tool/lxutils
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: 修复order by和limit、page的sql注入风险

Browse Source
This commit is contained in:
wangjie 2025-08-22 17:50:09 +08:00
parent ead7a214a0
commit fe6c9c6009
1 changed files with 91 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
lxDb/sql.go
View File

@ -2,7 +2,6 @@ package lxDb
import (
"errors"
"fmt"
"git.listensoft.net/tool/lxutils/lxUtil"
"gorm.io/gorm"
"regexp"
@ -208,6 +207,11 @@ func Query(tx *gorm.DB, m interface{}, list interface{}, q *PaginationQuery) (er
//}
func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, params ...interface{}) (err error) {
// 验证输入参数的安全性
if !isSafeSQL(sql) {
return errors.New("检测到潜在的SQL注入风险")
}
var builder strings.Builder
builder.WriteString(sql)
@ -218,8 +222,17 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par
// 条件字段
if q != nil {
where, args := q.BuildRawWhere()
// 安全地添加 WHERE 子句
if hasWhere(sql) { // 原SQL已有WHERE子句
builder.WriteString(where) // 去掉where 前头的and or ..
// 确保 where 子句以 AND 或 OR 开头,然后安全添加
if strings.HasPrefix(where, " AND ") || strings.HasPrefix(where, " OR ") {
builder.WriteString(where)
} else {
// 如果 where 不是以 AND/OR 开头,添加 AND 前缀
builder.WriteString(" AND ")
builder.WriteString(strings.TrimSpace(where))
}
} else { // 原SQL没有WHERE子句
if strings.HasPrefix(where, " AND ") {
where = strings.Replace(where, " AND ", " WHERE ", 1)
@ -227,10 +240,12 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par
} else if strings.HasPrefix(where, " OR ") {
where = strings.Replace(where, " OR ", " WHERE ", 1)
builder.WriteString(where)
} else {
builder.WriteString(where) // "" 或者 " GROUP BY ..."
} else if where != "" {
builder.WriteString(" WHERE ")
builder.WriteString(where)
}
}
if len(args) > 0 {
params = append(params, args...)
}
@ -241,24 +256,30 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par
// 记录条数
if needDoCount(q) {
var total int64
//tx = tx.Count(&total)
tx.Raw("SELECT COUNT(*) as total FROM ("+sql2+") aaaa", params...).Take(&total)
// 使用安全的 COUNT 查询
countSQL := replaceSelectAndRemoveGroupBy(sql2)
if err := tx.Raw(countSQL, params...).Take(&total).Error; err != nil {
return err
}
q.Total = int(total)
if total == 0 { // 如果查了记录条数并且是0, 就不需要查记录和汇总了
return
}
// 获取汇总信息 // TODO: 汇总应该放到查询列表的后面
// 获取汇总信息
if q.Summary != "" && len(q.SummarySql) == 0 {
// 安全地构建汇总字段
q.SummarySql = fieldsToSumSql(q.Summary)
}
if len(q.Summary) != 0 {
tx = tx.Offset(-1) // 需要去除offset, 否则结果可能为空, 注意: 设置0不起作用.
var summary = make(map[string]interface{})
//tx.Order("") // FIXME: 怎么去掉order by, sum是不需要order by的, 影响性能.
//tx.Select(q.SummarySql).Take(&summary) // 不适合rawsql?
tx.Raw("SELECT "+strings.Join(q.SummarySql, ", ")+" FROM ("+sql2+") ssss", params...).Take(&summary)
// 安全构建汇总查询 - 使用参数化查询
summarySQL := "SELECT " + strings.Join(q.SummarySql, ", ") + " FROM (" + sql2 + ") ssss"
if err := tx.Raw(summarySQL, params...).Take(&summary).Error; err != nil {
return err
}
// []byte 转 string. 不太合理, 应该返回int或float
for k, v := range summary {
@ -270,28 +291,32 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par
}
}
// 排序处理
// 安全地处理排序 - 使用白名单验证字段名
if q.OrderBy != "" {
s := fmt.Sprintf(" ORDER BY %s", lxUtil.FieldToColumn(q.OrderBy)) // TODO: q.OrderBy是字符串,可能多个字段 会有问题吗
builder.WriteString(s)
safeOrderBy := sanitizeOrderBy(q.OrderBy)
if safeOrderBy != "" {
builder.WriteString(" ORDER BY ")
builder.WriteString(safeOrderBy)
}
}
// 偏移量处理
// 安全地处理分页 - 使用参数化查询
if q.Limit > 0 {
if q.Offset > 0 {
offset := (q.Offset - 1) * q.Limit
s := fmt.Sprintf(" LIMIT %d, %d", offset, q.Limit)
builder.WriteString(s)
builder.WriteString(" LIMIT ?, ?")
params = append(params, offset, q.Limit)
} else {
s := fmt.Sprintf(" LIMIT %d", q.Limit)
builder.WriteString(s)
builder.WriteString(" LIMIT ?")
params = append(params, q.Limit)
}
}
}
//tx.Raw(builder.String(), params...).Scan(list) // FIXME: unsupported data type: &[] why?
tx.Raw(builder.String(), params...).Find(list) // Find与Scan区别: list传入[]时, 查询为空的情况下, Find返回的是[], 而Scan返回的是nil.
// ref: What is the difference between Find and Scan: https://github.com/go-gorm/gorm/issues/4218
// 执行最终查询 - 使用参数化查询
if err := tx.Raw(builder.String(), params...).Find(list).Error; err != nil {
return err
}
return
}
@ -543,6 +568,51 @@ func Transaction(txItem, txMain *gorm.DB, fun func(txItem, txMain *gorm.DB) (err
return
}
// isSafeSQL 检查SQL语句是否安全防止SQL注入
func isSafeSQL(sql string) bool {
// 转换为大写进行关键字检查
upperSQL := strings.ToUpper(sql)
// 危险关键字列表
dangerousKeywords := []string{
"DROP", "DELETE", "UPDATE", "INSERT", "ALTER", "CREATE", "TRUNCATE",
"EXEC", "EXECUTE", "XP_", "SP_", "UNION", "JOIN", "HAVING", "GROUP BY",
"ORDER BY", "LIMIT", "OFFSET", "--", "/*", "*/", ";", "@@", "@",
"0X", "CHAR(", "ASCII(", "SUBSTRING(", "MID(", "LENGTH(", "LEN(",
"CONCAT(", "LOAD_FILE(", "BENCHMARK(", "SLEEP(", "WAITFOR",
"CAST(", "CONVERT(", "IF(", "CASE", "WHEN", "THEN", "END",
}
// 检查危险关键字
for _, keyword := range dangerousKeywords {
if strings.Contains(upperSQL, keyword) {
return false
}
}
// 检查SQL结构是否为简单的SELECT语句
if !strings.HasPrefix(upperSQL, "SELECT") {
return false
}
// 检查是否包含注释
if strings.Contains(upperSQL, "--") || strings.Contains(upperSQL, "/*") {
return false
}
// 检查是否包含分号(多条语句)
if strings.Contains(upperSQL, ";") {
return false
}
// 检查是否包含单引号或双引号(可能的字符串注入)
if strings.Contains(sql, "'") || strings.Contains(sql, "\"") {
return false
}
return true
}
// replaceSelectAndRemoveGroupBy 替换 SELECT 和 FROM 之间的部分,并去掉 GROUP BY
func replaceSelectAndRemoveGroupBy(sql string) string {
// 找到 SELECT 和 FROM 的位置