsService.java | 17 ++++++++++- .../persistence/service/RolesService.java | 17 ++++++++++- .../mapper/xml/mysql/GroupMemberMapper.xml | 6 ++-- .../src/main/resources/static/css/base.css | 8 +++-- .../views/accounts/appAccountsList.ftl | 3 +- .../templates/views/apps/appsList.ftl | 2 ++ .../config/passwordpolicy/passwordpolicy.ftl | 2 ++ .../views/groupapp/groupAppsList.ftl | 3 +- .../templates/views/groups/groupsList.ftl | 2 ++ .../views/groupuser/groupUsersList.ftl | 3 +- .../resources/templates/views/layout/top.ftl | 26 +++++++---------- .../views/logs/loginAppsHistoryList.ftl | 3 +- .../templates/views/logs/loginHistoryList.ftl | 3 +- .../templates/views/logs/logsList.ftl | 3 +- .../main/resources/templates/views/main.ftl | 18 ++++++------ .../templates/views/orgs/orgsList.ftl | 5 ++-- .../views/permissions/permissionsList.ftl | 2 ++ .../views/resources/resourcesList.ftl | 3 +- .../templates/views/roles/rolesList.ftl | 3 +- .../views/roleusers/roleUsersList.ftl | 4 ++- .../templates/views/userinfo/usersList.ftl | 3 +- 22 files changed, 121 insertions(+), 44 deletions(-) diff --git a/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java b/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java index 24fbbbc9a..2ccd17be5 100644 --- a/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java +++ b/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java 
@@ -518,4 +518,33 @@ public final class StringUtils { return flag; } + public static ArrayList sqlInjection = null; + + static{ + sqlInjection = new ArrayList(); + sqlInjection.add("--"); + sqlInjection.add(";"); + sqlInjection.add("/"); + sqlInjection.add("\\"); + sqlInjection.add("#"); + sqlInjection.add("drop"); + sqlInjection.add("create"); + sqlInjection.add("delete"); + sqlInjection.add("alter"); + sqlInjection.add("truncate"); + sqlInjection.add("update"); + sqlInjection.add("insert"); + sqlInjection.add("and"); + sqlInjection.add("or"); + } + + public static boolean filtersSQLInjection(String filters) { + for(String s : sqlInjection) { + if(filters.indexOf(s)>-1) { + return true; + } + } + return false; + } + } diff --git a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java index f35ef818f..c1d8cc8c0 100644 --- a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java +++ b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java @@ -22,13 +22,16 @@ import java.util.List; import org.apache.mybatis.jpa.persistence.JpaBaseService; import org.maxkey.domain.Groups; import org.maxkey.persistence.mapper.GroupsMapper; +import org.maxkey.util.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Service; @Service public class GroupsService extends JpaBaseService{ - + final static Logger _logger = LoggerFactory.getLogger(GroupsService.class); @Autowired @Qualifier("groupMemberService") GroupMemberService groupMemberService; 
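Review bot: `filtersSQLInjection` is a substring denylist, and that is not enough to protect the `${filters}` interpolation this same commit keeps in GroupMemberMapper.xml: a single quote, `select`, `union` and `sleep` are not in the list, while `indexOf("and")` / `indexOf("or")` rejects harmless values such as `order` or `author`. The method also dereferences `filters` without a null check, and both callers lower-case it before calling, so a group with no filter fails with a NullPointerException rather than a rejection. The rewrite below keeps the punctuation checks, adds the quote characters, matches keywords as whole words and handles null explicitly; it needs `java.util.regex.Pattern` imported, and the public raw-typed `sqlInjection` field should become private and unmodifiable (or go away). The real fix is to parse the filter into an allowlisted column/operator/value form and bind the values with `#{}` instead of string-splicing them.
```java
    // Keywords are matched as whole words so values such as "order" or "author"
    // are not rejected; punctuation is matched as a raw substring.
    private static final Pattern SQL_KEYWORDS = Pattern.compile(
            "\\b(?:drop|create|delete|alter|truncate|update|insert|select|union|and|or|sleep|benchmark)\\b",
            Pattern.CASE_INSENSITIVE);
    private static final String[] SQL_PUNCTUATION = {"--", ";", "/", "\\", "#", "'", "\""};

    public static boolean filtersSQLInjection(String filters) {
        if (filters == null || filters.isEmpty()) {
            return false;
        }
        for (String token : SQL_PUNCTUATION) {
            if (filters.contains(token)) {
                return true;
            }
        }
        return SQL_KEYWORDS.matcher(filters).find();
    }
```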
@@ -62,10 +65,22 @@ public class GroupsService extends JpaBaseService{ if(dynamicGroup.getOrgIdsList()!=null && !dynamicGroup.getOrgIdsList().equals("")) { dynamicGroup.setOrgIdsList("'"+dynamicGroup.getOrgIdsList().replace(",", "','")+"'"); } + String filters = dynamicGroup.getFilters(); + if(StringUtils.filtersSQLInjection(filters.toLowerCase())) { + _logger.info("filters include SQL Injection Attack Risk."); + return; + } + + filters = filters.replace("&", " AND "); + filters = filters.replace("|", " OR "); + + dynamicGroup.setFilters(filters); groupMemberService.deleteDynamicGroupMember(dynamicGroup); groupMemberService.addDynamicGroupMember(dynamicGroup); } } + + } diff --git a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java index 631a5caee..0d5db5807 100644 --- a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java +++ b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java @@ -23,13 +23,17 @@ import org.apache.mybatis.jpa.persistence.JpaBaseService; import org.maxkey.domain.RolePermissions; import org.maxkey.domain.Roles; import org.maxkey.persistence.mapper.RolesMapper; +import org.maxkey.util.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Service; @Service public class RolesService extends JpaBaseService{ - + final static Logger _logger = LoggerFactory.getLogger(RolesService.class); + @Autowired @Qualifier("roleMemberService") RoleMemberService roleMemberService; 
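Review bot: `filters.toLowerCase()` runs before any null check, so a dynamic group whose `filters` is unset throws a NullPointerException here, even though `orgIdsList` two lines above is guarded; add `if (filters == null || filters.trim().isEmpty()) { ... }` and pass through whatever the mapper treats as "no filter" (the `<if>` around `${filters}` is not visible in this patch, so confirm what it expects). When an injection pattern is detected the method logs at info level and returns, which silently leaves the group's dynamic membership untouched and gives the caller nothing to show the administrator; log at warn with the group identifier and return a result or throw so the save can be rejected. The `&` → ` AND ` / `|` → ` OR ` rewrite is duplicated verbatim in RolesService; a single helper in StringUtils would keep the two from drifting. The enclosing method starts before this hunk.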
@@ -74,6 +78,17 @@ public class RolesService extends JpaBaseService{ dynamicRole.setOrgIdsList("'"+dynamicRole.getOrgIdsList().replace(",", "','")+"'"); } + String filters = dynamicRole.getFilters(); + if(StringUtils.filtersSQLInjection(filters.toLowerCase())) { + _logger.info("filters include SQL Injection Attack Risk."); + return; + } + + filters = filters.replace("&", " AND "); + filters = filters.replace("|", " OR "); + + dynamicRole.setFilters(filters); + roleMemberService.deleteDynamicRoleMember(dynamicRole); roleMemberService.addDynamicRoleMember(dynamicRole); } diff --git a/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml b/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml index be2727ddd..5a2643152 100644 --- a/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml +++ b/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml @@ -227,7 +227,7 @@ AND GM.TYPE='USER-DYNAMIC' ) - ${filters} + AND (${filters}) AND U.DEPARTMENTID IN( ${orgIdsList}) @@ -244,10 +244,10 @@ WHERE 1 = 1 AND U.ID=GM.MEMBERID - ${filters} + AND (${filters}) - AND U.DEPARTMENTID IN( ${orgIdsList}) + AND U.DEPARTMENTID IN ( ${orgIdsList}) ) diff --git a/maxkey-web-manage/src/main/resources/static/css/base.css b/maxkey-web-manage/src/main/resources/static/css/base.css index 6d1a1f468..1e16b2d36 100644 --- a/maxkey-web-manage/src/main/resources/static/css/base.css +++ b/maxkey-web-manage/src/main/resources/static/css/base.css @@ -148,7 +148,7 @@ header .header-container .nav-left>li, .header .header-container .nav-right>li { } .page-container .main-content { - padding: calc(50px + 35px) 15px 15px; + padding: calc(35px + 35px) 15px 15px; min-height: calc(100vh - 65px); background: #e6e8ea; width: 100%; 
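Review bot: This block is a line-for-line copy of the GroupsService change, including the unguarded `filters.toLowerCase()` on a possibly-null `getFilters()` and the silent `return` at info level when an injection pattern is found. Extract it into one helper, for example `StringUtils.normalizeFilters(String)` returning null when the filter is rejected, so both services fail in the same way, and log the rejection at warn with the role identifier so it shows up in the audit trail rather than only in a debug log. The enclosing method starts before this hunk.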
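Review bot: Changing the interpolation to `AND (${filters})` fixes operator precedence, but `${}` still splices the administrator-supplied text into the statement verbatim, so the only barrier is the keyword denylist added in StringUtils in this same commit. A comment on the line would at least warn the next maintainer: `<!-- ${filters} is raw SQL from the dynamic-group definition; it is only denylist-checked in GroupsService, never parameterised -->`. The durable fix is to accept a structured filter (column, operator, value) and emit the value through `#{}`.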
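Review bot: `AND U.DEPARTMENTID IN ( ${orgIdsList})` still interpolates a string that the service builds by quoting a comma-separated value (`"'" + ids.replace(",", "','") + "'"`, visible in the GroupsService hunk), so an id containing a single quote breaks out of the literal and the `${filters}` denylist does not cover this path at all. Bind the ids instead: `AND U.DEPARTMENTID IN <foreach collection="orgIds" item="id" open="(" separator="," close=")">#{id}</foreach>`, with the service passing the list rather than the pre-quoted string. The same change applies to the hunk at line 227 above.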
@@ -178,13 +178,17 @@ header .header-container .nav-left>li, .header .header-container .nav-right>li { } .breadcrumb-wrapper { - margin-bottom: 20px; + margin-bottom: 10px; display: flex; -webkit-box-align: center; -ms-flex-align: center; align-items: center; } +.content-wrapper { + padding-top: 15px; +} + .breadcrumb-wrapper .breadcrumb li { display: inline-block; font-size: 14px; diff --git a/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl index 7e543102e..cb21de7fc 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl @@ -33,7 +33,7 @@
- +
@@ -113,6 +113,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl index 14c1e5e0f..bdabac6ba 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl @@ -111,6 +111,7 @@
+
@@ -209,6 +210,7 @@
+
<#include "../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl b/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl index 09efc8ab5..6015df841 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl @@ -57,6 +57,7 @@
+
@@ -241,6 +242,7 @@
+
<#include "../../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl index 6d56f052b..7d25ee8bc 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl @@ -58,6 +58,7 @@
+
@@ -140,7 +141,7 @@
<#include "../layout/footer.ftl"/>
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl index d7067b2bd..0cb5b96cd 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl @@ -37,6 +37,7 @@
+
@@ -113,6 +114,7 @@
+
<#include "../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl b/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl index c5eef7993..897967d68 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl @@ -57,6 +57,7 @@
+
@@ -151,7 +152,7 @@
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl b/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl index 1909bcd6d..501c2a4a5 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl @@ -11,28 +11,22 @@ <@locale code="global.application"/> diff --git a/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl b/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl index 685c5ffe3..d84ec8c3c 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl @@ -37,7 +37,7 @@
- +
@@ -121,6 +121,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl b/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl index 5e53807b5..574cb6c35 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl @@ -37,7 +37,7 @@
- +
@@ -130,6 +130,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl index dc580b3e0..53cd05f64 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl @@ -37,7 +37,7 @@
- +
@@ -124,6 +124,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/main.ftl b/maxkey-web-manage/src/main/resources/templates/views/main.ftl index 049059f72..e66af222b 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/main.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/main.ftl @@ -41,10 +41,10 @@
-
+
-
-
+
+
@@ -54,8 +54,8 @@
-
-
+
+
@@ -65,8 +65,8 @@
-
-
+
+
@@ -76,8 +76,8 @@
-
-
+
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl index ac4580908..f76cb8ea0 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl @@ -163,7 +163,7 @@ $(function () {
- +
@@ -249,10 +249,11 @@ $(function () {
+
<#include "../layout/footer.ftl"/>
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl index 0a960948e..bf52a1534 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl @@ -232,6 +232,7 @@ $('#datagrid').on('click-row.bs.table', function (row, element, field) {
+
@@ -314,6 +315,7 @@ $('#datagrid').on('click-row.bs.table', function (row, element, field) {
+
<#include "../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl b/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl index 869a97a7b..511845389 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl @@ -163,6 +163,7 @@ $(function () {
+
@@ -254,12 +255,12 @@ $(function () {
+
<#include "../layout/footer.ftl"/>
-
diff --git a/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl b/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl index 3355fa5b3..f1d46775b 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl @@ -36,6 +36,7 @@
+
@@ -112,10 +113,10 @@
+
<#include "../layout/footer.ftl"/>
-
diff --git a/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl b/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl index 1f21b5979..bc7227e09 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl @@ -57,6 +57,7 @@
+
@@ -146,10 +147,11 @@
+
<#include "../layout/footer.ftl"/>
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl b/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl index 0fdf514a3..8992d01e2 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl @@ -177,7 +177,7 @@ $(function () {
- +
@@ -292,6 +292,7 @@ $(function () {
+