猿问

使用后格雷SQL副本JDBC防止SQL注入

我有以下代码来使用PG COPY将表格下载为文件:


    public void download(String table, Writer responseWriter) throws SQLException, IOException {

        try (Connection conn = dataSource.getConnection()) {

            CopyManager copyManager = new CopyManager(conn.unwrap(BaseConnection.class));

            // SQL Injection can happen here!

            String statement = "COPY " + table + " TO STDOUT WITH NULL ''";

            copyManager.copyOut(statement, responseWriter);

        }

    }

显然,此代码容易发生 SQL 注入(表参数是从弹簧 REST 控制器传递的)。当然,我可以做一些手动卫生,但如果有一个“准备声明”的方式在CopyManager中做到这一点,我会更喜欢它。使用春季Jdbc模板的奖励积分。


暮色呼如
浏览 224回答 1
1回答

德玛西亚99

除了一揽子SQL注入(恶意人员试图执行诸如向命令中添加语句之类的操作)之外,还有另一个问题。由于您的代码允许运行任何有效的表名,因此它仍然存在泄露架构中任何表中包含的数据的风险。DELETECOPY因此,这里安全的做法可能是维护您希望允许用户访问的表的白名单。任何与列表不匹配的输入表名称都将被拒绝。假设您的表列表驻留在 中,我们可以对您的代码进行以下更改:Listpublic void download(String table, Writer responseWriter) throws SQLException, IOException {&nbsp; &nbsp; // get list of all allowed tables&nbsp; &nbsp; List<String> fileList = getAllowedTables();&nbsp; &nbsp; if (!fileList.contains(table)) {&nbsp; &nbsp; &nbsp; &nbsp; throw new IllegalAccessException("Someone tried to access a forbidden table.");&nbsp; &nbsp; }&nbsp; &nbsp; try (Connection conn = dataSource.getConnection()) {&nbsp; &nbsp; &nbsp; &nbsp; CopyManager copyManager = new CopyManager(conn.unwrap(BaseConnection.class));&nbsp; &nbsp; &nbsp; &nbsp; // SQL Injection can happen here!&nbsp; &nbsp; &nbsp; &nbsp; String statement = "COPY " + table + " TO STDOUT WITH NULL ''";&nbsp; &nbsp; &nbsp; &nbsp; copyManager.copyOut(statement, responseWriter);&nbsp; &nbsp; }}
0
随时随地看视频慕课网APP

相关分类

Java
我要回答