
深圳三院渗透检测修改(SQL注入问题)

gaozl 10 bulan lalu
induk
melakukan
8a86459cd2

+ 1 - 1
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/aop/UpdateDBLogAspect.java

@@ -92,7 +92,7 @@ public class UpdateDBLogAspect {
                 }catch (Exception e){
                     logger.error(e.getMessage());
                 }
-            }else {
+            }else if (ifAddLog(point.getSignature().getName()) || point.getSignature().getName().equals("queryData")){
                 updateDataTableDao.insertLog(LogAopUtil.logError(request, point, throwable));
             }
             logger.error(throwable.getMessage(), throwable);
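Review bot: The new condition keys the error-log insert on a literal method name, `point.getSignature().getName().equals("queryData")`, next to the existing `ifAddLog(...)` lookup; if ifAddLog is the registry of methods whose failures are logged, adding "queryData" there (or at least a `private static final String QUERY_DATA_METHOD = "queryData";`) keeps that set in one place so a handler rename cannot silently drop the logging. Also, the controller's queryData added in this commit catches every Exception itself, so this branch will only ever see a throwable if the pointcut also covers the service method — worth confirming. The enclosing advice method starts and ends outside the hunk.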

+ 26 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/sysdata/QueryDTO.java

@@ -0,0 +1,26 @@
+package com.lc.ibps.sysdata;
+
+import java.util.List;
+
+public class QueryDTO {
+
+    private String key;
+
+    private List<String> params;
+
+    public String getKey() {
+        return key;
+    }
+
+    public void setKey(String key) {
+        this.key = key;
+    }
+
+    public List<String> getParams() {
+        return params;
+    }
+
+    public void setParams(List<String> params) {
+        this.params = params;
+    }
+}
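Review bot: The new DTO has no Javadoc, and its two fields carry the contract the service depends on: `key` selects a stored statement from t_sqlconfig by key_, and `params` are the positional bind values handed unchanged to that statement. A class comment such as `/** Request body for /sys/universal/queryData: key selects the stored statement by key_; params are its positional bind values, in order (may be absent). */` would make that explicit for the next caller. Nothing here normalises a missing params list, so getParams() can return null and every consumer has to handle that case.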

+ 16 - 1
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/sysdata/controller/UpdateDataTableController.java

@@ -12,11 +12,14 @@ import com.aliyuncs.profile.DefaultProfile;
 import com.lc.ibps.api.base.constants.StateEnum;
 import com.lc.ibps.api.form.sql.util.BeanUtils;
 import com.lc.ibps.base.core.util.Collections;
+import com.lc.ibps.base.core.util.I18nUtil;
 import com.lc.ibps.base.framework.id.UniqueIdUtil;
 import com.lc.ibps.cloud.entity.APIResult;
+import com.lc.ibps.cloud.provider.GenericProvider;
 import com.lc.ibps.cloud.util.AESUtil;
 import com.lc.ibps.components.querybuilder.utils.StringUtils;
 import com.lc.ibps.config.JcjdConfig;
+import com.lc.ibps.sysdata.QueryDTO;
 import com.lc.ibps.sysdata.entity.Smsconfig;
 import com.lc.ibps.sysdata.entity.ZhuguantixingEntity;
 import com.lc.ibps.sysdata.services.HwSendSmsService;
@@ -40,7 +43,7 @@ import java.util.*;
 @Api(tags = "脚本通用编辑接口")
 @RequestMapping("/sys/universal")
 @RestController
-public class UpdateDataTableController {
+public class UpdateDataTableController extends GenericProvider {
     @Autowired
     private HwSendSmsService hwSendSmsService;
 
@@ -49,6 +52,18 @@ public class UpdateDataTableController {
     @Autowired
     ZhuguantixingService zhuguantixingService;
 
+    @ApiOperation("根据key和参数查询")
+    @PostMapping("/queryData")
+    APIResult queryData(@RequestBody QueryDTO queryDTO) {
+        APIResult result = new APIResult<>();
+        try {
+            result = updateDataTableService.queryData(queryDTO);
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
+        }
+        return result;
+    }
+
     @ApiOperation("直接运行查询sql")
     @ApiImplicitParams({@ApiImplicitParam("传入加密的sql字符串")})
     @PostMapping("/general")
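Review bot: In the new queryData handler (lines 87–95) `catch (Exception e)` collapses every failure — the service's missing-key validation, a missing t_sqlconfig row, and any SQL error raised by the stored statement — into ILLEGAL_REQUEST while handing `e` to setExceptionResult; whether a driver message reaches the client depends on that helper, so it is worth confirming the response carries only the i18n text. `APIResult result = new APIResult<>();` also declares the raw type on the left, so the diamond infers `APIResult<Object>`; `APIResult<?> result = new APIResult<>();` keeps the generic meaningful, and the handler is declared without an access modifier where the service method it calls is `public`. Because the exception is swallowed here, the `queryData` branch added to UpdateDBLogAspect in this commit can only observe a throwable if its pointcut matches the service layer.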

+ 3 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/sysdata/services/UpdateDataTableService.java

@@ -2,6 +2,7 @@ package com.lc.ibps.sysdata.services;
 
 import com.alibaba.fastjson.JSONObject;
 import com.lc.ibps.cloud.entity.APIResult;
+import com.lc.ibps.sysdata.QueryDTO;
 import org.springframework.web.bind.annotation.RequestBody;
 
 import java.util.LinkedHashMap;
@@ -83,4 +84,6 @@ public interface UpdateDataTableService {
 
     String checkParameters(String data);
 
+    APIResult queryData(QueryDTO queryDTO) throws Exception;
+
 }
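Review bot: The new interface method `APIResult queryData(QueryDTO queryDTO) throws Exception;` uses the raw `APIResult` and a blanket `throws Exception`, whereas the neighbouring `upEmployee` implementation in this commit returns `APIResult<Void>`; declaring the type parameter (`APIResult<?>` if the payload only travels through setVariables — confirm against APIResult) and a narrower exception type keeps the contract consistent with the rest of the interface. A one-line Javadoc naming what `key` and `params` mean for this method would also help callers, since the DTO itself has none.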

+ 28 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/sysdata/services/impl/UpdateDataTableImpl.java

@@ -1,5 +1,6 @@
 package com.lc.ibps.sysdata.services.impl;
 
+import cn.hutool.json.JSONUtil;
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONArray;
 import com.alibaba.fastjson.JSONObject;
@@ -23,6 +24,7 @@ import com.lc.ibps.cloud.redis.utils.RedisUtil;
 import com.lc.ibps.cloud.util.AESUtil;
 import com.lc.ibps.config.JsonUtilConfig;
 import com.lc.ibps.config.SerialConfig;
+import com.lc.ibps.sysdata.QueryDTO;
 import com.lc.ibps.sysdata.dao.UpdateDataTableDao;
 import com.lc.ibps.sysdata.entity.Material;
 import com.lc.ibps.sysdata.entity.User;
@@ -35,9 +37,15 @@ import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.DigestUtils;
 import org.springframework.web.bind.annotation.RequestBody;
 
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.time.Duration;
 import java.time.Instant;
 import javax.annotation.Resource;
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
 import java.nio.ByteBuffer;
 import java.nio.ByteOrder;
 import java.text.SimpleDateFormat;
@@ -66,6 +74,26 @@ public class UpdateDataTableImpl extends GenericProvider implements UpdateDataTa
     @Resource
     private ICommonDao<?> commonDao;
 
+    @Override
+    public APIResult queryData(QueryDTO queryDTO) throws Exception {
+        APIResult result = new APIResult();
+        if (BeanUtils.isEmpty(queryDTO) || BeanUtils.isEmpty(queryDTO.getKey())) {
+            throw new Exception("参数key不能为空!");
+        }
+        String sql = "select sql_ from t_sqlconfig where key_='%s'";
+        sql = String.format(sql, queryDTO.getKey());
+        Map<String, Object> map = commonDao.queryOne(sql);
+        List<Map<String, Object>> list = new ArrayList<>();
+        if (BeanUtils.isNotEmpty(map) && BeanUtils.isNotEmpty(map.get("sql_"))) {
+            Object[] params = queryDTO.getParams().toArray();
+            list = (List<Map<String, Object>>) commonDao.query( map.get("sql_").toString(), params);
+        }
+        Map<String, Object> datas = new HashMap<>();
+        datas.put("list", list);
+        result.setVariables(datas);
+        return result;
+    }
+
 
     @Override
     public APIResult<Void> upEmployee(String str){
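Review bot: `sql = String.format(sql, queryDTO.getKey());` on line 165 still builds the statement text from the request body, so the key lookup is concatenated SQL — a quote character in `key` changes the statement — even though the commit exists to close an injection finding; the stored statement two lines later is already run through `commonDao.query(sql, params)` with bound values, and the lookup should take the same parameterized path. `queryDTO.getParams().toArray()` on line 169 also throws NullPointerException whenever the request omits `params`, which the controller then reports as ILLEGAL_REQUEST. The fence assumes the dao accepts JDBC-style `?` markers, as the stored sql_ statements executed via query() presumably do — confirm against ICommonDao. Separately, `throw new Exception("参数key不能为空!")` for a validation failure would read better as IllegalArgumentException.
```java
    @Override
    public APIResult queryData(QueryDTO queryDTO) throws Exception {
        // … unchanged: result creation and empty-key check …
        // Bind the key as a parameter instead of formatting it into the statement
        // text; the stored statement below already runs with bound values, and the
        // lookup must not remain the one place that concatenates request input.
        List<Map<String, Object>> rows = (List<Map<String, Object>>) commonDao.query(
                "select sql_ from t_sqlconfig where key_=?", new Object[]{queryDTO.getKey()});
        Map<String, Object> map = (rows == null || rows.isEmpty()) ? null : rows.get(0);
        List<Map<String, Object>> list = new ArrayList<>();
        if (BeanUtils.isNotEmpty(map) && BeanUtils.isNotEmpty(map.get("sql_"))) {
            // params is optional in the request body; a missing list means no bind values.
            List<String> bindValues = queryDTO.getParams() == null ? new ArrayList<>() : queryDTO.getParams();
            list = (List<Map<String, Object>>) commonDao.query(map.get("sql_").toString(), bindValues.toArray());
        }
        // … unchanged: wrap list into result variables and return …
```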