diff --git a/win-framework/win-common/src/main/java/com/win/framework/common/exception/enums/GlobalErrorCodeConstants.java b/win-framework/win-common/src/main/java/com/win/framework/common/exception/enums/GlobalErrorCodeConstants.java
index 8f7c5a6..2ad3310 100644
--- a/win-framework/win-common/src/main/java/com/win/framework/common/exception/enums/GlobalErrorCodeConstants.java
+++ b/win-framework/win-common/src/main/java/com/win/framework/common/exception/enums/GlobalErrorCodeConstants.java
@@ -35,6 +35,7 @@ public interface GlobalErrorCodeConstants {
 ErrorCode REPEATED_REQUESTS = new ErrorCode(900, "重复请求,请稍后重试"); // 重复请求
 ErrorCode DEMO_DENY = new ErrorCode(901, "演示模式,禁止写操作");
+ ErrorCode SQL_INJECTION = new ErrorCode(901, "参数存在非法字符,请确认:{}");
 ErrorCode UNKNOWN = new ErrorCode(999, "未知错误");
diff --git a/win-framework/win-common/src/main/java/com/win/framework/common/util/sql/ValidSql.java b/win-framework/win-common/src/main/java/com/win/framework/common/util/sql/ValidSql.java
new file mode 100644
index 0000000..a88ec14
--- /dev/null
+++ b/win-framework/win-common/src/main/java/com/win/framework/common/util/sql/ValidSql.java
@@ -0,0 +1,27 @@
+package com.win.framework.common.util.sql;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static com.win.framework.common.exception.enums.GlobalErrorCodeConstants.SQL_INJECTION;
+import static com.win.framework.common.exception.util.ServiceExceptionUtil.exception;
+public class ValidSql {
+
+ static String reg = "\\b(and|exec|insert|select|drop|grant|alter|delete|update|count|mid|truncate|char|or)\\b|([*;+'%])";
+ static Pattern sqlPattern = Pattern.compile(reg, Pattern.CASE_INSENSITIVE);//表示忽略大小写
+
+ /**
+ * 参数校验
+ *
+ * @param str ep: "or 1=1"
+ */
+ public static boolean isSqlValid(String str) {
+ Matcher matcher = sqlPattern.matcher(str);
+ if (matcher.find()) {
+ throw exception(SQL_INJECTION, matcher.group());
+ }
+ return true;
+ }
+
+}
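Review bot: `SQL_INJECTION` is assigned code 901, the same value the line above gives `DEMO_DENY`, so any client, log filter or test that keys on the numeric code cannot tell a demo-mode write refusal from a rejected query parameter. Give it its own value — the next unused code in this 9xx range; the rest of the interface is outside the hunk, so check there first — e.g. `ErrorCode SQL_INJECTION = new ErrorCode(<unused 9xx code>, "参数存在非法字符,请确认:{}");`. Note that the `{}` placeholder is filled in ValidSql with the fragment of caller-supplied input that matched, so the offending text is echoed back in the error message; that is fine for an API response as long as the front end renders it as text.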
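Review bot: `isSqlValid` is a denylist — it rejects only the keywords and five characters it enumerates — and its caller in this diff (QueryWrapperUtils) puts the string into a column position, where anything the list does not name still reaches the statement text, so this cannot serve as the boundary for a client-supplied field name. For a column that has already been normalised to lower_underscore the robust check is an allowlist on shape, `private static final Pattern COLUMN = Pattern.compile("^[a-z_][a-z0-9_]*$");` and `if (str == null || !COLUMN.matcher(str).matches()) { throw exception(SQL_INJECTION, str); }`, which also removes the false positives the current regex produces for legitimate names such as `count` or `mid` and the NullPointerException that `sqlPattern.matcher(null)` throws today. Smaller points: `reg` and `sqlPattern` are package-visible and mutable, so make them `private static final`; and the method is declared `boolean` but can only return `true` or throw, so either return `false` on a match or make it `void` with a name that reads as an assertion (`checkColumn`) and document that it throws a ServiceException via `@throws`.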
diff --git a/win-framework/win-spring-boot-starter-mybatis/src/main/java/com/win/framework/mybatis/core/util/QueryWrapperUtils.java b/win-framework/win-spring-boot-starter-mybatis/src/main/java/com/win/framework/mybatis/core/util/QueryWrapperUtils.java
index 4eed2ec..d62ed35 100644
--- a/win-framework/win-spring-boot-starter-mybatis/src/main/java/com/win/framework/mybatis/core/util/QueryWrapperUtils.java
+++ b/win-framework/win-spring-boot-starter-mybatis/src/main/java/com/win/framework/mybatis/core/util/QueryWrapperUtils.java
@@ -4,6 +4,7 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.google.common.base.CaseFormat;
 import com.win.framework.common.pojo.CustomConditions;
 import com.win.framework.common.util.collection.CollectionUtils;
+import com.win.framework.common.util.sql.ValidSql;
 import java.time.Instant;
 import java.time.LocalDateTime;
@@ -32,6 +33,8 @@ public class QueryWrapperUtils {
 continue;
 }
 column = CaseFormat.LOWER_CAMEL.to(CaseFormat.LOWER_UNDERSCORE, column);
+ //校验sql是否包含关键字
+ ValidSql.isSqlValid(column);
 switch (condition.getAction()) {
 case "==" :
 queryWrapper.eq(column, condition.getValue());
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/DeptMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/DeptMapper.java
index d0f9ce7..7f3a801 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/DeptMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/DeptMapper.java
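Review bot: The `column` validated on the new line is still handed to `queryWrapper.eq(column, ...)` as a raw string, which MyBatis-Plus splices into the statement text rather than binding as a parameter, so `ValidSql.isSqlValid` is the only thing between a client-supplied field name and the SQL, and a keyword denylist is a weak boundary for that job. Because the preceding line has just normalised the name to lower_underscore, a shape check (`[a-z_][a-z0-9_]*`) is enough to make the value inert, and if the entity class is reachable from this helper a membership test against the entity's mapped columns (MyBatis-Plus `TableInfoHelper.getTableInfo(...)`) is stronger still. The boolean result of `isSqlValid` is discarded on the new line, which is consistent with the method never returning false but reads like a forgotten check; a `void` checker, or `if (!ValidSql.isSqlValid(column)) { continue; }`, would make the intent explicit. The enclosing method starts and ends outside the hunk.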
@@ -9,6 +9,7 @@ import com.win.module.system.controller.dept.vo.dept.DeptListReqVO;
 import com.win.module.system.controller.dept.vo.dept.DeptPageReqVO;
 import com.win.module.system.dal.dataobject.dept.DeptDO;
 import com.win.module.system.dal.dataobject.permission.RoleDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import org.apache.ibatis.annotations.Param;
@@ -17,6 +18,7 @@ import java.util.List;
 import java.util.Map;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface DeptMapper extends BaseMapperX {
 default List selectList(DeptListReqVO reqVO) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/PostMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/PostMapper.java
index fbecc81..17db8a9 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/PostMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/PostMapper.java
@@ -6,12 +6,14 @@ import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.dept.vo.post.PostExportReqVO;
 import com.win.module.system.controller.dept.vo.post.PostPageReqVO;
 import com.win.module.system.dal.dataobject.dept.PostDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.Collection;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface PostMapper extends BaseMapperX {
 default List selectList(Collection ids, Collection statuses) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/UserPostMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/UserPostMapper.java
index bf64f77..58d40c1 100644
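Review bot: `@CacheNamespace(flushInterval = 60000, size = 4096)` turns on the MyBatis second-level cache for this mapper's namespace, and a write through one namespace does not invalidate another's entries; the same annotation is added to UserPostMapper, MenuMapper, RoleMapper, RoleMenuMapper, UserRoleMapper, TenantMapper, TenantPackageMapper and AdminUserMapper later in this diff, so a role whose menus are edited through RoleMenuMapper, or a user whose roles are removed through UserRoleMapper, can keep yielding the old rows from the other mappers until the 60 s interval expires, and because the cache is in-process that window applies independently on every application node. Authorization lookups should not sit behind a time-based cache without explicit invalidation: either leave the annotation off the permission and user mappers, or make the related mappers share one cache with `@CacheNamespaceRef` so that writes in any of them flush all of them, and put the reason on each annotation, e.g. `// second-level cache: read-mostly reference data, rows may be up to 60 s stale`. Two things to verify rather than assume: the cache is read/write by default and serializes cached rows, so every DO these mappers return (`DeptDO`, `PostDO`, …) must be `Serializable` or the first cached query fails at runtime; and the tenant and data-permission plugins must rewrite the SQL before the cache key is computed, otherwise entries would be shared across tenants — a test that runs the same query as two tenants within 60 s would settle it.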
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/UserPostMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/dept/UserPostMapper.java
@@ -4,12 +4,14 @@ import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.dal.dataobject.dept.UserPostDO;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.Collection;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface UserPostMapper extends BaseMapperX {
 default List selectListByUserId(Long userId) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/MenuMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/MenuMapper.java
index 76874b5..bf5e1ad 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/MenuMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/MenuMapper.java
@@ -4,11 +4,13 @@ import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.permission.vo.menu.MenuListReqVO;
 import com.win.module.system.dal.dataobject.permission.MenuDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface MenuMapper extends BaseMapperX {
 default MenuDO selectByParentIdAndName(Long parentId, String name) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMapper.java
index 4e55e50..907888e 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMapper.java
@@ -9,6 +9,7 @@ import com.win.framework.mybatis.core.util.QueryWrapperUtils;
 import com.win.module.system.controller.permission.vo.role.RoleExportReqVO;
 import com.win.module.system.controller.permission.vo.role.RolePageReqVO;
 import com.win.module.system.dal.dataobject.permission.RoleDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import org.springframework.lang.Nullable;
@@ -16,6 +17,7 @@ import java.util.Collection;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface RoleMapper extends BaseMapperX {
 default PageResult selectPage(RolePageReqVO reqVO) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMenuMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMenuMapper.java
index b665d89..e98f71f 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMenuMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/RoleMenuMapper.java
@@ -3,12 +3,14 @@ package com.win.module.system.dal.mysql.permission;
 import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.module.system.dal.dataobject.permission.RoleMenuDO;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.Collection;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface RoleMenuMapper extends BaseMapperX {
 default List selectListByRoleId(Long roleId) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/UserRoleMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/UserRoleMapper.java
index 3be1519..d1e9eaf 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/UserRoleMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/permission/UserRoleMapper.java
@@ -3,12 +3,14 @@ package com.win.module.system.dal.mysql.permission;
 import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.module.system.dal.dataobject.permission.UserRoleDO;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.Collection;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface UserRoleMapper extends BaseMapperX {
 default List selectListByUserId(Long userId) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantMapper.java
index 47ccfb3..a20ea6c 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantMapper.java
@@ -6,6 +6,7 @@ import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.tenant.vo.tenant.TenantExportReqVO;
 import com.win.module.system.controller.tenant.vo.tenant.TenantPageReqVO;
 import com.win.module.system.dal.dataobject.tenant.TenantDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.List;
@@ -16,6 +17,7 @@ import java.util.List;
 * @author 闻荫源码 */
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface TenantMapper extends BaseMapperX {
 default PageResult selectPage(TenantPageReqVO reqVO) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantPackageMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantPackageMapper.java
index 9a77627..3cbe417 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantPackageMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/tenant/TenantPackageMapper.java
@@ -5,6 +5,7 @@ import com.win.framework.mybatis.core.mapper.BaseMapperX;
 import com.win.framework.mybatis.core.query.LambdaQueryWrapperX;
 import com.win.module.system.controller.tenant.vo.packages.TenantPackagePageReqVO;
 import com.win.module.system.dal.dataobject.tenant.TenantPackageDO;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.List;
@@ -15,6 +16,7 @@ import java.util.List;
 * @author 闻荫源码 */
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface TenantPackageMapper extends BaseMapperX {
 default PageResult selectPage(TenantPackagePageReqVO reqVO) {
diff --git a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/user/AdminUserMapper.java b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/user/AdminUserMapper.java
index 832f091..3247c3e 100644
--- a/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/user/AdminUserMapper.java
+++ b/win-module-system/win-module-system-biz/src/main/java/com/win/module/system/dal/mysql/user/AdminUserMapper.java
@@ -7,12 +7,14 @@ import com.win.module.system.controller.user.vo.user.UserExportReqVO;
 import com.win.module.system.controller.user.vo.user.UserPageReqVO;
 import com.win.module.system.dal.dataobject.user.AdminUserDO;
 import com.win.module.system.dal.dataobject.user.AdminUserDOExpand;
+import org.apache.ibatis.annotations.CacheNamespace;
 import org.apache.ibatis.annotations.Mapper;
 import java.util.Collection;
 import java.util.List;
 @Mapper
+@CacheNamespace(flushInterval = 60000, size = 4096)
 public interface AdminUserMapper extends BaseMapperX {
 default AdminUserDO selectByUsername(String username) {