sql injection violation, part alway true condition

Blade 2 2705
阿耀
阿耀 2020-01-13 19:56

一、该问题的重现步骤是什么?

1. 添加mybatis-plus 多数据源后,报以下错误

Caused by: java.sql.SQLException: sql injection violation, part alway true condition not allow : SELECT id, code, update_user, update_time, sort, source, is_deleted, create_dept, create_time, name, tenant_id, create_user, status FROM blade_top_menu WHERE is_deleted = 0 AND '1' = '1'
 at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:808)
 at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:259)
 at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:568)
 at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:930)
 at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
 at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:568)
 at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:341)
 at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:350)
 at sun.reflect.GeneratedMethodAccessor295.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.ibatis.logging.jdbc.ConnectionLogger.invoke(ConnectionLogger.java:55)
 at com.sun.proxy.$Proxy275.prepareStatement(Unknown Source)
 at org.apache.ibatis.executor.statement.PreparedStatementHandler.instantiateStatement(PreparedStatementHandler.java:86)
 at org.apache.ibatis.executor.statement.BaseStatementHandler.prepare(BaseStatementHandler.java:88)
 at org.apache.ibatis.executor.statement.RoutingStatementHandler.prepare(RoutingStatementHandler.java:59)
 at sun.reflect.GeneratedMethodAccessor383.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.ibatis.plugin.Invocation.proceed(Invocation.java:49)
 at org.springblade.core.datascope.interceptor.DataScopeInterceptor.intercept(DataScopeInterceptor.java:111)
 at org.springblade.core.mp.plugins.QueryInterceptorExecutor.exec(QueryInterceptorExecutor.java:46)
 at org.springblade.core.mp.plugins.PaginationInterceptor.intercept(PaginationInterceptor.java:164)
 at org.apache.ibatis.plugin.Plugin.invoke(Plugin.java:61)
 at com.sun.proxy.$Proxy274.prepare(Unknown Source)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.ibatis.plugin.Plugin.invoke(Plugin.java:63)
 at com.sun.proxy.$Proxy274.prepare(Unknown Source)
 at com.baomidou.mybatisplus.core.executor.MybatisSimpleExecutor.prepareStatement(MybatisSimpleExecutor.java:94)
 at com.baomidou.mybatisplus.core.executor.MybatisSimpleExecutor.doQuery(MybatisSimpleExecutor.java:66)
 at org.apache.ibatis.executor.BaseExecutor.queryFromDatabase(BaseExecutor.java:324)
 at org.apache.ibatis.executor.BaseExecutor.query(BaseExecutor.java:156)
 at org.apache.ibatis.executor.BaseExecutor.query(BaseExecutor.java:136)
 at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:147)
 at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:140)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:426)
 ... 111 more

尝试添加数据库URL参数conditionAndAlwayTrueAllow=true,依然报错。

再尝试添加druid配置filters: config,stat,log4j ,也还是报错。


二、你期待的结果是什么?实际看到的又是什么?



三、你正在使用的是什么产品,什么版本?在什么操作系统上?

Bladex-Boot 2.3.0


四、请提供详细的错误堆栈信息,这很重要。



五、若有更多详细信息,请在下面提供。



2条回答
  •  1649249
    1649249 (楼主)
    2020-10-23 15:34

    多数据源的配置是这个:

    spring.datasource.dynamic.druid.wall.condition-and-alway-true-allow=true

提交回复