fix: 增加防sql注入逻辑 (#18564)

This commit is contained in:
王嘉豪
2026-06-11 11:52:44 +08:00
committed by GitHub
parent f6f704813b
commit 4463e21cb7


@@ -155,11 +155,11 @@ public class Quota2SQLObj {
} else if (StringUtils.equalsIgnoreCase(f.getTerm(), "not_empty")) {
whereValue = "''";
} else if (StringUtils.containsIgnoreCase(f.getTerm(), "in")) {
whereValue = "('" + StringUtils.join(f.getValue(), "','") + "')";
whereValue = "('" + StringUtils.join(sanitizeSqlLiteral(f.getValue()), "','") + "')";
} else if (StringUtils.containsIgnoreCase(f.getTerm(), "like")) {
whereValue = "'%" + f.getValue() + "%'";
whereValue = "'%" + sanitizeSqlLiteral(f.getValue()) + "%'";
} else {
whereValue = String.format(SQLConstants.WHERE_VALUE_VALUE, f.getValue());
whereValue = String.format(SQLConstants.WHERE_VALUE_VALUE, sanitizeSqlLiteral(f.getValue()));
}
list.add(SQLObj.builder()
.whereField(fieldAlias)
@@ -173,4 +173,10 @@ public class Quota2SQLObj {
return !CollectionUtils.isEmpty(list) ? "(" + String.join(" " + Utils.getLogic(y.getLogic()) + " ", strList) + ")" : null;
}
private static String sanitizeSqlLiteral(String value) {
String normalized = StringUtils.defaultString(value);
Utils.validateSqlInjectionRisk(normalized);
return Utils.transValue(normalized);
}
}
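Review bot: The `like` branch (the `"'%" + sanitizeSqlLiteral(f.getValue()) + "%'"` line) still embeds the user value in a LIKE pattern with its own `%` and `_` wildcards intact, so a caller can widen the filter to match arbitrary rows even after `sanitizeSqlLiteral` has rejected or escaped quote characters; since the intent is a literal substring match, the wildcards should be escaped too, e.g. `String like = sanitizeSqlLiteral(f.getValue()).replace("%", "\\%").replace("_", "\\_");`, with the escape character matching the dialect this SQLObj is rendered for (not visible here, and some dialects need an explicit ESCAPE clause). The default branch depends on `SQLConstants.WHERE_VALUE_VALUE` quoting the value; if that format leaves it unquoted (as a numeric comparison would), quote-escaping in `Utils.transValue` does nothing and the protection rests entirely on `Utils.validateSqlInjectionRisk`, so that constant is worth confirming, and where the executing layer supports it bound parameters remain preferable to string-built literals. `sanitizeSqlLiteral` itself would benefit from a Javadoc stating its contract, e.g. `/** Rejects values flagged by validateSqlInjectionRisk, then escapes the (null-safe) value for embedding in a single-quoted SQL literal; not a substitute for parameterized queries. */`. The enclosing method of the first hunk starts before the hunk, so where `f.getValue()` originates, and whether the `in` branch receives a single string or a collection given the `StringUtils.join` call, cannot be confirmed from this view.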