sql注入漏洞、xxe漏洞、任意文件上传漏洞修复

2021-07-12 11:19:51 +08:00 · 2021-07-12 11:19:51 +08:00 · 6052d45185
parent 5f154ecf89
commit 6052d45185
3 changed files with 76 additions and 50 deletions
--- a/src/main/java/com/zzjee/api/TokenController.java
+++ b/src/main/java/com/zzjee/api/TokenController.java
@ -318,6 +318,7 @@ public class TokenController {
 			if (!f.exists()) {
 				f.mkdirs();
 			}
+			fileAddr = f.getCanonicalPath();
 			OutputStream os = new FileOutputStream(fileAddr + File.separator + fileName);
 			int bytesRead = 0;
 			byte[] buffer = new byte[8192];
--- a/src/main/java/com/zzjee/sdk/XMLUtil.java
+++ b/src/main/java/com/zzjee/sdk/XMLUtil.java
@ -29,6 +29,10 @@ public class XMLUtil {

        InputStream in = new ByteArrayInputStream(strxml.getBytes("UTF-8"));
        SAXBuilder builder = new SAXBuilder();
+        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
+        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        builder.setExpandEntities(false);
        Document doc = builder.build(in);
        Element root = doc.getRootElement();
        List list = root.getChildren();
--- a/src/main/java/org/jeecgframework/web/cgform/service/migrate/MigrateForm.java
+++ b/src/main/java/org/jeecgframework/web/cgform/service/migrate/MigrateForm.java
@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletRequest;

 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
+import org.apache.log4j.spi.ErrorCode;
 import org.apache.tools.zip.ZipEntry;
 import org.apache.tools.zip.ZipFile;
 import org.apache.tools.zip.ZipOutputStream;
@ -42,10 +43,12 @@ import org.jeecgframework.web.cgform.pojo.config.CgFormHeadPojo;
 import org.jeecgframework.web.cgform.pojo.config.CgFormIndexPojo;
 import org.jeecgframework.web.cgform.util.PublicUtil;
 import org.springframework.beans.BeanUtils;
+import org.springframework.dao.DataAccessException;
 import org.springframework.jdbc.core.BeanPropertyRowMapper;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.jdbc.core.RowCallbackHandler;
 import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
 import org.springframework.jdbc.core.namedparam.SqlParameterSource;
 import org.springframework.jdbc.support.rowset.SqlRowSet;
 import org.springframework.jdbc.support.rowset.SqlRowSetMetaData;
@ -169,33 +172,41 @@ public class MigrateForm<T> {
 		Map subSqlMap = null;
 		String[] idList = ids.split(",");// 获得指定的ID数据
 		for (String id : idList) {
-			ls_sql = "select * from cgform_head where id='" + id + "'"; // 获得导出表单
-			listTables.add(bulidDbTableFromSQL(ls_sql, CgFormHeadPojo.class, jdbcTemplate));
+			/**
+			 * 判断字符串是否是整数
+			 */
+			try {
+				Integer.parseInt(id);
+			} catch (NumberFormatException e) {
+				return new ArrayList<DBTable>();
+			}

-			ls_tmpsql = "select * from cgform_index where table_id='" + id + "'"; // 获得导出索引的字段
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgFormIndexPojo.class, jdbcTemplate));
-
-
-
-			ls_tmpsql = "select * from cgform_field where table_id='" + id + "'"; // 获得导出表单的字段
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgFormFieldPojo.class, jdbcTemplate));
+			ls_sql = "select * from cgform_head where id=:id"; // 获得导出表单
+			listTables.add(bulidDbTableFromSQL(ls_sql,id, CgFormHeadPojo.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_index where table_id=:id"; // 获得导出索引的字段
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgFormIndexPojo.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_field where table_id=:id"; // 获得导出表单的字段
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgFormFieldPojo.class, jdbcTemplate));
 			// 获得自定义按钮数据
-			ls_tmpsql = "select * from cgform_button where form_id ='" + id + "'";
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgformButtonEntity.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_button where form_id =:id";
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgformButtonEntity.class, jdbcTemplate));
 			// 获得JS增强数据
-			ls_tmpsql = "select * from cgform_enhance_js where form_id ='" + id + "'";
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgformEnhanceJsEntity.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_enhance_js where form_id =:id";
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgformEnhanceJsEntity.class, jdbcTemplate));
 			// 获得SQL增强数据
-			ls_tmpsql = "select * from cgform_button_sql where form_id ='" + id + "'";
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgformButtonSqlEntity.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_button_sql where form_id =:id";
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgformButtonSqlEntity.class, jdbcTemplate));
 			// 获得模板数据
-			ls_tmpsql = "select * from cgform_ftl where cgform_id ='" + id + "'";
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgformFtlEntity.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_ftl where cgform_id =:id";
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgformFtlEntity.class, jdbcTemplate));
 			// 获得上传文件数据
-			ls_tmpsql = "select * from cgform_uploadfiles where cgform_id ='" + id + "'";
-			listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgUploadEntity.class, jdbcTemplate));
+			ls_tmpsql = "select * from cgform_uploadfiles where cgform_id =:id";
+			listTables.add(bulidDbTableFromSQL(ls_tmpsql,id, CgUploadEntity.class, jdbcTemplate));

-			rowsList = jdbcTemplate.queryForList(ls_sql);
+			NamedParameterJdbcTemplate namedParameterJdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
+			MapSqlParameterSource parameters = new MapSqlParameterSource();
+			parameters.addValue("id", id);
+			rowsList = namedParameterJdbcTemplate.queryForList(ls_sql,parameters);
 			if (rowsList != null && rowsList.size() > 0) {
 				sqlMap = (Map) rowsList.get(0);
 				subTable = (String) sqlMap.get("sub_table_str"); // 获得子表
@ -209,12 +220,9 @@ public class MigrateForm<T> {
 						if (subRowsList != null && subRowsList.size() > 0) {
 							subSqlMap = (Map) subRowsList.get(0);
 							ls_subid = (String) subSqlMap.get("id");
-
 							// 获得导出子表索引
 							ls_tmpsql = "select * from cgform_index where table_id='" + ls_subid + "'";
 							listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgFormIndexPojo.class, jdbcTemplate));
-
-
 							// 获得导出子表字段
 							ls_tmpsql = "select * from cgform_field where table_id='" + ls_subid + "'";
 							listTables.add(bulidDbTableFromSQL(ls_tmpsql, CgFormFieldPojo.class, jdbcTemplate));
@ -263,6 +271,19 @@ public class MigrateForm<T> {
 		dbTable.setTableData(dataList);
 		return dbTable;
 	}
+	public static <T> DBTable<T> bulidDbTableFromSQL(String sql,String id, Class<T> clazz, JdbcTemplate jdbcTemplate) throws InstantiationException, IllegalAccessException, Exception {
+		DBTable<T> dbTable = new DBTable<T>();
+		dbTable.setTableName(PublicUtil.getTableName(sql));
+		dbTable.setClass1(clazz);
+
+		NamedParameterJdbcTemplate namedParameterJdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
+		MapSqlParameterSource parameters = new MapSqlParameterSource();
+		parameters.addValue("id", id);
+		List<T> dataList = namedParameterJdbcTemplate.queryForList(sql, parameters, clazz);
+
+		dbTable.setTableData(dataList);
+		return dbTable;
+	}

 	/**
 	 * 获取列名和列值