Druid-排查conditionDoubleConstAllow配置问题(double const condition)

Druid-排查conditionDoubleConstAllow配置问题(double const condition)

报错信息

Caused by: java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, double const condition : SELECT * FROM test where 1=1 AND TRUE AND TRUE

关键词:double const condition
Druid进行SQL检查,发现了重复的常量条件

排查过程

  • 下载druid源码 https://github.com/alibaba/druid
  • 阅读相关文档 文档
  • 代码断点调试排查

编写代码复现问题

@RestController
@Slf4j
public class TestController {

    @Autowired
    private JdbcTemplate jdbcTemplate;

    @GetMapping("test")
    public String test(){
        String sql = "SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 ";
        jdbcTemplate.execute(sql);
        return "Test";
    }

}

Druid配置关键信息:wall

spring:
  datasource:
    druid:
      filters: config,wall,stat

运行错误:

java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, part alway true condition not allow : SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 
	at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:836)
	at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:801)
	at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:433)
	at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2991)
	at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:143)
	at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:635)
	at org.springframework.jdbc.core.JdbcTemplate$1ExecuteStatementCallback.doInStatement(JdbcTemplate.java:422)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:381)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:431)

通过文档 https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter 可以看到相关存在相关配置:conditionDoubleConstAllow , 默认为false,既不允许Where条件中有两个以上的常量。
在这里插入图片描述
接下来打开源码,搜索conditionDoubleConstAllow,找到以下线索:

  1. com.alibaba.druid.wall.WallConfig#conditionDoubleConstAllow
  2. com.alibaba.druid.spring.boot.autoconfigure.stat.DruidFilterConfiguration#wallConfig

解决方法一:将配置filters: config,wall,stat 中的wall去掉,既不进行一些防注入检查,修改有效,但安全性降低,暂不采用

解决方法二:重点关注wallConfig()方法:

    private static final String FILTER_WALL_PREFIX = "spring.datasource.druid.filter.wall";
    private static final String FILTER_WALL_CONFIG_PREFIX = FILTER_WALL_PREFIX + ".config";

    @Bean
    @ConfigurationProperties(FILTER_WALL_CONFIG_PREFIX)
    @ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")
    @ConditionalOnMissingBean
    public WallConfig wallConfig() {
        return new WallConfig();
    }
    
    @Bean
    @ConfigurationProperties(FILTER_WALL_PREFIX)
    @ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")
    @ConditionalOnMissingBean
    public WallFilter wallFilter(WallConfig wallConfig) {
        WallFilter filter = new WallFilter();
        filter.setConfig(wallConfig);
        return filter;
    }

发现可以通过配置修改WallConfig#conditionDoubleConstAllow的值,于是进行配置修改:

spring:
  datasource:
    druid:
      filters: config,wall,stat
      filter:
        wall:
          enabled: true
          config:
            condition-double-const-allow: true

测试结果:(依旧报错…)

java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, part alway true condition not allow : SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 
	at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:836)
	at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:801)
	at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:433)
	at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2991)
	at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:143)
	at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:635)
	at org.springframework.jdbc.core.JdbcTemplate$1ExecuteStatementCallback.doInStatement(JdbcTemplate.java:422)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:381)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:431)

进一步断点调试
发现在com.alibaba.druid.spring.boot.autoconfigure.stat.DruidFilterConfiguration#wallFilter方法中,filter.setConfig(wallConfig)时,注入的wallConfig,其conditionDoubleConstAllow属性已经是true,说明配置生效了。
但还是报上述异常,继续调试分析。

    @Bean
    @ConfigurationProperties(FILTER_WALL_PREFIX)
    @ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")
    @ConditionalOnMissingBean
    public WallFilter wallFilter(WallConfig wallConfig) {
        WallFilter filter = new WallFilter();
        filter.setConfig(wallConfig);
        return filter;
    }

继续调试,关注方法com.alibaba.druid.wall.WallFilter#checkInternal

private WallCheckResult checkInternal(String sql) throws SQLException {
        WallCheckResult checkResult = provider.check(sql);
        List<Violation> violations = checkResult.getViolations();

        if (violations.size() > 0) {
            Violation firstViolation = violations.get(0);
            if (isLogViolation()) {
                LOG.error("sql injection violation, dbType "
                        + getDbType()
                        + ", druid-version "
                        + VERSION.getVersionNumber()
                        + ", "
                        + firstViolation.getMessage() + " : " + sql);
            }

            if (throwException) {
                if (violations.get(0) instanceof SyntaxErrorViolation) {
                    SyntaxErrorViolation violation = (SyntaxErrorViolation) violations.get(0);
                    throw new SQLException("sql injection violation, dbType "
                            + getDbType() + ", "
                            + ", druid-version "
                            + VERSION.getVersionNumber()
                            + ", "
                            + firstViolation.getMessage() + " : " + sql,
                            violation.getException());
                } else {
                    throw new SQLException("sql injection violation, dbType "
                            + getDbType()
                            + ", druid-version "
                            + VERSION.getVersionNumber()
                            + ", "
                            + firstViolation.getMessage()
                            + " : " + sql);
                }
            }
        }

        return checkResult;
    }

com.alibaba.druid.sql.ast.SQLObjectImpl#accept 方法

public final void accept(SQLASTVisitor visitor) {
        if (visitor == null) {
            throw new IllegalArgumentException();
        }

        visitor.preVisit(this);

        accept0(visitor);

        visitor.postVisit(this);
    }

com.alibaba.druid.wall.spi.WallVisitorUtils#getValue_and方法

public static Object getConditionValue(WallVisitor visitor, SQLExpr x, boolean alwayTrueCheck) {
        final WallConditionContext old = wallConditionContextLocal.get();
        try {
            wallConditionContextLocal.set(new WallConditionContext());
            final Object value = getValue(visitor, x);

            final WallConditionContext current = wallConditionContextLocal.get();
            WallContext context = WallContext.current();
            if (context != null) {
                if (current.hasPartAlwayTrue() || Boolean.TRUE == value) {
                    if (!isFirst(x)) {
                        context.incrementWarnings();
                    }
                }
            }

            if (current.hasPartAlwayTrue()
                    && !visitor.getConfig().isConditionAndAlwayTrueAllow()) {
                addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);
            }

            if (current.hasPartAlwayFalse()
                    && !visitor.getConfig().isConditionAndAlwayFalseAllow()) {
                addViolation(visitor, ErrorCode.ALWAYS_FALSE, "part alway false condition not allow", x);
            }

            if (current.hasConstArithmetic()
                    && !visitor.getConfig().isConstArithmeticAllow()) {
                addViolation(visitor, ErrorCode.CONST_ARITHMETIC, "const arithmetic not allow", x);
            }

            if (current.hasXor() && !visitor.getConfig().isConditionOpXorAllow()) {
                addViolation(visitor, ErrorCode.XOR, "xor not allow", x);
            }

            if (current.hasBitwise() && !visitor.getConfig().isConditionOpBitwseAllow()) {
                addViolation(visitor, ErrorCode.BITWISE, "bitwise operator not allow", x);
            }

            return value;
        } finally {
            wallConditionContextLocal.set(old);
        }
    }

发现到以下代码时,执行了addViolation

if (current.hasPartAlwayTrue()
                    && !visitor.getConfig().isConditionAndAlwayTrueAllow()) {
                addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);
            }

于是再次修改配置:将condition-and-alway-true-allow也改为true

spring:
  datasource:
    druid:
      filters: config,wall,stat
      filter:
        wall:
          enabled: true
          config:
            condition-and-alway-true-allow: true
            condition-double-const-allow: true

再次测试:执行成功!!!

你可能感兴趣的:(Druid,JAVA,spring,boot)