严重安全漏洞修复

1.SQL注入检测存在绕过风险 2./upload接口存在任意文件上传漏洞

严重安全漏洞修复
1.SQL注入检测存在绕过风险 2./upload接口存在任意文件上传漏洞
b66fff6c · zhangdaiscott · 2be616ee · b66fff6c · b66fff6c · b66fff6c
Commit b66fff6c authored Feb 26, 2022 by zhangdaiscott
3 changed files
--- a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -3,7 +3,9 @@ package org.jeecg.common.util;
 import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.exception.JeecgBootException;
 import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
 /**
 * sql注入处理工具类
@@ -51,6 +53,9 @@ public class SqlInjectionUtil {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
 		String[] xssArr = xssStr.split("\\|");
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1) {
@@ -59,6 +64,9 @@ public class SqlInjectionUtil {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}
@@ -76,6 +84,9 @@ public class SqlInjectionUtil {
 			}
 			// 统一转为小写
 			value = value.toLowerCase();
+			//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+			value = value.replaceAll("/\\*.*\\*/","");
 			for (int i = 0; i < xssArr.length; i++) {
 				if (value.indexOf(xssArr[i]) > -1) {
 					log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
@@ -83,6 +94,9 @@ public class SqlInjectionUtil {
 					throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 				}
 			}
+			if(Pattern.matches("show\\s+tables", value)){
+				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+			}
 		}
 		return;
 	}
@@ -101,6 +115,9 @@ public class SqlInjectionUtil {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
@@ -108,6 +125,9 @@ public class SqlInjectionUtil {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}
@@ -126,6 +146,9 @@ public class SqlInjectionUtil {
 		}
 		// 统一转为小写
 		value = value.toLowerCase();
+		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		value = value.replaceAll("/\\*.*\\*/","");
 		for (int i = 0; i < xssArr.length; i++) {
 			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
 				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
@@ -133,6 +156,10 @@ public class SqlInjectionUtil {
 				throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
 			}
 		}
+		if(Pattern.matches("show\\s+tables", value)){
+			throw new RuntimeException("请注意，值可能存在SQL注入风险!--->" + value);
+		}
 		return;
 	}

--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
@@ -5,6 +5,7 @@ import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.RestUtil;
@@ -73,6 +74,12 @@ public class CommonController {
        Result<?> result = new Result<>();
        String savePath = "";
        String bizPath = request.getParameter("biz");
+        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+        if(bizPath.contains("../") || bizPath.contains("..\\")){
+            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        }
        MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
        MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
        if(oConvertUtils.isEmpty(bizPath)){

--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
@@ -2,6 +2,7 @@ package org.jeecg.modules.system.controller;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.MinioUtil;
 import org.jeecg.common.util.oConvertUtils;
@@ -34,6 +35,12 @@ public class SysUploadController {
    public Result<?> uploadMinio(HttpServletRequest request) {
        Result<?> result = new Result<>();
        String bizPath = request.getParameter("biz");
+        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
+        if(bizPath.contains("../") || bizPath.contains("..\\")){
+            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        }
        if(oConvertUtils.isEmpty(bizPath)){
            bizPath = "";
        }