
深圳三院SQL注入修改-新加接口

gaozl 10 ay önce
ebeveyn
işleme
e6257a86ef

+ 4 - 9
ibps-base-root/modules/base-web/src/main/java/com/lc/ibps/base/web/util/RequestUtil.java

@@ -256,16 +256,11 @@ public class RequestUtil {
 	static {
 		// 扩展SQL关键字和危险符号(按长度降序排列,避免部分匹配)
 		String[] sqlKeywords = {
-				"\\bexec\\b", "\\binsert\\b", "\\bdelete\\b", "\\bupdate\\b",
-				"\\bdrop\\b", "\\bcreate\\b", "\\balter\\b", "\\btruncate\\b",
-				"\\bchar\\b", "\\bchr\\b", "\\bxp_cmdshell\\b"
+				"\\bexec\\b", "\\binsert\\b", "\\bselect\\b", "\\bdelete\\b", "\\bupdate\\b",
+				"\\bdrop\\b", "\\bcreate\\b", "\\balter\\b", "\\btruncate\\b", "\\bunion\\b",
+				"\\bchar\\b", "\\bchr\\b", "\\bcount\\b", "\\bfrom\\b", "\\bwhere\\b",
+				";", "--", "/\\*", "\\*/", "\"", "'", "\\|", "\\%", "\\=", "\\bxp_cmdshell\\b"
 		};
-//		String[] sqlKeywords = {
-//				"\\bexec\\b", "\\binsert\\b", "\\bselect\\b", "\\bdelete\\b", "\\bupdate\\b",
-//				"\\bdrop\\b", "\\bcreate\\b", "\\balter\\b", "\\btruncate\\b", "\\bunion\\b",
-//				"\\bchar\\b", "\\bchr\\b", "\\bcount\\b", "\\bfrom\\b", "\\bwhere\\b",
-//				";", "--", "/\\*", "\\*/", "\"", "'", "\\|", "\\%", "\\=", "\\bxp_cmdshell\\b"
-//		};
 		String regex = String.join("|", sqlKeywords);
 		SQL_INJECT_PATTERN = Pattern.compile(regex, Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE);
 	}
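Review bot: The re-enabled alternatives on L20-L23 — `\\bselect\\b`, `\\bfrom\\b`, `\\bwhere\\b`, `\\bcount\\b`, `\\=`, `\\%`, `'` and `\"` — match ordinary user data (names with apostrophes, dates, percentages, any free text containing "from" or "where"), so whatever `filterInjectQuery` does on a match (its body is outside this hunk) will now fire on legitimate input; this pattern is a blocklist, not an escape, and cannot replace binding values as query parameters, which the values passed through it in UpdateDataTableImpl later in this commit already are. The comment on L15 says the list is sorted by length descending to avoid partial matches, but the new entries are not in that order, so the claim is stale; suggest replacing it with `// Blocklist only: the widened terms (from/where/count, quotes, =, %) also match legitimate values; callers must still bind parameters.` and either re-sorting or relying on the `\\b` anchors, which already prevent the partial matches the comment worries about.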

+ 1 - 1
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/aop/UpdateDBLogAspect.java

@@ -138,7 +138,7 @@ public class UpdateDBLogAspect {
 
     public boolean ifAddLog(String methodName){
         String[] names = {"addDataContextTable","updateDataContextTable","updatesDatasContextTable",
-                          "updatesBatchContextTable","batchDelete","deleteDataContextTable"};
+                          "updatesBatchContextTable","batchDelete","deleteDataContextTable","encipher"};
         return Arrays.asList(names).contains(methodName);
     }
 

+ 67 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/controller/ReformController.java

@@ -0,0 +1,67 @@
+package com.lc.ibps.business.controller;
+
+import com.lc.ibps.api.base.constants.StateEnum;
+import com.lc.ibps.base.core.util.I18nUtil;
+import com.lc.ibps.business.service.ReformService;
+import com.lc.ibps.cloud.entity.APIResult;
+import com.lc.ibps.cloud.provider.GenericProvider;
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@Api(tags = "SQL注入修改")
+@RequestMapping("/reform")
+@RestController
+public class ReformController extends GenericProvider {
+
+    @Autowired
+    private ReformService reformService;
+
+    @ApiOperation("根据供应商类型查询供应商配置")
+    @GetMapping("/gyspzList")
+    APIResult querySupplierConfig(@RequestParam(name = "type", required = true) String type){
+        APIResult result = new APIResult<>();
+        try {
+            result = reformService.querySupplierConfig(type);
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
+        }
+        return result;
+    }
+
+    @ApiOperation("根据流程定义key和业务主键id查询附件和快照")
+    @GetMapping("/getFileInfo")
+    APIResult getFileInfo(@RequestParam(name = "procDefKey", required = true) String procDefKey,
+                          @RequestParam(name = "id", required = true) String id){
+        APIResult result = new APIResult<>();
+        try {
+            result = reformService.getFileInfo(procDefKey,id);
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
+        }
+        return result;
+    }
+
+    @ApiOperation("受控文件查阅")
+    @GetMapping("/queryWjxx")
+    APIResult getDocumentsInfo(@RequestParam(name = "folderId", required = false) String folderId,
+                               @RequestParam(name = "fileCode", required = false) String fileCode,
+                               @RequestParam(name = "fileName", required = false) String fileName,
+                               @RequestParam(name = "version", required = false) String version,
+                               @RequestParam(name = "startDate", required = false) String startDate,
+                               @RequestParam(name = "endDate", required = false) String endDate,
+                               @RequestParam(name = "order", required = false) String order ){
+        APIResult result = new APIResult<>();
+        try {
+            result = reformService.getDocumentsInfo(folderId,fileCode,fileName,version,startDate,endDate ,order);
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
+        }
+        return result;
+    }
+
+}
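Review bot: `APIResult result = new APIResult<>();` on L78, L91 and L109 uses the raw type, so the diamond infers `Object` and the assignments from `reformService` compile only with unchecked warnings; the same raw `APIResult` is declared in ReformService.java and ReformServiceImpl.java in this commit, and parameterizing it once in the interface (with whatever payload type `setVariables` is meant to carry) would clear all three sites. The three handler methods have no access modifier; Spring still maps them, but `public` is the convention readers and Swagger tooling expect, e.g. `public APIResult querySupplierConfig(...)`. Every `Exception` — including database failures from the string-built queries in the service — is reported as `StateEnum.ILLEGAL_REQUEST` via an identical three-line catch block repeated three times; extract it to a private helper and, if the enum has a server-error state, reserve ILLEGAL_REQUEST for argument problems so server faults are not labelled as client faults.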

+ 13 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/service/ReformService.java

@@ -0,0 +1,13 @@
+package com.lc.ibps.business.service;
+
+import com.lc.ibps.cloud.entity.APIResult;
+
+public interface ReformService {
+
+    APIResult querySupplierConfig(String type);
+
+
+    APIResult getFileInfo(String procDefKey, String id);
+
+    APIResult getDocumentsInfo(String folderId, String fileCode, String fileName, String version, String startDate, String endDate, String order);
+}
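Review bot: The three methods of ReformService carry no Javadoc, and the parameter names alone (`type`, `id`, `order`) do not tell an implementer what shape of value they receive or how it may be used. Add a one-line summary plus `@param` tags per method, and for `getDocumentsInfo` document that `order` is used as an ORDER BY fragment and that every `String` argument arrives unvalidated from the HTTP layer (ReformController forwards `@RequestParam` values unchanged), so implementations must validate or bind them. The double blank line at L131-L132 should also be collapsed to match the spacing of the other members.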

+ 231 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/service/impl/ReformServiceImpl.java

@@ -0,0 +1,231 @@
+package com.lc.ibps.business.service.impl;
+
+import com.lc.ibps.base.core.constants.StringPool;
+import com.lc.ibps.base.core.util.AppUtil;
+import com.lc.ibps.base.core.util.BeanUtils;
+import com.lc.ibps.base.core.util.Collections;
+import com.lc.ibps.base.framework.table.ICommonDao;
+import com.lc.ibps.base.web.context.ContextUtil;
+import com.lc.ibps.business.service.ReformService;
+import com.lc.ibps.cloud.entity.APIResult;
+import com.lc.ibps.org.api.IPartyPositionService;
+import com.lc.ibps.org.party.persistence.entity.PartyPositionPo;
+import com.lc.ibps.org.party.persistence.entity.PartyPositionTbl;
+import io.swagger.annotations.ApiOperation;
+import io.swagger.annotations.ApiParam;
+import lombok.extern.log4j.Log4j2;
+import net.sf.morph.wrap.Bean;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.Resource;
+import java.util.*;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+@Log4j2
+@Service
+public class ReformServiceImpl implements ReformService {
+
+    @Resource
+    private ICommonDao<?> commonDao;
+
+    @ApiOperation(value = "根据供应商类型查询供应商配置", notes = "根据供应商类型查询供应商配置")
+    @Override
+    public APIResult querySupplierConfig(
+            @ApiParam(name = "type", value = "供应商类型", required = true)  String type) {
+        APIResult result = new APIResult<>();
+        List<Map<String,Object>> list = new ArrayList<>();
+        Map<String, Object> data = new HashMap<>();
+        String sql = "SELECT id_ FROM t_mjgyskhnrpzb WHERE yong_tu_='评价' AND di_dian_='%s' ORDER BY create_time_ DESC LIMIT 1";
+        sql = String.format(sql, getDiDian());
+        Map<String, Object> map = commonDao.queryOne(sql);
+        if (BeanUtils.isNotEmpty(map) && BeanUtils.isNotEmpty(map.get("id_"))) {
+            String parentId = (String) map.get("id_");
+            StringBuilder conditionBuilder = new StringBuilder();
+            String[] types = type.split(",");
+            for (int i = 0; i < types.length; i++) {
+                if (i > 0) {
+                    conditionBuilder.append(" OR ");
+                }
+                conditionBuilder.append("lei_xing_ LIKE '%").append(types[i].trim().replace("'", "''")).append("%'");
+            }
+            String sql2 = "SELECT * FROM t_mjgyskhnrpzzb WHERE parent_id_='%s' AND (%s) ORDER BY id_ DESC";
+            sql2 = String.format(sql2, parentId , conditionBuilder);
+            list = (List<Map<String, Object>>) commonDao.query(sql2);
+            data.put("data", list);
+        }
+        result.setVariables(data);
+        return result;
+    }
+
+    @ApiOperation(value = "根据流程定义key和业务主键id查询附件和快照", notes = "根据流程定义key和业务主键id查询附件和快照")
+    @Override
+    public APIResult getFileInfo(
+            @ApiParam(name = "procDefKey", value = "流程定义key", required = true) String procDefKey,
+            @ApiParam(name = "id", value = "业务表主键id", required = true) String id) {
+        APIResult result = new APIResult<>();
+        List<String> kuaiZhao = new ArrayList<>();
+        List<String> fuJian = new ArrayList<>();
+        Map<String, Object> data = new HashMap<>();
+        String sql = "SELECT fu_jian_nei_rong_,shi_fou_zi_biao_,guan_lian_zi_duan from t_lcidglbdbb WHERE liu_cheng_xuan_ze='%s' limit 1";
+        sql = String.format(sql, procDefKey);
+        Map<String, Object> map = commonDao.queryOne(sql);
+        if (BeanUtils.isNotEmpty(map) && BeanUtils.isNotEmpty(map.get("fu_jian_nei_rong_")) && BeanUtils.isNotEmpty(map.get("shi_fou_zi_biao_"))) {
+            String[] fields = map.get("fu_jian_nei_rong_").toString().split("\\.");
+            String[] tables = map.get("shi_fou_zi_biao_").toString().split("\\.");
+            String[] links = new String[]{"id_"};
+            if (BeanUtils.isNotEmpty(map.get("guan_lian_zi_duan"))) {
+                links = map.get("guan_lian_zi_duan").toString().split("\\.");
+            }
+            int length = tables.length;
+            if (tables.length > fields.length) {
+                length = fields.length;
+            }
+            for (int j = 0; j < length; j++) {
+                String sql2 = "select " + fields[j] +" from "+ tables[j] +" where id_='"+id+"'";
+                if (BeanUtils.isNotEmpty(map.get("guan_lian_zi_duan"))){
+                    sql2 = "select " + fields[j] +" from "+ tables[j] +" where "+ links[j] +"='"+id+"'";
+                }
+                List<Map<String, Object>> fileList = (List<Map<String, Object>>) commonDao.query(sql2);
+                for (Map<String, Object> file : fileList) {
+                    for (Map.Entry<String, Object> entry : file.entrySet()) {
+                        if (BeanUtils.isEmpty(entry.getValue())) {
+                            continue;
+                        }
+                        if ("kuai_zhao_".equals(entry.getKey())) {
+                            kuaiZhao.add(entry.getValue().toString());
+                        } else {
+                            fuJian.add(entry.getValue().toString());
+                        }
+                    }
+                }
+            }
+        }
+        data.put("kuaiZhao", kuaiZhao);
+        data.put("fuJian", fuJian);
+        result.setVariables(data);
+        return result;
+    }
+
+    private String getCatTypeIds(List<Map<String, Object>> data,String type){
+        List<String> typeIdList = new ArrayList<>();
+        for (Map<String, Object> file : data) {
+            if (file.get("AUTHORITY_NAME").toString().contains(type)){
+                typeIdList.add(file.get("id_").toString());
+            }
+        }
+        return String.join(",", typeIdList);
+    }
+
+    @Override
+    public APIResult getDocumentsInfo(String folderId, String fileCode, String fileName, String version, String startDate, String endDate, String order) {
+        APIResult result = new APIResult<>();
+
+        String conditions = "";
+        if (BeanUtils.isNotEmpty(fileCode)){
+            conditions = conditions + " and wj.wen_jian_bian_hao LIKE '%"+fileCode+"%' ";
+        }
+        if (BeanUtils.isNotEmpty(fileName)){
+            conditions = conditions + " and wj.wen_jian_ming_che LIKE '%"+fileName+"%' ";
+        }
+        if (BeanUtils.isNotEmpty(version)){
+            conditions = conditions + " and wj.ban_ben_ LIKE '%"+version+"%' ";
+        }
+        if (BeanUtils.isNotEmpty(startDate)){
+            conditions = conditions + " and DATE_FORMAT(wj.fa_bu_shi_jian_,'%Y-%m-%d')>='"+startDate+"'";
+        }
+        if (BeanUtils.isNotEmpty(endDate)){
+            conditions = conditions + " and DATE_FORMAT(wj.fa_bu_shi_jian_,'%Y-%m-%d')<='"+endDate+"'";
+        }
+
+        String sorts = " order by wj.wen_jian_bian_hao desc,wj.wen_jian_ming_che desc";
+        if (BeanUtils.isNotEmpty(order)){
+            sorts = " order by "+order;
+        }
+
+        String userId = ContextUtil.getCurrentUserId();
+        String cat = "SELECT id_,DEPTH_,AUTHORITY_NAME from ibps_cat_type where CATEGORY_KEY_='FILE_TYPE' and AUTHORITY_NAME like '%"+getDiDian()+"%' ";
+        List<Map<String, Object>> data = (List<Map<String, Object>>) commonDao.query(cat);
+        if (BeanUtils.isNotEmpty(folderId)){
+            cat = cat + "and PATH_ like '%"+folderId+"%'";
+            data = (List<Map<String, Object>>) commonDao.query(cat);
+        }
+
+        String comIds = getCatTypeIds(data,"公用查阅");
+        String bmIds = getCatTypeIds(data,"部门查阅");
+        String kzIds = getCatTypeIds(data,"受限查阅");
+
+        String sql = "select  wj.id_ as id,cy.id_ as cy_id_,sc.id_ as sc_id_,wj.shu_ju_lai_yuan_ AS shu_ju_lai_yuan_,file.ext_ AS ext_," +
+                " file.FILE_PATH_ AS file_path_,concat(file.file_name_,'.',file.ext_,'(大小:',CASE" +
+                " WHEN file.total_bytes_ >= 1024 * 1024 THEN CONCAT(ROUND(file.total_bytes_ / (1024.0 * 1024), 2), ' M')" +
+                " WHEN file.total_bytes_ >= 1024 THEN CONCAT(ROUND(file.total_bytes_ / 1024.0, 2), ' K')" +
+                " ELSE CONCAT(file.total_bytes_, 'B') END ,')') as file_info_," +
+                " wj.wen_jian_xi_lei_,wj.wen_jian_bian_hao,wj.wen_jian_ming_che,wj.ban_ben_,wj.wen_jian_fu_jian_ AS fu_jian_," +
+                " wj.fa_bu_shi_jian_ as fa_fang_shi_jian_,'' AS cha_yue_jie_zhi_s  from t_wjxxb wj " +
+                " left join (select id_,parent_id_ from t_wjcyjl group by parent_id_) cy on cy.parent_id_ = wj.id_ " +
+                " left join (select id_,parent_id_ from t_wjscjl group by parent_id_) sc on sc.parent_id_ = wj.id_ " +
+                " left join ibps_file_attachment file on file.id_ = wj.wen_jian_fu_jian_";
+
+        // 共用文件
+        // shi_fou_guo_shen_ ='有效'  and  di_dian_
+        String comSql = sql + " where wj.shi_fou_guo_shen_ ='有效' and wj.di_dian_='%s' and FIND_IN_SET (wj.xi_lei_id_,'%s') ";
+        comSql = String.format(comSql , getDiDian() , comIds );
+        comSql = comSql + conditions + sorts;
+        List<Map<String, Object>> comList = (List<Map<String, Object>>) commonDao.query(comSql);
+
+
+        // 部门权限文件
+        // shi_fou_guo_shen_ in ('有效','使用')
+        String buMenSql = sql + " where wj.shi_fou_guo_shen_ in ('有效','使用') and  FIND_IN_SET(wj.quan_xian_xin_xi_ ,'%s') and FIND_IN_SET (wj.xi_lei_id_,'%s') ";
+        IPartyPositionService partyPositionService = AppUtil.getBean(IPartyPositionService.class);
+        APIResult<List<PartyPositionPo>> result1 = partyPositionService.findByUserId(userId);
+        if (result1.isFailed() || Collections.isEmpty(result1.getData())) {
+            throw new IllegalArgumentException("buMen not match!");
+        }
+        String currBuMen = result1.getData().stream().map(PartyPositionTbl::getId).collect(Collectors.joining(","));
+        buMenSql = String.format(buMenSql , currBuMen , bmIds);
+        buMenSql = buMenSql + conditions + sorts;
+        List<Map<String, Object>> buMenList = (List<Map<String, Object>>) commonDao.query(buMenSql);
+
+
+        //  受限文件
+        // 超管 和 文件管理员 查询所有 否则根据当前用户匹配查询
+        String role = "SELECT id_ from ibps_party_user_role WHERE ROLE_ID_ in(SELECT id_ from ibps_party_role where NAME_='wjgly') and USER_ID_='%s' limit 1";
+        Map<String, Object> roleMap = commonDao.queryOne(role);
+        String sxsql = "select wj.id_ as id,cy.id_ as cy_id_,sc.id_ as sc_id_,wj.shu_ju_lai_yuan_ AS shu_ju_lai_yuan_,file.ext_ AS ext_,file.FILE_PATH_ AS file_path_," +
+                "  CONCAT(file.file_name_, '.', file.ext_, '(',CASE WHEN file.total_bytes_ >= 1024 * 1024 THEN CONCAT(ROUND(file.total_bytes_ / (1024.0 * 1024), 2), ' M') " +
+                "  WHEN file.total_bytes_ >= 1024 THEN CONCAT(ROUND(file.total_bytes_ / 1024.0, 2), ' K') ELSE CONCAT(file.total_bytes_, 'B') END , ')') as file_info_," +
+                "  wj.wen_jian_xi_lei_,wj.wen_jian_bian_hao,wj.wen_jian_ming_che,wj.ban_ben_,wj.wen_jian_fu_jian_ AS fu_jian_,wj.fa_bu_shi_jian_ as fa_fang_shi_jian_,sq.cha_yue_jie_zhi_s FROM t_wjxxb wj " +
+                "  LEFT JOIN (SELECT * FROM t_skwjcysqsqzb WHERE parent_id_ in (SELECT id_ from t_skwjcysqsq WHERE shi_fou_guo_shen_='已完成' and bian_zhi_ren_='%s')) sq ON wj.id_ = sq.wen_jian_id_ " +
+                "  left join (select id_,parent_id_ from t_wjcyjl group by parent_id_) cy on cy.parent_id_ = wj.id_ " +
+                "  left join (select id_,parent_id_ from t_wjscjl group by parent_id_) sc on sc.parent_id_ = wj.id_ " +
+                "  left join ibps_file_attachment file on file.id_ = wj.wen_jian_fu_jian_ WHERE wj.shi_fou_guo_shen_ = '有效' AND (%s OR %s " +
+                "  OR EXISTS (SELECT 1 FROM t_wjxdzb wjxdzb JOIN t_wjxzxdjlb wjxzxdjlb ON wjxdzb.id_ = wjxzxdjlb.parent_id_ JOIN t_wjxxb wjxxb ON wjxxb.shu_ju_lai_yuan_ = wjxzxdjlb.id_ " +
+                "  WHERE wjxxb.id_ = wj.id_ AND CONCAT_WS(',',IF( wjxdzb.bian_zhi_ren_ != '', wjxdzb.bian_zhi_ren_, NULL )," +
+                "  IF( wjxdzb.zhu_shen_he_ren_ != '', wjxdzb.zhu_shen_he_ren_, NULL ), " +
+                "  IF( wjxdzb.zhu_shen_pi_ren_ != '', wjxdzb.zhu_shen_pi_ren_, NULL ) " +
+                "  ) LIKE '%%%s%%' ))  and FIND_IN_SET (wj.xi_lei_id_,'%s') ";
+        sxsql = String.format(sxsql, userId, ContextUtil.isSuper() , BeanUtils.isNotEmpty(roleMap) , userId , kzIds);
+        sxsql = sxsql + conditions + sorts;
+        List<Map<String, Object>> limitLists = (List<Map<String, Object>>) commonDao.query(sxsql);
+        List<Map<String, Object>> mergedList = Stream.concat(Stream.concat(limitLists.stream(), buMenList.stream()),comList.stream()).collect(Collectors.toList());
+        Map<String, Object> map = new HashMap<>();
+        map.put("data", mergedList);
+        result.setVariables(map);
+        return result;
+    }
+
+
+    private String getDiDian() {
+        IPartyPositionService partyPositionService = AppUtil.getBean(IPartyPositionService.class);
+        APIResult<List<PartyPositionPo>> result = partyPositionService.findByUserId(ContextUtil.getCurrentUserId());
+        String diDian ="";
+        try {
+            diDian = result.getData().get(0).getPath().split(StringPool.BACK_SLASH + StringPool.DOT)[1];
+        }catch (Exception ex){
+            log.error("Can't get didian information",ex);
+            return null;
+        }
+        return diDian;
+    }
+}
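Review bot: Every query in this new service is assembled with `String.format` or `+` from request parameters — `procDefKey` on L212, `id` on L226/L228, `fileCode`/`fileName`/`version`/`startDate`/`endDate` on L267-L279, `folderId` on L291, and `order` on L284, which is spliced directly into `ORDER BY` — so the endpoints added under a "SQL injection fix" title are themselves injectable; only `type` receives quote doubling (L191), which is not a complete escape for the apparently-MySQL literals used here (`DATE_FORMAT`, `FIND_IN_SET`, `LIMIT`) and leaves the LIKE wildcards `%`/`_` unescaped. Bind values through the two-argument `commonDao.query(sql, params)` overload this same commit uses in UpdateDataTableImpl (presumably positional placeholders — confirm against ICommonDao), and restrict `order` to an allow-list of column names instead of accepting a free-form fragment, e.g. `if (order != null && !ALLOWED_ORDER_COLUMNS.contains(order)) throw new IllegalArgumentException("order");`. Separately, the `role` query on L334 contains `'%s'` but is never passed through `String.format` before `commonDao.queryOne(role)` on L335, so `USER_ID_='%s'` never matches and `BeanUtils.isNotEmpty(roleMap)` on L349 is always false; add `role = String.format(role, userId);` before the call. `getDiDian()` returns `null` on any failure (L368), and callers format it straight into `di_dian_='null'` (L181, L288, L313), which silently queries for a literal "null" site rather than failing; `file.get("AUTHORITY_NAME").toString()` on L254 will also throw on a null column.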

+ 6 - 1
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/sysdata/services/impl/UpdateDataTableImpl.java

@@ -31,6 +31,7 @@ import com.lc.ibps.sysdata.entity.User;
 import com.lc.ibps.sysdata.services.UpdateDataTableService;
 import io.swagger.annotations.ApiParam;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -85,7 +86,11 @@ public class UpdateDataTableImpl extends GenericProvider implements UpdateDataTa
         Map<String, Object> map = commonDao.queryOne(sql);
         List<Map<String, Object>> list = new ArrayList<>();
         if (BeanUtils.isNotEmpty(map) && BeanUtils.isNotEmpty(map.get("sql_"))) {
-            Object[] params = queryDTO.getParams().toArray();
+            Object[] origin = queryDTO.getParams().toArray();
+            Object[] params = new Object[origin.length];
+            for(Object o : origin) {
+                params = ArrayUtils.add(params, RequestUtil.filterInjectQuery(o.toString()));
+            }
             list = (List<Map<String, Object>>) commonDao.query( map.get("sql_").toString(), params);
         }
         Map<String, Object> datas = new HashMap<>();
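Review bot: The loop on L391-L394 mis-sizes the parameter array: `params` starts as `new Object[origin.length]` (all nulls) and `ArrayUtils.add` appends, so the array handed to `commonDao.query` on L395 is twice as long, with `origin.length` leading nulls bound to the placeholders the filtered values were meant to fill. Replace the preallocate-then-append with an indexed copy, `for (int i = 0; i < origin.length; i++) params[i] = origin[i] == null ? null : RequestUtil.filterInjectQuery(origin[i].toString());`, which also removes the `o.toString()` NPE on a null parameter and makes the new `ArrayUtils` import in the first hunk unnecessary. Note that these values are bound as parameters, so the regex blocklist from RequestUtil (widened in this commit to match `=`, `%`, quotes and common words) adds no injection protection here and will alter legitimate values; the statement text in `sql_` is what decides injection safety, and converting every parameter to `String` presumably changes the type numbers and dates are bound with — confirm against the dao.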