refactor(curd): 重构排序字段处理，预防 SQL 注入问题

continew-starter-data/continew-starter-data-core/pom.xml

@@ -18,5 +18,10 @@
             <groupId>cn.hutool</groupId>
             <artifactId>hutool-db</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>org.springframework.data</groupId>
+            <artifactId>spring-data-commons</artifactId>
+        </dependency>
     </dependencies>
 </project>

continew-starter-data/continew-starter-data-core/src/main/java/top/continew/starter/data/core/util/SqlInjectionUtils.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+ * <p>
+ * Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.gnu.org/licenses/lgpl.html
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package top.continew.starter.data.core.util;
+
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+ * SQL 注入验证工具类
+ *
+ * @author hubin
+ * @since 2.5.2
+ */
+public class SqlInjectionUtils {
+
+    /**
+     * SQL语法检查正则：符合两个关键字（有先后顺序）才算匹配
+     */
+    private static final Pattern SQL_SYNTAX_PATTERN = Pattern
+        .compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" + "\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)|(and|or)\\s+.*", Pattern.CASE_INSENSITIVE);
+
+    /**
+     * 使用'、;或注释截断SQL检查正则
+     */
+    private static final Pattern SQL_COMMENT_PATTERN = Pattern
+        .compile("'.*(or|union|--|#|/\\*|;)", Pattern.CASE_INSENSITIVE);
+
+    /**
+     * 检查参数是否存在 SQL 注入
+     *
+     * @param value 检查参数
+     * @return true：非法；false：合法
+     */
+    public static boolean check(String value) {
+        Objects.requireNonNull(value);
+        // 处理是否包含 SQL 注释字符 || 检查是否包含 SQ L注入敏感字符
+        return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
+    }
+}

continew-starter-data/continew-starter-data-mybatis-flex/src/main/java/top/continew/starter/data/mybatis/flex/util/QueryWrapperHelper.java

@@ -14,21 +14,23 @@
  * limitations under the License.
  */
 
-package top.continew.starter.data.mybatis.flex.query;
+package top.continew.starter.data.mybatis.flex.util;
 
+import cn.hutool.core.collection.CollUtil;
+import cn.hutool.core.text.CharSequenceUtil;
+import cn.hutool.core.util.ArrayUtil;
+import cn.hutool.core.util.ObjectUtil;
 import com.mybatisflex.core.query.QueryWrapper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import cn.hutool.core.collection.CollUtil;
-import cn.hutool.core.util.ArrayUtil;
-import cn.hutool.core.util.ObjectUtil;
-import cn.hutool.core.text.CharSequenceUtil;
+import org.springframework.data.domain.Sort;
 import top.continew.starter.core.exception.BadRequestException;
 import top.continew.starter.core.util.ReflectUtils;
 import top.continew.starter.core.util.validate.ValidationUtils;
 import top.continew.starter.data.core.annotation.Query;
 import top.continew.starter.data.core.annotation.QueryIgnore;
 import top.continew.starter.data.core.enums.QueryType;
+import top.continew.starter.data.core.util.SqlInjectionUtils;
 
 import java.lang.reflect.Field;
 import java.util.ArrayList;
@@ -56,10 +58,9 @@ public class QueryWrapperHelper {
      *
      * @param query 查询条件
      * @param <Q>   查询条件数据类型
-     * @param <R>   查询数据类型
      * @return QueryWrapper
      */
-    public static <Q, R> QueryWrapper build(Q query) {
+    public static <Q> QueryWrapper build(Q query) {
         QueryWrapper queryWrapper = QueryWrapper.create();
         // 没有查询条件，直接返回
         if (null == query) {
@@ -70,6 +71,34 @@ public class QueryWrapperHelper {
         return build(query, fieldList, queryWrapper);
     }
 
+    /**
+     * 构建 QueryWrapper
+     *
+     * @param query 查询条件
+     * @param sort  排序条件
+     * @param <Q>   查询条件数据类型
+     * @return QueryWrapper
+     * @since 2.5.2
+     */
+    public static <Q> QueryWrapper build(Q query, Sort sort) {
+        QueryWrapper queryWrapper = QueryWrapper.create();
+        // 没有查询条件，直接返回
+        if (null == query) {
+            return queryWrapper;
+        }
+        // 设置排序条件
+        if (sort != null && sort.isSorted()) {
+            for (Sort.Order order : sort) {
+                String field = CharSequenceUtil.toUnderlineCase(order.getProperty());
+                ValidationUtils.throwIf(SqlInjectionUtils.check(field), "排序字段包含非法字符");
+                queryWrapper.orderBy(field, order.isAscending());
+            }
+        }
+        // 获取查询条件中所有的字段
+        List<Field> fieldList = ReflectUtils.getNonStaticFields(query.getClass());
+        return build(query, fieldList, queryWrapper);
+    }
+
     /**
      * 构建 QueryWrapper
      *

continew-starter-data/continew-starter-data-mybatis-plus/src/main/java/top/continew/starter/data/mybatis/plus/util/QueryWrapperHelper.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package top.continew.starter.data.mybatis.plus.query;
+package top.continew.starter.data.mybatis.plus.util;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -23,18 +23,17 @@ import cn.hutool.core.util.ArrayUtil;
 import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.text.CharSequenceUtil;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
+import org.springframework.data.domain.Sort;
 import top.continew.starter.core.exception.BadRequestException;
 import top.continew.starter.core.util.ReflectUtils;
 import top.continew.starter.core.util.validate.ValidationUtils;
 import top.continew.starter.data.core.annotation.Query;
 import top.continew.starter.data.core.annotation.QueryIgnore;
 import top.continew.starter.data.core.enums.QueryType;
+import top.continew.starter.data.core.util.SqlInjectionUtils;
 
 import java.lang.reflect.Field;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
+import java.util.*;
 import java.util.function.Consumer;
 
 /**
@@ -60,11 +59,33 @@ public class QueryWrapperHelper {
      * @return QueryWrapper
      */
     public static <Q, R> QueryWrapper<R> build(Q query) {
+        return build(query, Sort.unsorted());
+    }
+
+    /**
+     * 构建 QueryWrapper
+     *
+     * @param query 查询条件
+     * @param sort  排序条件
+     * @param <Q>   查询条件数据类型
+     * @param <R>   查询数据类型
+     * @return QueryWrapper
+     * @since 2.5.2
+     */
+    public static <Q, R> QueryWrapper<R> build(Q query, Sort sort) {
         QueryWrapper<R> queryWrapper = new QueryWrapper<>();
         // 没有查询条件，直接返回
         if (null == query) {
             return queryWrapper;
         }
+        // 设置排序条件
+        if (sort != null && sort.isSorted()) {
+            for (Sort.Order order : sort) {
+                String field = CharSequenceUtil.toUnderlineCase(order.getProperty());
+                ValidationUtils.throwIf(SqlInjectionUtils.check(field), "排序字段包含非法字符");
+                queryWrapper.orderBy(true, order.isAscending(), field);
+            }
+        }
         // 获取查询条件中所有的字段
         List<Field> fieldList = ReflectUtils.getNonStaticFields(query.getClass());
         return build(query, fieldList, queryWrapper);