干燥机配套车间生产管理系统/云平台服务端
blame | 历史 | 原始文档
baoshiwei
2023-03-10 58d42ccf875b120f40fddce63752298e916e0b0b 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

package org.jeecg.common.util.security;


 


import org.jeecg.common.exception.JeecgBootException;


import org.jeecg.common.util.oConvertUtils;


 


/**


 * jdbc连接校验


 * @Author taoYan


 * @Date 2022/8/10 18:15


 **/


public class JdbcSecurityUtil {


 


    /**


     * 连接驱动漏洞 最新版本修复后,可删除相应的key


     * postgre:authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback


     * https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4


     * 


     */


    public static final String[] notAllowedProps = new String[]{"authenticationPluginClassName", "sslhostnameverifier", "socketFactory", "sslfactory", "sslpasswordcallback"};


 


    /**


     * 校验sql是否有特定的key


     * @param jdbcUrl


     * @return


     */


    public static void validate(String jdbcUrl){


        if(oConvertUtils.isEmpty(jdbcUrl)){


            return;


        }


        String urlConcatChar = "?";


        if(jdbcUrl.indexOf(urlConcatChar)<0){


            return;


        }


        String argString = jdbcUrl.substring(jdbcUrl.indexOf(urlConcatChar)+1);


        String[] keyAndValues = argString.split("&");


        for(String temp: keyAndValues){


            String key = temp.split("=")[0];


            for(String prop: notAllowedProps){


                if(prop.equalsIgnoreCase(key)){


                    throw new JeecgBootException("连接地址有安全风险,【"+key+"】");


                }


            }


        }


    }


    


}