fix: 修复sort和order参数的SQL注入漏洞

2025-09-14 05:02:43 +00:00 · 2025-07-17 19:03:58 +08:00
parent 54bd194b98
commit 3db8828384
36 changed files with 344 additions and 29 deletions
--- a/novel-common/pom.xml
+++ b/novel-common/pom.xml
@@ -22,6 +22,12 @@
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

+        <!-- Aop 相关 -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-aop</artifactId>
+        </dependency>
+
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
--- a/novel-common/src/main/java/com/java2nb/novel/core/annotation/ValidateSortOrder.java
+++ b/novel-common/src/main/java/com/java2nb/novel/core/annotation/ValidateSortOrder.java
@@ -0,0 +1,13 @@
+package com.java2nb.novel.core.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * @author xiongxiaoyang
+ * @date 2025/7/17
+ */
+@Target(ElementType.PARAMETER)
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface ValidateSortOrder {
+}
--- a/novel-common/src/main/java/com/java2nb/novel/core/aspect/SortOrderValidationAspect.java
+++ b/novel-common/src/main/java/com/java2nb/novel/core/aspect/SortOrderValidationAspect.java
@@ -0,0 +1,89 @@
+package com.java2nb.novel.core.aspect;
+
+import com.java2nb.novel.core.annotation.ValidateSortOrder;
+import com.java2nb.novel.core.utils.SortWhitelistUtil;
+import lombok.RequiredArgsConstructor;
+import lombok.SneakyThrows;
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.*;
+
+/**
+ * @author xiongxiaoyang
+ * @date 2025/7/17
+ */
+@Aspect
+@Component
+@RequiredArgsConstructor
+public class SortOrderValidationAspect {
+
+    /**
+     * 拦截所有的mapper方法
+     */
+    @SneakyThrows
+    @Around("execution(* com.java2nb.novel.mapper.*Mapper.*(..))")
+    public Object validateSortAndOrder(ProceedingJoinPoint joinPoint) {
+        Object[] args = joinPoint.getArgs();
+        MethodSignature signature = (MethodSignature) joinPoint.getSignature();
+        Method method = signature.getMethod();
+
+        Annotation[][] parameterAnnotations = method.getParameterAnnotations();
+
+        for (int i = 0; i < parameterAnnotations.length; i++) {
+            boolean hasAnnotation = Arrays.stream(parameterAnnotations[i])
+                .anyMatch(a -> a.annotationType().equals(ValidateSortOrder.class));
+
+            if (hasAnnotation && args[i] != null) {
+                processArgument(args[i]);
+            }
+        }
+
+        return joinPoint.proceed(args);
+    }
+
+    @SneakyThrows
+    private void processArgument(Object obj) {
+        if (obj instanceof Map<?,?> map) {
+            processMap(map);
+        } else {
+            traverseAndSanitize(obj);
+        }
+    }
+
+    @SneakyThrows
+    private void traverseAndSanitize(Object obj) {
+        for (Field field : obj.getClass().getDeclaredFields()) {
+            switch (field.getName()) {
+                case "sort", "order" -> {
+                    field.setAccessible(true);
+                    Object value = field.get(obj);
+                    if (value instanceof String strValue) {
+                        String sanitized = "sort".equals(field.getName())
+                            ? SortWhitelistUtil.sanitizeColumn(strValue)
+                            : SortWhitelistUtil.sanitizeOrder(strValue);
+                        field.set(obj, sanitized);
+                    }
+                }
+                default -> {
+                }
+            }
+        }
+    }
+
+    private void processMap(Map map) {
+        if (map.get("sort") instanceof String sortStr) {
+            map.put("sort", SortWhitelistUtil.sanitizeColumn(sortStr));
+        }
+        if (map.get("order") instanceof String orderStr) {
+            map.put("order", SortWhitelistUtil.sanitizeOrder(orderStr));
+        }
+    }
+
+}
--- a/novel-common/src/main/java/com/java2nb/novel/core/utils/SortWhitelistUtil.java
+++ b/novel-common/src/main/java/com/java2nb/novel/core/utils/SortWhitelistUtil.java
@@ -0,0 +1,28 @@
+package com.java2nb.novel.core.utils;
+
+import lombok.experimental.UtilityClass;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author xiongxiaoyang
+ * @date 2025/7/17
+ */
+@UtilityClass
+public class SortWhitelistUtil {
+
+    private final Set<String> allowedColumns = new HashSet<>(
+        Arrays.asList("id", "name", "create_time", "update_time", "last_index_update_time", "word_count",
+            "visit_count"));
+    private final Set<String> allowedOrders = new HashSet<>(Arrays.asList("asc", "desc"));
+
+    public String sanitizeColumn(String input) {
+        return allowedColumns.contains(input.toLowerCase()) ? input.toLowerCase() : "id";
+    }
+
+    public String sanitizeOrder(String input) {
+        return allowedOrders.contains(input.toLowerCase()) ? input.toLowerCase() : "asc";
+    }
+}