
1. 更新搜索sql注入问题
2. tomcat 8.5.32 安全版本

wuweihao 4 년 전
부모
커밋
35eb646643

+ 67 - 0
museum_common/src/main/java/com/museum/common/util/RegexUtils.java

@@ -0,0 +1,67 @@
+package com.museum.common.util;
+
+import org.junit.Test;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Created by owen on 2020/3/19 0019 15:45
+ *
+ * 正则表达式
+ */
+public class RegexUtils {
+
+
+
+    /** 只允许中文 */
+    static final String isChinese = "^[一-\u9fff]+$";
+
+    public static void main(String[] args) {
+
+    }
+
+    /** 是否包含中文字符 */
+    private static boolean isContainChinese(String param) {
+        Pattern p = Pattern.compile("[\u4e00-\u9fa5]");
+        Matcher m = p.matcher(param);
+        return m.find();
+    }
+
+    /** 只允许中文字符 */
+    private static boolean isChinese(String param) {
+        return param.matches(isChinese);
+    }
+
+
+    /** 去除特殊字符 */
+    @Test
+    public void test1(){
+//        String regEx="[\n`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#¥%……&*()——+|{}【】‘;:”“’。, 、?]";
+        String regEx="[\n`~!@#$%^&*()+=|{}':;',\\[\\]<>/?~!@#¥%……&*()——+|{}【】‘;:”“’。, 、?]";
+
+        String str = "我是 \' 中国(人),你在{干嘛}-哈哈。dddd.jpg";
+        System.out.println(str.replaceAll(regEx, ""));
+
+    }
+
+
+    public static String sqlValid(String str){
+        if (str.isEmpty() || str.length() > 10000) {
+            return "";
+        }
+        String regEx="[\n`~!@#$%^&*()+=|{}':;',\\[\\]<>/?~!@#¥%……&*()——+|{}【】‘;:”“’。, 、?]";
+        return str.replaceAll(regEx, "");
+    }
+
+
+    @Test
+    public void test2(){
+
+        String str = "我是 \' 中国(人),你在{干嘛}-哈哈。dddd.jpg";
+        System.out.println(sqlValid(str));
+
+    }
+
+
+}
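Review bot: `sqlValid` is a character denylist, not an escaping routine for the SQL string-literal context its callers use it in, so all it guarantees is that the listed characters are absent; the providers still assemble the LIKE clause by concatenation, and the durable fix is to bind `searchKey` as a query parameter and keep this helper, if at all, for cosmetic cleanup. The guard `str.isEmpty()` throws on a null argument (the current callers check blankness first, but a public utility should protect itself: `if (str == null || str.isEmpty() || str.length() > 10000) {`), and the over-length branch silently returns `""`, which the callers then append as `like '%%'`, turning an oversized key into a match-everything search rather than a rejected request. `import org.junit.Test;` together with `test1`/`test2` puts the test framework into the production source set; those methods belong under `src/test`, and `main`, `isContainChinese` and `isChinese` are unused. The constant `isChinese` shares its name with the method `isChinese`, which is legal but confusing — a name such as `CHINESE_ONLY` would read better.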

+ 2 - 0
museum_dao/src/main/java/com/museum/dao/Provide/DownloadProvider.java

@@ -1,5 +1,6 @@
 package com.museum.dao.Provide;
 
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.DownloadPageRequest;
 import com.museum.domain.request.PageRequest;
 import lombok.extern.log4j.Log4j2;
@@ -28,6 +29,7 @@ public class DownloadProvider {
 
         String searchKey = param.getSearchKey();
         if(!StringUtils.isAllBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             sql.append(" and (( u.user_name like '%").append(searchKey).append("%' )");
             sql.append(" or ( z.name like '%").append(searchKey).append("%' ))");
         }
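Review bot: The sanitized `searchKey` is still spliced into the SQL text on the two `sql.append` lines following the new call, so the query remains string-built and the fix only narrows the character set; if this provider feeds a MyBatis `@SelectProvider`, the value should be bound instead, e.g. `sql.append(" and (( u.user_name like CONCAT('%', #{searchKey}, '%') )");` with `searchKey` left untouched as a parameter property, and the same applies to the identical hunks in LogProvider, MessageProvider, PartProvider (both hunks), RoamProvider (both hunks), StructureProvider and UserProvider. Note also that `sqlValid` strips `%` but not `_`, which is a LIKE wildcard, so a key containing an underscore still matches any single character at that position, while a key longer than 10000 characters becomes `""` and hence `like '%%'`. The enclosing method starts and ends outside the hunk.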

+ 2 - 0
museum_dao/src/main/java/com/museum/dao/Provide/LogProvider.java

@@ -1,5 +1,6 @@
 package com.museum.dao.Provide;
 
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.PageRequest;
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.lang3.StringUtils;
@@ -24,6 +25,7 @@ public class LogProvider {
 
         String searchKey = param.getSearchKey();
         if(!StringUtils.isAllBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             sql.append(" and (( u.user_name like '%").append(searchKey).append("%' )");
             sql.append(" or ( z.description like '%").append(searchKey).append("%' )");
             sql.append(" or ( z.type like '%").append(searchKey).append("%' ))");

+ 2 - 0
museum_dao/src/main/java/com/museum/dao/Provide/MessageProvider.java

@@ -1,6 +1,7 @@
 package com.museum.dao.Provide;
 
 import cn.hutool.core.util.StrUtil;
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.PageDateRequest;
 import com.museum.domain.request.PageRequest;
 import lombok.extern.log4j.Log4j2;
@@ -25,6 +26,7 @@ public class MessageProvider {
 
         String searchKey = param.getSearchKey();
         if(StrUtil.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             sql.append(" and (");
             sql.append(" message like '%").append(searchKey).append("%'");
             sql.append(" or phone like '%").append(searchKey).append("%'");

+ 3 - 0
museum_dao/src/main/java/com/museum/dao/Provide/PartProvider.java

@@ -1,5 +1,6 @@
 package com.museum.dao.Provide;
 
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.NavRequest;
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,7 @@ public class PartProvider {
 
         String searchKey = param.getSearchKey();
         if(StringUtils.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             // 字符串要加'
             sql.append(" and name like '%").append(searchKey).append("%'");
         }
@@ -59,6 +61,7 @@ public class PartProvider {
 
         String searchKey = param.getSearchKey();
         if(StringUtils.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             // 字符串要加'
             sql.append(" and z.name like '%").append(searchKey).append("%'");
         }

+ 3 - 0
museum_dao/src/main/java/com/museum/dao/Provide/RoamProvider.java

@@ -1,5 +1,6 @@
 package com.museum.dao.Provide;
 
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.NavRequest;
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,7 @@ public class RoamProvider {
 
         String searchKey = param.getSearchKey();
         if(StringUtils.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             // 字符串要加'
             sql.append(" and name like '%").append(searchKey).append("%'");
         }
@@ -58,6 +60,7 @@ public class RoamProvider {
 
         String searchKey = param.getSearchKey();
         if(StringUtils.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             // 字符串要加'
             sql.append(" and z.name like '%").append(searchKey).append("%'");
         }

+ 2 - 0
museum_dao/src/main/java/com/museum/dao/Provide/StructureProvider.java

@@ -1,5 +1,6 @@
 package com.museum.dao.Provide;
 
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.StructurePageRequest;
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,7 @@ public class StructureProvider {
 
         String searchKey = param.getSearchKey();
         if(StringUtils.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             // 字符串要加'
             sql.append(" and name like '%").append(searchKey).append("%'");
         }

+ 2 - 0
museum_dao/src/main/java/com/museum/dao/Provide/UserProvider.java

@@ -1,6 +1,7 @@
 package com.museum.dao.Provide;
 
 import cn.hutool.core.util.StrUtil;
+import com.museum.common.util.RegexUtils;
 import com.museum.domain.request.UserPageRequest;
 import lombok.extern.log4j.Log4j2;
 
@@ -16,6 +17,7 @@ public class UserProvider {
                 "SELECT * FROM tb_user where rec_status = 'A' ");
         String searchKey = param.getSearchKey();
         if(StrUtil.isNotBlank(searchKey)){
+            searchKey = RegexUtils.sqlValid(searchKey);
             sql.append(" and (");
             sql.append(" user_name like '%").append(searchKey).append("%'");
             sql.append(" or phone like '%").append(searchKey).append("%'");