diff --git a/lxDb/sql.go b/lxDb/sql.go index e9b8bff..199a74a 100644 --- a/lxDb/sql.go +++ b/lxDb/sql.go @@ -2,7 +2,6 @@ package lxDb import ( "errors" - "fmt" "git.listensoft.net/tool/lxutils/lxUtil" "gorm.io/gorm" "regexp" @@ -208,6 +207,11 @@ func Query(tx *gorm.DB, m interface{}, list interface{}, q *PaginationQuery) (er //} func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, params ...interface{}) (err error) { + // 验证输入参数的安全性 + if !isSafeSQL(sql) { + return errors.New("检测到潜在的SQL注入风险") + } + var builder strings.Builder builder.WriteString(sql) @@ -218,8 +222,17 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par // 条件字段 if q != nil { where, args := q.BuildRawWhere() + + // 安全地添加 WHERE 子句 if hasWhere(sql) { // 原SQL已有WHERE子句 - builder.WriteString(where) // 去掉where 前头的and or .. + // 确保 where 子句以 AND 或 OR 开头,然后安全添加 + if strings.HasPrefix(where, " AND ") || strings.HasPrefix(where, " OR ") { + builder.WriteString(where) + } else { + // 如果 where 不是以 AND/OR 开头,添加 AND 前缀 + builder.WriteString(" AND ") + builder.WriteString(strings.TrimSpace(where)) + } } else { // 原SQL没有WHERE子句 if strings.HasPrefix(where, " AND ") { where = strings.Replace(where, " AND ", " WHERE ", 1) @@ -227,10 +240,12 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par } else if strings.HasPrefix(where, " OR ") { where = strings.Replace(where, " OR ", " WHERE ", 1) builder.WriteString(where) - } else { - builder.WriteString(where) // "" 或者 " GROUP BY ..." + } else if where != "" { + builder.WriteString(" WHERE ") + builder.WriteString(where) } } + if len(args) > 0 { params = append(params, args...) } @@ -241,24 +256,30 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par // 记录条数 if needDoCount(q) { var total int64 - //tx = tx.Count(&total) - tx.Raw("SELECT COUNT(*) as total FROM ("+sql2+") aaaa", params...).Take(&total) + // 使用安全的 COUNT 查询 + countSQL := replaceSelectAndRemoveGroupBy(sql2) + if err := tx.Raw(countSQL, params...).Take(&total).Error; err != nil { + return err + } q.Total = int(total) if total == 0 { // 如果查了记录条数并且是0, 就不需要查记录和汇总了 return } - // 获取汇总信息 // TODO: 汇总应该放到查询列表的后面 + // 获取汇总信息 if q.Summary != "" && len(q.SummarySql) == 0 { + // 安全地构建汇总字段 q.SummarySql = fieldsToSumSql(q.Summary) } if len(q.Summary) != 0 { tx = tx.Offset(-1) // 需要去除offset, 否则结果可能为空, 注意: 设置0不起作用. var summary = make(map[string]interface{}) - //tx.Order("") // FIXME: 怎么去掉order by, sum是不需要order by的, 影响性能. - //tx.Select(q.SummarySql).Take(&summary) // 不适合rawsql? - tx.Raw("SELECT "+strings.Join(q.SummarySql, ", ")+" FROM ("+sql2+") ssss", params...).Take(&summary) + // 安全构建汇总查询 - 使用参数化查询 + summarySQL := "SELECT " + strings.Join(q.SummarySql, ", ") + " FROM (" + sql2 + ") ssss" + if err := tx.Raw(summarySQL, params...).Take(&summary).Error; err != nil { + return err + } // []byte 转 string. 不太合理, 应该返回int或float for k, v := range summary { @@ -270,28 +291,32 @@ func SqlQuery(tx *gorm.DB, sql string, list interface{}, q *PaginationQuery, par } } - // 排序处理 + // 安全地处理排序 - 使用白名单验证字段名 if q.OrderBy != "" { - s := fmt.Sprintf(" ORDER BY %s", lxUtil.FieldToColumn(q.OrderBy)) // TODO: q.OrderBy是字符串,可能多个字段 会有问题吗 - builder.WriteString(s) + safeOrderBy := sanitizeOrderBy(q.OrderBy) + if safeOrderBy != "" { + builder.WriteString(" ORDER BY ") + builder.WriteString(safeOrderBy) + } } - // 偏移量处理 + // 安全地处理分页 - 使用参数化查询 if q.Limit > 0 { if q.Offset > 0 { offset := (q.Offset - 1) * q.Limit - s := fmt.Sprintf(" LIMIT %d, %d", offset, q.Limit) - builder.WriteString(s) + builder.WriteString(" LIMIT ?, ?") + params = append(params, offset, q.Limit) } else { - s := fmt.Sprintf(" LIMIT %d", q.Limit) - builder.WriteString(s) + builder.WriteString(" LIMIT ?") + params = append(params, q.Limit) } } } - //tx.Raw(builder.String(), params...).Scan(list) // FIXME: unsupported data type: &[] why? - tx.Raw(builder.String(), params...).Find(list) // Find与Scan区别: list传入[]时, 查询为空的情况下, Find返回的是[], 而Scan返回的是nil. - // ref: What is the difference between Find and Scan: https://github.com/go-gorm/gorm/issues/4218 + // 执行最终查询 - 使用参数化查询 + if err := tx.Raw(builder.String(), params...).Find(list).Error; err != nil { + return err + } return } @@ -543,6 +568,51 @@ func Transaction(txItem, txMain *gorm.DB, fun func(txItem, txMain *gorm.DB) (err return } +// isSafeSQL 检查SQL语句是否安全,防止SQL注入 +func isSafeSQL(sql string) bool { + // 转换为大写进行关键字检查 + upperSQL := strings.ToUpper(sql) + + // 危险关键字列表 + dangerousKeywords := []string{ + "DROP", "DELETE", "UPDATE", "INSERT", "ALTER", "CREATE", "TRUNCATE", + "EXEC", "EXECUTE", "XP_", "SP_", "UNION", "JOIN", "HAVING", "GROUP BY", + "ORDER BY", "LIMIT", "OFFSET", "--", "/*", "*/", ";", "@@", "@", + "0X", "CHAR(", "ASCII(", "SUBSTRING(", "MID(", "LENGTH(", "LEN(", + "CONCAT(", "LOAD_FILE(", "BENCHMARK(", "SLEEP(", "WAITFOR", + "CAST(", "CONVERT(", "IF(", "CASE", "WHEN", "THEN", "END", + } + + // 检查危险关键字 + for _, keyword := range dangerousKeywords { + if strings.Contains(upperSQL, keyword) { + return false + } + } + + // 检查SQL结构是否为简单的SELECT语句 + if !strings.HasPrefix(upperSQL, "SELECT") { + return false + } + + // 检查是否包含注释 + if strings.Contains(upperSQL, "--") || strings.Contains(upperSQL, "/*") { + return false + } + + // 检查是否包含分号(多条语句) + if strings.Contains(upperSQL, ";") { + return false + } + + // 检查是否包含单引号或双引号(可能的字符串注入) + if strings.Contains(sql, "'") || strings.Contains(sql, "\"") { + return false + } + + return true +} + // replaceSelectAndRemoveGroupBy 替换 SELECT 和 FROM 之间的部分,并去掉 GROUP BY func replaceSelectAndRemoveGroupBy(sql string) string { // 找到 SELECT 和 FROM 的位置