Druid-排查conditionDoubleConstAllow配置问题(double const condition)
报错信息
Caused by: java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, double const condition : SELECT * FROM test where 1=1 AND TRUE AND TRUE
关键词:double const condition
Druid进行SQL检查,发现了重复的常量条件
排查过程
- 下载druid源码 https://github.com/alibaba/druid
- 阅读相关文档 文档
- 代码断点调试排查
编写代码复现问题
@RestController
@Slf4j
public class TestController {@Autowiredprivate JdbcTemplate jdbcTemplate;@GetMapping("test")public String test(){String sql = "SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 ";jdbcTemplate.execute(sql);return "Test";}}Druid配置关键信息:wall
spring:datasource:druid:filters: config,wall,stat
运行错误:
java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, part alway true condition not allow : SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:836)at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:801)at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:433)at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2991)at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:143)at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:635)at org.springframework.jdbc.core.JdbcTemplate$1ExecuteStatementCallback.doInStatement(JdbcTemplate.java:422)at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:381)at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:431)
通过文档 https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter 可以看到相关存在相关配置:conditionDoubleConstAllow , 默认为false,既不允许Where条件中有两个以上的常量。
接下来打开源码,搜索conditionDoubleConstAllow,找到以下线索:
- com.alibaba.druid.wall.WallConfig#conditionDoubleConstAllow
- com.alibaba.druid.spring.boot.autoconfigure.stat.DruidFilterConfiguration#wallConfig
解决方法一:将配置filters: config,wall,stat 中的wall去掉,既不进行一些防注入检查,修改有效,但安全性降低,暂不采用
解决方法二:重点关注wallConfig()方法:
private static final String FILTER_WALL_PREFIX = "spring.datasource.druid.filter.wall";private static final String FILTER_WALL_CONFIG_PREFIX = FILTER_WALL_PREFIX + ".config";@Bean@ConfigurationProperties(FILTER_WALL_CONFIG_PREFIX)@ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")@ConditionalOnMissingBeanpublic WallConfig wallConfig() {return new WallConfig();}@Bean@ConfigurationProperties(FILTER_WALL_PREFIX)@ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")@ConditionalOnMissingBeanpublic WallFilter wallFilter(WallConfig wallConfig) {WallFilter filter = new WallFilter();filter.setConfig(wallConfig);return filter;}
发现可以通过配置修改WallConfig#conditionDoubleConstAllow的值,于是进行配置修改:
spring:datasource:druid:filters: config,wall,statfilter:wall:enabled: trueconfig:condition-double-const-allow: true
测试结果:(依旧报错…)
java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, part alway true condition not allow : SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:836)at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:801)at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:433)at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2991)at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:143)at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:635)at org.springframework.jdbc.core.JdbcTemplate$1ExecuteStatementCallback.doInStatement(JdbcTemplate.java:422)at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:381)at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:431)
进一步断点调试:
发现在com.alibaba.druid.spring.boot.autoconfigure.stat.DruidFilterConfiguration#wallFilter方法中,filter.setConfig(wallConfig)时,注入的wallConfig,其conditionDoubleConstAllow属性已经是true,说明配置生效了。
但还是报上述异常,继续调试分析。
@Bean@ConfigurationProperties(FILTER_WALL_PREFIX)@ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")@ConditionalOnMissingBeanpublic WallFilter wallFilter(WallConfig wallConfig) {WallFilter filter = new WallFilter();filter.setConfig(wallConfig);return filter;}
继续调试,关注方法com.alibaba.druid.wall.WallFilter#checkInternal
private WallCheckResult checkInternal(String sql) throws SQLException {WallCheckResult checkResult = provider.check(sql);List<Violation> violations = checkResult.getViolations();if (violations.size() > 0) {Violation firstViolation = violations.get(0);if (isLogViolation()) {LOG.error("sql injection violation, dbType "+ getDbType()+ ", druid-version "+ VERSION.getVersionNumber()+ ", "+ firstViolation.getMessage() + " : " + sql);}if (throwException) {if (violations.get(0) instanceof SyntaxErrorViolation) {SyntaxErrorViolation violation = (SyntaxErrorViolation) violations.get(0);throw new SQLException("sql injection violation, dbType "+ getDbType() + ", "+ ", druid-version "+ VERSION.getVersionNumber()+ ", "+ firstViolation.getMessage() + " : " + sql,violation.getException());} else {throw new SQLException("sql injection violation, dbType "+ getDbType()+ ", druid-version "+ VERSION.getVersionNumber()+ ", "+ firstViolation.getMessage()+ " : " + sql);}}}return checkResult;}com.alibaba.druid.sql.ast.SQLObjectImpl#accept 方法
public final void accept(SQLASTVisitor visitor) {if (visitor == null) {throw new IllegalArgumentException();}visitor.preVisit(this);accept0(visitor);visitor.postVisit(this);}
com.alibaba.druid.wall.spi.WallVisitorUtils#getValue_and方法
public static Object getConditionValue(WallVisitor visitor, SQLExpr x, boolean alwayTrueCheck) {final WallConditionContext old = wallConditionContextLocal.get();try {wallConditionContextLocal.set(new WallConditionContext());final Object value = getValue(visitor, x);final WallConditionContext current = wallConditionContextLocal.get();WallContext context = WallContext.current();if (context != null) {if (current.hasPartAlwayTrue() || Boolean.TRUE == value) {if (!isFirst(x)) {context.incrementWarnings();}}}if (current.hasPartAlwayTrue()&& !visitor.getConfig().isConditionAndAlwayTrueAllow()) {addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);}if (current.hasPartAlwayFalse()&& !visitor.getConfig().isConditionAndAlwayFalseAllow()) {addViolation(visitor, ErrorCode.ALWAYS_FALSE, "part alway false condition not allow", x);}if (current.hasConstArithmetic()&& !visitor.getConfig().isConstArithmeticAllow()) {addViolation(visitor, ErrorCode.CONST_ARITHMETIC, "const arithmetic not allow", x);}if (current.hasXor() && !visitor.getConfig().isConditionOpXorAllow()) {addViolation(visitor, ErrorCode.XOR, "xor not allow", x);}if (current.hasBitwise() && !visitor.getConfig().isConditionOpBitwseAllow()) {addViolation(visitor, ErrorCode.BITWISE, "bitwise operator not allow", x);}return value;} finally {wallConditionContextLocal.set(old);}}
发现到以下代码时,执行了addViolation
if (current.hasPartAlwayTrue()&& !visitor.getConfig().isConditionAndAlwayTrueAllow()) {addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);}
于是再次修改配置:将condition-and-alway-true-allow也改为true
spring:datasource:druid:filters: config,wall,statfilter:wall:enabled: trueconfig:condition-and-alway-true-allow: truecondition-double-const-allow: true
再次测试:执行成功!!!
)
吗?)
-- 算法导论6.4 2题)
