Druid-排查conditionDoubleConstAllow配置问题(double const condition)
报错信息
Caused by: java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, double const condition : SELECT * FROM test where 1=1 AND TRUE AND TRUE
关键词:double const condition
Druid进行SQL检查,发现了重复的常量条件
排查过程
- 下载druid源码 https://github.com/alibaba/druid
- 阅读相关文档 文档
- 代码断点调试排查
编写代码复现问题
@RestController
@Slf4j
public class TestController {
@Autowired
private JdbcTemplate jdbcTemplate;
@GetMapping("test")
public String test(){
String sql = "SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1 ";
jdbcTemplate.execute(sql);
return "Test";
}
}
Druid配置关键信息:wall
spring:
datasource:
druid:
filters: config,wall,stat
运行错误:
java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, part alway true condition not allow : SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1
at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:836)
at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:801)
at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:433)
at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2991)
at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:143)
at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:635)
at org.springframework.jdbc.core.JdbcTemplate$1ExecuteStatementCallback.doInStatement(JdbcTemplate.java:422)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:381)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:431)
通过文档 https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter 可以看到相关存在相关配置:conditionDoubleConstAllow , 默认为false,既不允许Where条件中有两个以上的常量。
接下来打开源码,搜索conditionDoubleConstAllow,找到以下线索:
- com.alibaba.druid.wall.WallConfig#conditionDoubleConstAllow
- com.alibaba.druid.spring.boot.autoconfigure.stat.DruidFilterConfiguration#wallConfig
解决方法一:将配置filters: config,wall,stat 中的wall去掉,既不进行一些防注入检查,修改有效,但安全性降低,暂不采用
解决方法二:重点关注wallConfig()方法:
private static final String FILTER_WALL_PREFIX = "spring.datasource.druid.filter.wall";
private static final String FILTER_WALL_CONFIG_PREFIX = FILTER_WALL_PREFIX + ".config";
@Bean
@ConfigurationProperties(FILTER_WALL_CONFIG_PREFIX)
@ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")
@ConditionalOnMissingBean
public WallConfig wallConfig() {
return new WallConfig();
}
@Bean
@ConfigurationProperties(FILTER_WALL_PREFIX)
@ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")
@ConditionalOnMissingBean
public WallFilter wallFilter(WallConfig wallConfig) {
WallFilter filter = new WallFilter();
filter.setConfig(wallConfig);
return filter;
}
发现可以通过配置修改WallConfig#conditionDoubleConstAllow的值,于是进行配置修改:
spring:
datasource:
druid:
filters: config,wall,stat
filter:
wall:
enabled: true
config:
condition-double-const-allow: true
测试结果:(依旧报错…)
java.sql.SQLException: sql injection violation, dbType postgresql, druid-version 1.2.18, part alway true condition not allow : SELECT * FROM test WHERE 1=1 AND TRUE AND id = 1
at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:836)
at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:801)
at com.alibaba.druid.wall.WallFilter.statement_execute(WallFilter.java:433)
at com.alibaba.druid.filter.FilterChainImpl.statement_execute(FilterChainImpl.java:2991)
at com.alibaba.druid.proxy.jdbc.StatementProxyImpl.execute(StatementProxyImpl.java:143)
at com.alibaba.druid.pool.DruidPooledStatement.execute(DruidPooledStatement.java:635)
at org.springframework.jdbc.core.JdbcTemplate$1ExecuteStatementCallback.doInStatement(JdbcTemplate.java:422)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:381)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:431)
进一步断点调试:
发现在com.alibaba.druid.spring.boot.autoconfigure.stat.DruidFilterConfiguration#wallFilter方法中,filter.setConfig(wallConfig)时,注入的wallConfig,其conditionDoubleConstAllow属性已经是true,说明配置生效了。
但还是报上述异常,继续调试分析。
@Bean
@ConfigurationProperties(FILTER_WALL_PREFIX)
@ConditionalOnProperty(prefix = FILTER_WALL_PREFIX, name = "enabled")
@ConditionalOnMissingBean
public WallFilter wallFilter(WallConfig wallConfig) {
WallFilter filter = new WallFilter();
filter.setConfig(wallConfig);
return filter;
}
继续调试,关注方法com.alibaba.druid.wall.WallFilter#checkInternal
private WallCheckResult checkInternal(String sql) throws SQLException {
WallCheckResult checkResult = provider.check(sql);
List<Violation> violations = checkResult.getViolations();
if (violations.size() > 0) {
Violation firstViolation = violations.get(0);
if (isLogViolation()) {
LOG.error("sql injection violation, dbType "
+ getDbType()
+ ", druid-version "
+ VERSION.getVersionNumber()
+ ", "
+ firstViolation.getMessage() + " : " + sql);
}
if (throwException) {
if (violations.get(0) instanceof SyntaxErrorViolation) {
SyntaxErrorViolation violation = (SyntaxErrorViolation) violations.get(0);
throw new SQLException("sql injection violation, dbType "
+ getDbType() + ", "
+ ", druid-version "
+ VERSION.getVersionNumber()
+ ", "
+ firstViolation.getMessage() + " : " + sql,
violation.getException());
} else {
throw new SQLException("sql injection violation, dbType "
+ getDbType()
+ ", druid-version "
+ VERSION.getVersionNumber()
+ ", "
+ firstViolation.getMessage()
+ " : " + sql);
}
}
}
return checkResult;
}
com.alibaba.druid.sql.ast.SQLObjectImpl#accept 方法
public final void accept(SQLASTVisitor visitor) {
if (visitor == null) {
throw new IllegalArgumentException();
}
visitor.preVisit(this);
accept0(visitor);
visitor.postVisit(this);
}
com.alibaba.druid.wall.spi.WallVisitorUtils#getValue_and方法
public static Object getConditionValue(WallVisitor visitor, SQLExpr x, boolean alwayTrueCheck) {
final WallConditionContext old = wallConditionContextLocal.get();
try {
wallConditionContextLocal.set(new WallConditionContext());
final Object value = getValue(visitor, x);
final WallConditionContext current = wallConditionContextLocal.get();
WallContext context = WallContext.current();
if (context != null) {
if (current.hasPartAlwayTrue() || Boolean.TRUE == value) {
if (!isFirst(x)) {
context.incrementWarnings();
}
}
}
if (current.hasPartAlwayTrue()
&& !visitor.getConfig().isConditionAndAlwayTrueAllow()) {
addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);
}
if (current.hasPartAlwayFalse()
&& !visitor.getConfig().isConditionAndAlwayFalseAllow()) {
addViolation(visitor, ErrorCode.ALWAYS_FALSE, "part alway false condition not allow", x);
}
if (current.hasConstArithmetic()
&& !visitor.getConfig().isConstArithmeticAllow()) {
addViolation(visitor, ErrorCode.CONST_ARITHMETIC, "const arithmetic not allow", x);
}
if (current.hasXor() && !visitor.getConfig().isConditionOpXorAllow()) {
addViolation(visitor, ErrorCode.XOR, "xor not allow", x);
}
if (current.hasBitwise() && !visitor.getConfig().isConditionOpBitwseAllow()) {
addViolation(visitor, ErrorCode.BITWISE, "bitwise operator not allow", x);
}
return value;
} finally {
wallConditionContextLocal.set(old);
}
}
发现到以下代码时,执行了addViolation
if (current.hasPartAlwayTrue()
&& !visitor.getConfig().isConditionAndAlwayTrueAllow()) {
addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);
}
于是再次修改配置:将condition-and-alway-true-allow也改为true
spring:
datasource:
druid:
filters: config,wall,stat
filter:
wall:
enabled: true
config:
condition-and-alway-true-allow: true
condition-double-const-allow: true
再次测试:执行成功!!!
