From c3b0b3c4c3543e9a820cd78f294a5640b2a77fce Mon Sep 17 00:00:00 2001
From: simsevenx
Date: Thu, 15 Oct 2020 22:52:30 +0800
Subject: [PATCH] Remove SQL Injection Filter of NativeRepository And Relative Refactor (#10)
---
 .../xream/sqli/filter/UnsafeSyntaxFilter.java | 3 +--
 .../io/xream/sqli/core/NativeSupport.java | 2 +-
 .../java/io/xream/sqli/spi/JdbcHelper.java | 2 +-
 .../repository/core/CacheableRepository.java | 15 ++---------
 .../io/xream/sqli/repository/dao/Dao.java | 3 +--
 .../io/xream/sqli/repository/dao/DaoImpl.java | 16 +++---------
 .../internal/DefaultNativeRepository.java | 4 +--
 .../sqli/repository/util/SqlParserUtil.java | 25 -------------------
 .../sqli/starter/InitializerListener.java | 23 +++++++++++------
 9 files changed, 28 insertions(+), 65 deletions(-)
diff --git a/sqli-builder/src/main/java/io/xream/sqli/filter/UnsafeSyntaxFilter.java b/sqli-builder/src/main/java/io/xream/sqli/filter/UnsafeSyntaxFilter.java
index 8b9085a7..20b22ec1 100644
--- a/sqli-builder/src/main/java/io/xream/sqli/filter/UnsafeSyntaxFilter.java
+++ b/sqli-builder/src/main/java/io/xream/sqli/filter/UnsafeSyntaxFilter.java
@@ -26,7 +26,6 @@ public interface UnsafeSyntaxFilter {
 default String filter(String sql) {
- return sql.replace("'", "''")
- .replace(";", SqlScript.SPACE);
+ return sql.replace("'", "''");
 }
 }
diff --git a/sqli-core/src/main/java/io/xream/sqli/core/NativeSupport.java b/sqli-core/src/main/java/io/xream/sqli/core/NativeSupport.java
index af6e036e..c2a81fc8 100644
--- a/sqli-core/src/main/java/io/xream/sqli/core/NativeSupport.java
+++ b/sqli-core/src/main/java/io/xream/sqli/core/NativeSupport.java
@@ -26,7 +26,7 @@
 */
 public interface NativeSupport {
- boolean execute(Class clzz, String sql);
+ boolean execute(String sql, Object...objs);
 List> list(String sql, List conditionList);
 }
diff --git a/sqli-core/src/main/java/io/xream/sqli/spi/JdbcHelper.java b/sqli-core/src/main/java/io/xream/sqli/spi/JdbcHelper.java
index 7dc6305f..cfce2f26 100644
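Review bot: With the `;` stripping gone, the surviving `return sql.replace("'", "''");` is still a method named `filter` that takes whole statement text, and doubling every quote in a statement both breaks legitimately quoted literals and is not an injection defense; its only sound use is on a single value fragment that will sit between quotes, and untrusted values should go through placeholders instead. Nothing in the interface says this, so I would add above `filter`: `/** Doubles single quotes in one literal value fragment. Not a sanitizer for statement text: bind untrusted values as parameters instead. */`. Whether any caller still routes user input through this method is not visible in the hunk, and the enclosing interface starts before it.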
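Review bot: The new `boolean execute(String sql, Object...objs);` is a source- and binary-incompatible change for every `NativeSupport` implementation, and nothing documents what `objs` are or that `sql` now reaches the driver without the filter this patch removes. How `objs` are applied is not visible here (the DaoImpl hunk merely forwards them to `jdbcHelper.execute`), so the contract should be written down: `/** Executes native statement text that must come from trusted code; values belong in objs, which implementations bind as positional parameters rather than concatenating into sql. */`. The interface continues outside the hunk.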
--- a/sqli-core/src/main/java/io/xream/sqli/spi/JdbcHelper.java
+++ b/sqli-core/src/main/java/io/xream/sqli/spi/JdbcHelper.java
@@ -40,7 +40,7 @@ public interface JdbcHelper extends BaseFinder, ResultMapFinder {
 boolean remove(String sql, Object id);
- boolean execute(String sql);
+ boolean execute(String sql,Object...objs);
 List queryForPlainValueList(Class clzz, String sql, Collection valueList, Dialect dialect);
diff --git a/sqli-repo/src/main/java/io/xream/sqli/repository/core/CacheableRepository.java b/sqli-repo/src/main/java/io/xream/sqli/repository/core/CacheableRepository.java
index bf2014fb..a252bfcb 100644
--- a/sqli-repo/src/main/java/io/xream/sqli/repository/core/CacheableRepository.java
+++ b/sqli-repo/src/main/java/io/xream/sqli/repository/core/CacheableRepository.java
@@ -230,19 +230,8 @@ public List list(Criteria criteria) {
 }
- public boolean execute(Class clzz, String sql) {
- Parsed parsed = Parser.get(clzz);
- boolean b = dao.execute(clzz, sql);
- if (!b)
- return b;
- if (isCacheEnabled(parsed)) {
- String key = ParserUtil.getCacheKey(clzz, parsed);
- cacheResolver.refresh(clzz, key);
- }
- return b;
+ public boolean execute(String sql, Object...objs) {
+ return dao.execute(sql,objs);
 }
diff --git a/sqli-repo/src/main/java/io/xream/sqli/repository/dao/Dao.java b/sqli-repo/src/main/java/io/xream/sqli/repository/dao/Dao.java
index 17bd09d5..be49ba9e 100644
--- a/sqli-repo/src/main/java/io/xream/sqli/repository/dao/Dao.java
+++ b/sqli-repo/src/main/java/io/xream/sqli/repository/dao/Dao.java
@@ -66,8 +66,7 @@ List> list(String sql, List list(Criteria criteria);
- @Deprecated
- boolean execute(Class clzz, String sql);
+ boolean execute(String sql, Object...objs);
 T getOne(T conditionObj);
diff --git a/sqli-repo/src/main/java/io/xream/sqli/repository/dao/DaoImpl.java b/sqli-repo/src/main/java/io/xream/sqli/repository/dao/DaoImpl.java
index 448e5f1e..8bf8fd2c 100644
--- a/sqli-repo/src/main/java/io/xream/sqli/repository/dao/DaoImpl.java
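Review bot: Style: `boolean execute(String sql,Object...objs);` drops the space after the comma that the neighbouring `remove(String sql, Object id)` uses, and `Object...objs` is conventionally spelled `Object... objs`; I would write `boolean execute(String sql, Object... objs);`. This SPI method also gets no Javadoc for the new varargs, so implementers have nothing stating the contract; a one-liner such as `/** Runs sql with objs bound as its positional parameters. */` would fix that, with the binding behaviour presumed from the signature since no implementation is in this patch.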
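Review bot: The new `execute(String sql, Object...objs)` no longer performs the `cacheResolver.refresh(clzz, key)` that the removed version did when `isCacheEnabled(parsed)`, so a native UPDATE or DELETE issued through this repository now leaves cached rows stale until they expire; without `clzz` the method cannot even know which cache to touch. If that is intended it should be documented, e.g. `/** Runs a native statement with objs bound as parameters. Unlike the entity methods this does NOT refresh any cache; callers that modify cached entities must invalidate them explicitly. */`; otherwise keep an overload that takes the entity class and refreshes as before. Whether existing callers relied on the refresh is not visible here.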
+++ b/sqli-repo/src/main/java/io/xream/sqli/repository/dao/DaoImpl.java
@@ -19,6 +19,7 @@
 package io.xream.sqli.repository.dao;
 import io.xream.sqli.annotation.X;
+import io.xream.sqli.api.NativeRepository;
 import io.xream.sqli.builder.*;
 import io.xream.sqli.builder.internal.PageBuilderHelper;
 import io.xream.sqli.converter.ObjectDataConverter;
@@ -175,8 +176,6 @@ public boolean createOrReplace(Object obj) {
 @Override
 public List> list(String sql, List conditionList) {
- sql = sqlBuilder.filter(sql);
-
 return this.jdbcHelper.queryForResultMapList(sql, conditionList,null, null,this.dialect);
 }
@@ -262,21 +261,14 @@ private long getCount(Class clz, String sql, Collection list) {
 /**
 *
- * @param clzz
+ * @param
 * @param sql
 */
 @Deprecated
 @Override
- public boolean execute(Class clzz, String sql) {
- Parsed parsed = Parser.get(clzz);
- sql = sqlBuilder.filter(sql);
- sql = SqlParserUtil.mapperForNative(sql, parsed);
- SqliLoggerProxy.debug(clzz, sql);
+ public boolean execute(String sql, Object...objs) {
- return this.jdbcHelper.execute(sql);
+ return this.jdbcHelper.execute(sql,objs);
 }
diff --git a/sqli-repo/src/main/java/io/xream/sqli/repository/internal/DefaultNativeRepository.java b/sqli-repo/src/main/java/io/xream/sqli/repository/internal/DefaultNativeRepository.java
index 56c700a8..9e7ec34f 100644
--- a/sqli-repo/src/main/java/io/xream/sqli/repository/internal/DefaultNativeRepository.java
+++ b/sqli-repo/src/main/java/io/xream/sqli/repository/internal/DefaultNativeRepository.java
@@ -54,9 +54,9 @@ public void setNativeSupport(NativeSupport nativeSupport){
 }
 @Override
- public boolean execute(Class clzz, String sql){
+ public boolean execute(String sql, Object...objs){
 try {
- return nativeSupport.execute(clzz, sql);
+ return nativeSupport.execute(sql, objs);
 }catch (Exception e) {
 if (e instanceof RuntimeException){
 throw e;
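Review bot: `import io.xream.sqli.api.NativeRepository;` is added, but none of the DaoImpl hunks in this patch reference `NativeRepository`; if nothing else in the file uses it, it is an unused import and should be dropped rather than left to accumulate. The rest of DaoImpl is outside this diff, so a use elsewhere in the file would change that.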
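Review bot: Removing `sql = sqlBuilder.filter(sql);` makes `list` the point where the query text is trusted exactly as given; `conditionList` is forwarded to `queryForResultMapList`, presumably to be bound, but nothing on the method tells callers that values must go there rather than into `sql`. I would add above `list`: `/** Runs native query text, which must not be assembled from untrusted input; values go in conditionList, which is handed to the JDBC helper to bind. */`. How the helper applies `conditionList` is not visible in this hunk.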
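Review bot: The new `public boolean execute(String sql, Object...objs)` keeps its `@Deprecated` annotation while the same patch removes `@Deprecated` from `Dao.execute`, and the Javadoc above it now has a dangling `* @param` with no name because `@param clzz` was trimmed instead of deleted; the `SqliLoggerProxy.debug(clzz, sql)` call is also gone, so native statements are no longer traced. I would drop `@Deprecated`, replace the comment with `/** Executes native statement text, which must not be built from untrusted input; objs are passed to the JDBC helper for binding. */`, and restore a debug log of `sql` if the old trace was relied on. Whether `jdbcHelper.execute` binds `objs` or concatenates them is not visible here.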
diff --git a/sqli-repo/src/main/java/io/xream/sqli/repository/util/SqlParserUtil.java b/sqli-repo/src/main/java/io/xream/sqli/repository/util/SqlParserUtil.java
index 3b346692..c2e57c3e 100644
--- a/sqli-repo/src/main/java/io/xream/sqli/repository/util/SqlParserUtil.java
+++ b/sqli-repo/src/main/java/io/xream/sqli/repository/util/SqlParserUtil.java
@@ -26,35 +26,10 @@
 */
 public final class SqlParserUtil {
- public final static String COMMA = ",";
 public final static String SPACE = " ";
 public final static String SQL_KEYWORD_MARK = "`";
- public static String mapperForNative(String sqlSegment, Parsed parsed) {
-
- sqlSegment = mapper(sqlSegment,parsed);
-
- if (parsed.isNoSpec())
- return sqlSegment;
-
- if (!sqlSegment.contains(COMMA))
- return sqlSegment;
-
- for (String property : parsed.getPropertyMapperMap().keySet()){//FIXME 解析之后, 替换,拼接
- String key = SPACE+property+COMMA;
- String value = SPACE+parsed.getMapper(property)+COMMA;
- sqlSegment = sqlSegment.replaceAll(key, value);
- }
- for (String property : parsed.getPropertyMapperMap().keySet()){//FIXME 解析之后, 替换,拼接
- String key = COMMA+property+COMMA;
- String value = COMMA+parsed.getMapper(property)+COMMA;
- sqlSegment = sqlSegment.replaceAll(key, value);
- }
- return sqlSegment;
- }
-
-
 public static String mapper(String sql, Parsed parsed) {
 if (parsed.isNoSpec())
diff --git a/sqli-repo/src/main/java/io/xream/sqli/starter/InitializerListener.java b/sqli-repo/src/main/java/io/xream/sqli/starter/InitializerListener.java
index ceaf8009..9a3ef2d0 100644
--- a/sqli-repo/src/main/java/io/xream/sqli/starter/InitializerListener.java
+++ b/sqli-repo/src/main/java/io/xream/sqli/starter/InitializerListener.java
@@ -22,6 +22,7 @@
 import io.xream.sqli.builder.DialectSupport;
 import io.xream.sqli.core.NativeSupport;
 import io.xream.sqli.core.RepositoryManagement;
+import io.xream.sqli.exception.ParsingException;
 import io.xream.sqli.parser.Parser;
 import io.xream.sqli.repository.exception.UninitializedException;
 import io.xream.sqli.repository.init.SqlInit;
@@ -37,7 +38,9 @@ public class InitializerListener {
 private final static Logger logger = LoggerFactory.getLogger(InitializerListener.class);
 private static InitializerListener instance;
- private InitializerListener(){}
+
+ private InitializerListener() {
+ }
 public static void onStarted(NativeSupport nativeSupport, DialectSupport dialect, SqlInit sqlInit) {
@@ -45,14 +48,20 @@ public static void onStarted(NativeSupport nativeSupport, DialectSupport dialect
 return;
 instance = new InitializerListener();
+
 for (BaseRepository repository : RepositoryManagement.REPOSITORY_LIST) {
 if (repository.getClzz() == Void.class) continue;
- logger.info("Parsing {}" ,repository.getClzz());
- Parser.get(repository.getClzz());
+ logger.info("Parsing {}", repository.getClzz());
+ try {
+ Parser.get(repository.getClzz());
+ } catch (Exception e) {
+ if (e instanceof ParsingException) {
+ throw new ParsingException(repository.getClzz() + ", " + e.getMessage());
+ }
+ }
 }
-
 boolean flag = false;
 boolean isNotSupportTableSql = false;
@@ -65,12 +74,12 @@ public static void onStarted(NativeSupport nativeSupport, DialectSupport dialect
 String createSql = sqlInit.tryToParse(clz);
 String test = sqlInit.getSql(clz, SqlInit.CREATE);
 if (SqliStringUtil.isNullOrEmpty(test)) {
- logger.info("Failed to start sqli-repo, check Bean: {}",clz);
+ logger.info("Failed to start sqli-repo, check Bean: {}", clz);
 throw new UninitializedException("Failed to start sqli-repo, check Bean: " + clz);
 }
 if (SqliStringUtil.isNotNull(createSql)) {
- nativeSupport.execute(clz, createSql);
+ nativeSupport.execute(createSql);
 }
 } catch (Exception e) {
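Review bot: The new `catch (Exception e)` around `Parser.get(repository.getClzz())` silently swallows every exception that is not a `ParsingException` (the `if` has no else branch), so an entity that fails for any other reason is skipped and startup continues as if it had parsed; the rethrown `ParsingException` also discards the original exception as its cause. Catch only what you rewrap so everything else propagates: `} catch (ParsingException e) {` / `throw new ParsingException(repository.getClzz() + ", " + e.getMessage());` / `}`, passing `e` as the cause if `ParsingException` offers such a constructor (not visible here). `onStarted` continues beyond this hunk.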
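Review bot: `logger.info("Failed to start sqli-repo, check Bean: {}", clz);` logs a fatal startup failure at INFO level on the line right before `throw new UninitializedException(...)`; it should be `logger.error(...)` or dropped, since the exception already carries the same message. `nativeSupport.execute(createSql)` now runs the generated DDL with no bound values, which is fine as long as `createSql` only ever comes from `sqlInit.tryToParse(clz)` as the visible call suggests; a comment `// DDL generated from the entity class, never from external input` would make that invariant explicit. The enclosing try starts before the hunk and its catch continues past it.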
@@ -85,7 +94,7 @@ public static void onStarted(NativeSupport nativeSupport, DialectSupport dialect
 logger.info("The dialect not support creating table, try to implement Dialect.buildTableSql(clzz, isTemporary)");
 }
- logger.info("sqli-repo " + (flag ? "still " : "") + "started" + (flag ? " OK, wtih some problem" : "" ) + "\n");
+ logger.info("sqli-repo " + (flag ? "still " : "") + "started" + (flag ? " OK, wtih some problem" : "") + "\n");
 }
 }