SpringBoot 安全漏洞之SQL注入解决方案

墨蓝 2023-10-10 13:26 112阅读 0赞

## 1. SQL盲注、SQL注入 ##

**风险**：可能会查看、修改或删除数据库条目和表。  
  **原因**：未对用户输入正确执行危险字符清理。  
  **固定值**：查看危险字符注入的可能解决方案。

## 2、添加SQL注入包装类 ##

import java.util.regex.Matcher;
    import java.util.regex.Pattern;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    
    /**
     * SQL注入包装类
     * 
     * @author zzg
     *
     */
    
    public class SqlInjectHttpServletRequestWrapper extends HttpServletRequestWrapper {
        public static final Logger log = LoggerFactory.getLogger(SqlInjectHttpServletRequestWrapper .class);
    	/**
    	 * 构造请求对象
    	 * 
    	 * @param request
    	 */
    	public SqlInjectHttpServletRequestWrapper(HttpServletRequest request) {
    		super(request);
    	}
    
    	/**
    	 * 获取头部参数
    	 * 
    	 * @param v 参数值
    	 */
    	@Override
    	public String getHeader(String v) {
    		String header = super.getHeader(v);
    		if (header == null || "".equals(header)) {
    			return header;
    		}
    		return sqlFilter(header);
    	}
    
    	/**
    	 * 获取参数
    	 * 
    	 * @param v 参数值
    	 */
    	@Override
    	public String getParameter(String v) {
    		String param = super.getParameter(v);
    		if (param == null || "".equals(param)) {
    			return param;
    		}
    		return sqlFilter(param);
    	}
    
    	/**
    	 * 获取参数值
    	 * 
    	 * @param v 参数值
    	 */
    	@Override
    	public String[] getParameterValues(String v) {
    		String[] values = super.getParameterValues(v);
    		if (values == null) {
    			return values;
    		}
    
    		int length = values.length;
    		String[] resultValues = new String[length];
    		for (int i = 0; i < length; i++) {
    			// 过滤特殊字符
    			resultValues[i] = sqlFilter(values[i]);
    			if (!(resultValues[i]).equals(values[i])) {
    				log.debug("SQL注入过滤器 => 过滤前：{} => 过滤后：{}", values[i], resultValues[i]);
    			}
    		}
    		return resultValues;
    	}
    
    	/**
    	 * 预编译SQL过滤正则表达式
    	 */
    	private Pattern sqlPattern = Pattern.compile(
    			"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b)",
    			Pattern.CASE_INSENSITIVE);
    
    	/**
    	 * SQL过滤
    	 * 
    	 * @param v 参数值
    	 * @return
    	 */
    	private String sqlFilter(String v) {
    		if (v != null) {
    			String resultVal = v;
    			Matcher matcher = sqlPattern.matcher(resultVal);
    			if (matcher.find()) {
    				resultVal = matcher.replaceAll("");
    			}
    			if (!resultVal.equals(v)) {
    				return "";
    			}
    			return resultVal;
    		}
    		return null;
    	}
    }

## 3、配置文件添加配置 ##

# sql 注入过滤url地址
    security.sql.excludes=/images/*, /jquery/*, /layui/*

## 4、添加SQL注入过滤器 ##

import java.io.IOException;
    import java.util.List;
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.stereotype.Component;
    import org.springframework.beans.factory.annotation.Value;
    
    /**
     * SQL注入过滤器
     * 
     * @author zzg
     *
     */
    @Component
    @WebFilter(filterName = "SqlInjectFilter", urlPatterns = "/*")
    public class SqlInjectFilter implements Filter {
    
    	/**
    	 * 过滤器配置对象
    	 */
    	FilterConfig filterConfig = null;
    
    	/**
    	 * 是否启用(默认启用)
    	 */
    	private boolean enable = true;
    
    
    	/**
    	 * 忽略的URL
    	 */
        @Value("${security.sql.excludes}")
    	private String excludes;
    
    
    	/**
    	 * 初始化
    	 */
    	@Override
    	public void init(FilterConfig filterConfig) throws ServletException {
    		this.filterConfig = filterConfig;
    	}
    
    	/**
    	 * 拦截
    	 */
    	@Override
    	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
    			throws IOException, ServletException {
    		HttpServletRequest request = (HttpServletRequest) servletRequest;
    
    		// 不启用或者已忽略的URL不拦截
    		if (!enable || isExcludeUrl(request.getServletPath())) {
    			filterChain.doFilter(servletRequest, servletResponse);
    			return;
    		}
    		SqlInjectHttpServletRequestWrapper sqlInjectHttpServletRequestWrapper = new SqlInjectHttpServletRequestWrapper(
    				request);
    		filterChain.doFilter(sqlInjectHttpServletRequestWrapper, servletResponse);
    	}
    
    	/**
    	 * 销毁
    	 */
    	@Override
    	public void destroy() {
    		this.filterConfig = null;
    	}
    
    	/**
    	 * 判断是否为忽略的URL
    	 * 
    	 * @param urlPath URL路径
    	 * @return true-忽略，false-过滤
    	 */
    	private boolean isExcludeUrl(String url) {
    		if (excludes == null || excludes.isEmpty()) {
    			return false;
    		}
            List<String> urls = Arrays.asList(excludes.split(","));
    		return urls .stream().map(pattern -> Pattern.compile("^" + pattern)).map(p -> p.matcher(url))
    				.anyMatch(Matcher::find);
    	}
    }

涉及知识点：[Spring Boot 读取配置文件的五种方式][Spring Boot]

[Spring Boot]: https://blog.csdn.net/zhouzhiwengang/article/details/103532796