• Home
• com.github.bliplink
• gw
• 1.0.12
• source code
• SqlInjSecurityCheck.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.gateway.invoke.security.SqlInjSecurityCheck Maven / Gradle / Ivy

package com.gateway.invoke.security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.gateway.connector.proto.Proto;
import com.gateway.message.SystemMessage;
import com.gateway.utils.JsonUtils;

public class SqlInjSecurityCheck implements ISecurityCheck {
	private final Logger logger = LoggerFactory.getLogger(this.getClass());
	private static int WhiteListCheck = 10004;
	private static String WhiteListCheckMsg = "";
	private List sqls = new ArrayList();

	public void init() {
		sqls.add("'");
//		sqls.add("\"");
		//sqls.add("{");
		//sqls.add("}");
		//sqls.add("[");
		//sqls.add("]");
//		sqls.add("\\");
//		sqls.add(":");
		// sqls.add(";");
		sqls.add("<");
		sqls.add(">");
//		sqls.add("?");
		// sqls.add(",");
		// sqls.add(".");
		sqls.add("`");
		sqls.add("~");
//		sqls.add("!");
//		sqls.add("@");
		sqls.add("$");
		sqls.add("%");
		sqls.add("^");
		//sqls.add("and");
		sqls.add("exec");
		sqls.add("insert");
		sqls.add("select");
		sqls.add("delete");
		sqls.add("update");
//		sqls.add("count");
//		sqls.add("count");
//		sqls.add("*");
//		sqls.add("chr");
		sqls.add("mid");
		sqls.add("master");
		sqls.add("truncate");
		sqls.add("char");
		sqls.add("declare");
//		sqls.add("or");

	}

	@Override
	public SecurityResult check(SystemMessage sMsg, Proto message, String serverName, String method, String content,
			Map hm) {
		SecurityResult pr = new SecurityResult();

		Object contentObj = hm.get("content");
		if (contentObj != null) {
			if (contentObj instanceof String) {
				content = contentObj + "";
				if (isInj(content)) {
					pr.code = WhiteListCheck;
					pr.msg = WhiteListCheckMsg;
					return pr;
				}
			} else if (contentObj instanceof JSONArray) {
				JSONArray jsonArray = (JSONArray) contentObj;
				for (Object object : jsonArray) {
					JSONObject jo = (JSONObject) object;
					if (jo != null) {
						for (Entry entry : jo.entrySet()) {
							String value = entry.getValue() + "";
							if (isInj(value)) {
								pr.code = WhiteListCheck;
								pr.msg = WhiteListCheckMsg;
								break;
							}
						}
					}
				}
			} else {
				JSONObject jo = (JSONObject) contentObj;
				if (jo != null) {
					for (Entry entry : jo.entrySet()) {
						String value = entry.getValue() + "";
						if (isInj(value)) {
							pr.code = WhiteListCheck;
							pr.msg = WhiteListCheckMsg;
							break;
						}
					}
				}

			}
		}

		return pr;
	}

	private boolean isInj(String value) {
		boolean flag = false;
		for (String sql : sqls) {
			if (value.indexOf(sql) >= 0) {
				flag = true;
				logger.warn(String.format("value:%s sql:%s", value, sql));
				break;
			}
		}
		return flag;
	}
}