
SQL injection问题

zhc
review512jwy@163.com 1 week ago
parent
commit
0653e5887b
  1. 2
      data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
  2. 2
      data-center-business-model/src/main/java/com/techsor/datacenter/business/entity/RedisAlarmDTO.java
  3. 20
      data-center-business-service/src/main/java/com/techsor/datacenter/business/service/impl/CommonServiceImpl.java
  4. 8
      data-center-business-service/src/main/java/com/techsor/datacenter/business/service/impl/DeviceServiceImpl.java

2
data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java

@ -62,7 +62,7 @@ public class CrosXssFilter implements Filter {
httpServletResponse.setHeader("Pragma", "no-cache"); httpServletResponse.setHeader("Pragma", "no-cache");
httpServletResponse.setDateHeader("Expires", 0); httpServletResponse.setDateHeader("Expires", 0);
httpServletResponse.setHeader("X-Frame-Options", "deny"); httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
String nonce = UUID.randomUUID().toString().replace("-", "").substring(0, 16); // 生成随机 nonce String nonce = UUID.randomUUID().toString().replace("-", "").substring(0, 16); // 生成随机 nonce
httpServletResponse.setHeader("Content-Security-Policy", httpServletResponse.setHeader("Content-Security-Policy",
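Review bot: Relaxing `X-Frame-Options` from `deny` to `SAMEORIGIN` widens who may frame these responses, and neither the hunk nor the commit title (an SQL-injection fix) records why; a comment next to the header such as `// SAMEORIGIN: same-origin pages may embed this response (needed by <consumer page — placeholder>); cross-origin framing stays blocked` keeps the reason with the setting. The `Content-Security-Policy` header set on the next line needs to agree: if that policy carries a `frame-ancestors` directive, browsers apply it in place of `X-Frame-Options`, so it would have to list `'self'` for this change to take effect — the policy value is outside the hunk, so this cannot be confirmed here. The enclosing filter method starts and ends outside the hunk.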

2
data-center-business-model/src/main/java/com/techsor/datacenter/business/entity/RedisAlarmDTO.java

@ -14,6 +14,8 @@ import lombok.NoArgsConstructor;
@NoArgsConstructor @NoArgsConstructor
public class RedisAlarmDTO{ public class RedisAlarmDTO{
private String deviceId;
@Schema(description ="roid接口返回的id",example = "1") @Schema(description ="roid接口返回的id",example = "1")
private Long problemReportId; private Long problemReportId;
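Review bot: The new `deviceId` field carries no `@Schema` annotation, while the sibling `problemReportId` directly below documents itself with `@Schema(description = ..., example = ...)`, so the generated API schema will describe one field and not the other. Adding `@Schema(description = "device id", example = "<example-device-id — placeholder>")` above `private String deviceId;` keeps the DTO documentation consistent. The class body continues past the hunk, so how `deviceId` is populated is not visible here.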

20
data-center-business-service/src/main/java/com/techsor/datacenter/business/service/impl/CommonServiceImpl.java

@ -439,11 +439,13 @@ public class CommonServiceImpl implements CommonService {
DESUtil.decrypt(apikeyInfo.getAuroraPassword(), Constants.DES_SALT))) { DESUtil.decrypt(apikeyInfo.getAuroraPassword(), Constants.DES_SALT))) {
for (ApiDeviceInfoVO apiDeviceInfoVO : deviceInfos) { for (ApiDeviceInfoVO apiDeviceInfoVO : deviceInfos) {
String sql = " select rawData, receive_ts from rawData_realtime where deviceId = '" + apiDeviceInfoVO.getDeviceId() + "' limit 1" ; String sql = "select rawData, receive_ts from rawData_realtime where deviceId = ? limit 1";
logger.info("queryAssetInfo aurora sql:" + sql); logger.info("queryAssetInfo aurora sql:" + sql);
try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) { try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) {
ResultSet retult = preparedStatement.executeQuery(sql); preparedStatement.setString(1, apiDeviceInfoVO.getDeviceId());
ResultSet retult = preparedStatement.executeQuery();
while (retult.next()) { while (retult.next()) {
String rawData = retult.getString("rawData"); String rawData = retult.getString("rawData");
@ -970,11 +972,13 @@ public class CommonServiceImpl implements CommonService {
for (ApiAlarmDeviceInfoVO apiAlarmDeviceInfoVO : deviceInfoVOs) { for (ApiAlarmDeviceInfoVO apiAlarmDeviceInfoVO : deviceInfoVOs) {
// String sql = " select rawData, receive_ts, alertTitle, alertLevel,alertLevelName,alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ; // String sql = " select rawData, receive_ts, alertTitle, alertLevel,alertLevelName,alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ;
// String sql = " select rawData, receive_ts, alertTitle, alertLevel, alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ; // String sql = " select rawData, receive_ts, alertTitle, alertLevel, alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ;
String sql = " select rawData, receive_ts, alertTitle, alertLevel,alertLevelName, alertTypeName from alertData where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ; String sql = "select rawData, receive_ts, alertTitle, alertLevel, alertLevelName, alertTypeName from alertData where deviceId = ? order by receive_ts desc limit 1";
logger.info("queryAlarmDevice aurora sql:" + sql); logger.info("queryAlarmDevice aurora sql:" + sql);
try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) { try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) {
ResultSet retult = preparedStatement.executeQuery(sql); preparedStatement.setString(1, apiAlarmDeviceInfoVO.getDeviceId());
ResultSet retult = preparedStatement.executeQuery();
while (retult.next()) { while (retult.next()) {
String rawData = retult.getString("rawData"); String rawData = retult.getString("rawData");
@ -2069,11 +2073,13 @@ public class CommonServiceImpl implements CommonService {
for (ApiCancelAlarmDeviceInfoVO apiCancelAlarmDeviceInfoVO : deviceInfoVOs) { for (ApiCancelAlarmDeviceInfoVO apiCancelAlarmDeviceInfoVO : deviceInfoVOs) {
// String sql = " select rawData, receive_ts, alertTitle, alertLevel,alertLevelName,alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ; // String sql = " select rawData, receive_ts, alertTitle, alertLevel,alertLevelName,alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ;
// String sql = " select rawData, receive_ts, alertTitle, alertLevel, alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ; // String sql = " select rawData, receive_ts, alertTitle, alertLevel, alertTypeName from "+formatRawDataWithDate()+" where deviceId = '" + apiAlarmDeviceInfoVO.getDeviceId() + "' order by receive_ts desc limit 1" ;
String sql = " select rawData, receive_ts, alertCancelTitle, alertLevel,alertLevelName, alertTypeName from rawData_realtime where deviceId = '" + apiCancelAlarmDeviceInfoVO.getDeviceId() + "' limit 1" ; String sql = "select rawData, receive_ts, alertCancelTitle, alertLevel, alertLevelName, alertTypeName from rawData_realtime where deviceId = ? limit 1";
logger.info("queryAlarmDevice aurora sql:" + sql); logger.info("queryAlarmDevice aurora sql: " + sql);
try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) { try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) {
ResultSet retult = preparedStatement.executeQuery(sql); preparedStatement.setString(1, apiCancelAlarmDeviceInfoVO.getDeviceId());
ResultSet retult = preparedStatement.executeQuery();
while (retult.next()) { while (retult.next()) {
String rawData = retult.getString("rawData"); String rawData = retult.getString("rawData");
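Review bot: In all three hunks of this file (and the matching hunk in DeviceServiceImpl) the `ResultSet retult` produced by the new `preparedStatement.executeQuery()` line is a plain local rather than a try-with-resources resource, so it is closed only implicitly when the enclosing `PreparedStatement` closes; wrapping the loop as `try (ResultSet retult = preparedStatement.executeQuery()) { ... }` after the `setString` call makes the release explicit and survives a later refactor that keeps the statement open longer. The third hunk (the `ApiCancelAlarmDeviceInfoVO` loop, old line 2069) still logs under the tag `"queryAlarmDevice aurora sql: "`, identical to the second hunk's query, so the two cannot be told apart in the log; since that line was touched anyway, the tag should name its own method (presumably the cancel-alarm query — the signature is outside the hunk). Now that `sql` is a constant template, `logger.info("... aurora sql:" + sql)` no longer records which device was queried; if that was the purpose of the line, log the bound value separately, e.g. `logger.info("queryAssetInfo aurora sql:{} deviceId={}", sql, apiDeviceInfoVO.getDeviceId());`, assuming this logger accepts `{}` placeholders as the one in DeviceServiceImpl does. Each enclosing method starts and ends outside its hunk.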

8
data-center-business-service/src/main/java/com/techsor/datacenter/business/service/impl/DeviceServiceImpl.java

@ -2434,11 +2434,13 @@ public class DeviceServiceImpl implements IDeviceService {
Class.forName("com.mysql.cj.jdbc.Driver"); Class.forName("com.mysql.cj.jdbc.Driver");
try (Connection conn = DriverManager.getConnection(MessageFormat.format(Constants.AURORA_URL_FORMAT, apikeyInfo.getAuroraUrl()), try (Connection conn = DriverManager.getConnection(MessageFormat.format(Constants.AURORA_URL_FORMAT, apikeyInfo.getAuroraUrl()),
apikeyInfo.getAuroraUsername(), apikeyInfo.getAuroraPassword())) { apikeyInfo.getAuroraUsername(), apikeyInfo.getAuroraPassword())) {
String sql = "select * from " + table + " where deviceId = '" + auroraDataParam.getDeviceId() +"' and " + String sql = "select * from " + table + " where deviceId = ? and ? <= receive_ts and receive_ts <= ? order by receive_ts desc, hashId desc ";
auroraDataParam.getStartTime() + " <= receive_ts and receive_ts <= " + auroraDataParam.getEndTime() + " order by receive_ts desc, hashId desc ";
logger.info("getAuroraData sql:{}", sql); logger.info("getAuroraData sql:{}", sql);
try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) { try (PreparedStatement preparedStatement = conn.prepareStatement(sql)) {
ResultSet retult = preparedStatement.executeQuery(sql); preparedStatement.setString(1, auroraDataParam.getDeviceId()); // 绑定 deviceId 参数
preparedStatement.setLong(2, auroraDataParam.getStartTime()); // 绑定 startTime 参数
preparedStatement.setLong(3, auroraDataParam.getEndTime()); // 绑定 endTime 参数
ResultSet retult = preparedStatement.executeQuery();
// 遍历结果集 // 遍历结果集
while (retult.next()) { while (retult.next()) {
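Review bot: The table name is still spliced into the query by concatenation (`"select * from " + table + " where deviceId = ? ..."`) while the three value parameters are now bound; a `?` placeholder cannot carry an identifier, so this remains an injection path unless `table` is constrained to a fixed set of known table names before it reaches this line — where `table` is computed is outside the hunk, so whether such a check exists cannot be seen here. If it is not already constrained, a check such as `if (!ALLOWED_TABLES.contains(table)) throw new IllegalArgumentException("unknown table: " + table);` before `sql` is built (with `ALLOWED_TABLES` a constant set of the tables this method may read — placeholder name) closes it. The new `setLong(2, ...)` / `setLong(3, ...)` calls also assume `getStartTime()` and `getEndTime()` yield non-null numeric values; if they are boxed `Long`, an absent bound now fails with a `NullPointerException` at the bind, which is safer than the old string splice but deserves an explicit null check with a clearer message. The enclosing method starts and ends outside the hunk.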
