
Example 16 with SQLObject

use of com.alibaba.druid.sql.ast.SQLObject in project druid by alibaba.

Class WallVisitorUtils, method check().

/**
 * Firewall check for one table reference ({@code x}) of the statement under inspection.
 *
 * <p>Two layers apply. For a qualified name ({@code schema.table}) the owner part is first
 * handed to {@link #checkSchema}. Then the simple table name is compared against the visitor's
 * deny list and the configured permit-table set. Before that comparison the per-thread
 * {@link WallContext} statistics of the table are bumped according to the statement kind that
 * owns the table source.
 *
 * <p>The result is {@code false} both after a recorded violation and after a non-violating
 * short-circuit (first permit table, denied table treated as system table), so it must not be
 * read as "denied" on its own. NOTE(review): presumably the caller uses it as the
 * visit-children flag of the visitor — confirm against the call site.
 *
 * @param visitor the wall visitor whose config, deny list and violation list are consulted
 * @param x       the table source being visited
 * @return {@code true} when no rule stopped the check, {@code false} otherwise (see above)
 */
public static boolean check(WallVisitor visitor, SQLExprTableSource x) {
    final WallTopStatementContext topContext = wallTopStatementContextLocal.get();
    SQLExpr expr = x.getExpr();

    // Qualified name: the schema part has to pass on its own before the table is looked at.
    if (expr instanceof SQLPropertyExpr) {
        if (!checkSchema(visitor, ((SQLPropertyExpr) expr).getOwner())) {
            return false;
        }
    }

    // Only named tables are subject to the table rules; any other table expression passes.
    if (!(expr instanceof SQLName)) {
        return true;
    }
    String tableName = ((SQLName) expr).getSimpleName();

    countTableUsage(x, tableName);

    // A statement already classified as coming from a system schema/table is not re-checked.
    if (topContext != null && (topContext.fromSysSchema || topContext.fromSysTable)) {
        return true;
    }

    if (visitor.isDenyTable(tableName) && !(topContext != null && topContext.fromPermitTable())) {
        if (isTopStatementWithTableSource(x) || isFirstSelectTableSource(x)) {
            // Denied table in top / first-select position: the context is flagged as a
            // system-table access and clearViolation() drops whatever was recorded so far.
            if (topContext != null) {
                topContext.setFromSysTable(Boolean.TRUE);
                clearViolation(visitor);
            }
            return false;
        }
        if (isTopNoneFromSelect(visitor, x)) {
            return false;
        }
        addViolation(visitor, ErrorCode.TABLE_DENY, "deny table : " + tableName, x);
        return false;
    }

    boolean inPermitList = visitor.getConfig().getPermitTables().contains(tableName);
    if (inPermitList && isFirstSelectTableSource(x)) {
        if (topContext != null) {
            topContext.setFromPermitTable(Boolean.TRUE);
        }
        return false;
    }
    return true;
}

/**
 * Bumps the statement-kind counter of the table's {@link WallSqlTableStat}, if the current
 * {@link WallContext} tracks that table. No-op when there is no context or no stat entry.
 *
 * @param x         the table source whose owning statement decides which counter is bumped
 * @param tableName simple table name used to look up the stat entry
 */
private static void countTableUsage(SQLExprTableSource x, String tableName) {
    WallContext context = WallContext.current();
    if (context == null) {
        return;
    }
    WallSqlTableStat tableStat = context.getTableStat(tableName);
    if (tableStat == null) {
        return;
    }

    // Climb out of nested table sources (joins, subqueries) to the node that owns the reference.
    SQLObject owner = x.getParent();
    while (owner instanceof SQLTableSource) {
        owner = owner.getParent();
    }

    if (owner instanceof SQLSelectQueryBlock) {
        boolean isIntoTarget = x == ((SQLSelectQueryBlock) owner).getInto();
        if (isIntoTarget) {
            tableStat.incrementSelectIntoCount();
        } else {
            tableStat.incrementSelectCount();
        }
    } else if (owner instanceof SQLTruncateStatement) {
        tableStat.incrementTruncateCount();
    } else if (owner instanceof SQLInsertStatement) {
        tableStat.incrementInsertCount();
    } else if (owner instanceof SQLDeleteStatement) {
        tableStat.incrementDeleteCount();
    } else if (owner instanceof SQLUpdateStatement) {
        tableStat.incrementUpdateCount();
    } else if (owner instanceof MySqlReplaceStatement) {
        tableStat.incrementReplaceCount();
    }
}

Example 17 with SQLObject

use of com.alibaba.druid.sql.ast.SQLObject in project druid by alibaba.

Class WallVisitorUtils, method isWhereOrHaving().

/**
 * Reports whether {@code x} is (or is nested inside) a filtering clause of its statement: a
 * JOIN condition, the WHERE of a select query block / UPDATE / DELETE, a HAVING, or the right
 * side of a union whose left side has a WHERE according to {@link #hasWhere}.
 *
 * <p>Walks up the parent chain from {@code x}. A join, union or select query block that does
 * not own the current node as its condition/where keeps the walk going; a DELETE, UPDATE or
 * GROUP BY node ends it either way; the root ends it with {@code false}.
 *
 * @param x the AST node to classify; {@code null} yields {@code false}
 * @return {@code true} if the node sits in one of the positions listed above
 */
public static boolean isWhereOrHaving(SQLObject x) {
    SQLObject node = x;
    while (node != null) {
        SQLObject parent = node.getParent();
        if (parent == null) {
            return false;
        }
        if (parent instanceof SQLJoinTableSource
                && ((SQLJoinTableSource) parent).getCondition() == node) {
            return true;
        }
        if (parent instanceof SQLUnionQuery) {
            SQLUnionQuery union = (SQLUnionQuery) parent;
            if (union.getRight() == node && hasWhere(union.getLeft())) {
                return true;
            }
        }
        if (parent instanceof SQLSelectQueryBlock
                && ((SQLSelectQueryBlock) parent).getWhere() == node) {
            return true;
        }
        // The next three node kinds terminate the walk: either x is the clause, or it is not.
        if (parent instanceof SQLDeleteStatement) {
            return ((SQLDeleteStatement) parent).getWhere() == node;
        }
        if (parent instanceof SQLUpdateStatement) {
            return ((SQLUpdateStatement) parent).getWhere() == node;
        }
        if (parent instanceof SQLSelectGroupByClause) {
            return ((SQLSelectGroupByClause) parent).getHaving() == node;
        }
        node = parent;
    }
    return false;
}

Example 18 with SQLObject

use of com.alibaba.druid.sql.ast.SQLObject in project druid by alibaba.

Class WallVisitorUtils, method checkUnion().

/**
 * Firewall check for a set operation (UNION / UNION ALL / DISTINCT / MINUS / INTERSECT / EXCEPT).
 *
 * <p>MINUS and INTERSECT are refused outright when the config disallows them. Otherwise the
 * method looks for the shape "left side with a FROM, right side without one" (as judged by
 * {@link #queryBlockFromIsNull}). Such a union is counted as a union warning on the current
 * {@link WallContext} and, when the operator-specific check is enabled (for the UNION family
 * additionally only when the SQL ends in a comment), reported as an {@code ErrorCode.UNION}
 * violation. Exempt are unions owned by an UPDATE or INSERT statement and unions whose left side
 * is a plain single-table select without WHERE.
 *
 * @param visitor the wall visitor whose config and violation list are consulted
 * @param x       the union query being visited
 */
public static void checkUnion(WallVisitor visitor, SQLUnionQuery x) {
    if (x.getOperator() == SQLUnionOperator.MINUS && !visitor.getConfig().isMinusAllow()) {
        addViolation(visitor, ErrorCode.INTERSET_NOT_ALLOW, "minus not allow", x);
        return;
    }
    if (x.getOperator() == SQLUnionOperator.INTERSECT && !visitor.getConfig().isIntersectAllow()) {
        addViolation(visitor, ErrorCode.INTERSET_NOT_ALLOW, "intersect not allow", x);
        return;
    }

    // Only the "left has FROM, right has none" shape is of interest below.
    boolean leftHasFrom = !WallVisitorUtils.queryBlockFromIsNull(visitor, x.getLeft());
    if (!leftHasFrom || !WallVisitorUtils.queryBlockFromIsNull(visitor, x.getRight())) {
        return;
    }

    // Climb out of select / join / subquery wrappers to the statement owning this union.
    SQLObject owner = x.getParent();
    while (owner instanceof SQLSelectQuery
            || owner instanceof SQLJoinTableSource
            || owner instanceof SQLSubqueryTableSource
            || owner instanceof SQLSelect) {
        owner = owner.getParent();
    }
    if (owner instanceof SQLUpdateStatement || owner instanceof SQLInsertStatement) {
        return;
    }

    // A left side that is a bare "select ... from <table>" with no WHERE is not flagged.
    if (x.getLeft() instanceof SQLSelectQueryBlock) {
        SQLSelectQueryBlock left = (SQLSelectQueryBlock) x.getLeft();
        SQLTableSource from = left.getFrom();
        if (left.getWhere() == null && from instanceof SQLExprTableSource) {
            return;
        }
    }

    WallContext context = WallContext.current();
    if (context != null) {
        context.incrementUnionWarnings();
    }
    if (isFromLessUnionChecked(visitor, x.getOperator())) {
        addViolation(visitor, ErrorCode.UNION, x.getOperator().toString() + " query not contains 'from clause'", x);
    }
}

/**
 * Whether the config enables reporting of a from-less union for the given operator.
 * The UNION family additionally requires the SQL text to end in a comment.
 *
 * @param visitor  the wall visitor whose config is consulted
 * @param operator the union operator; an unknown or {@code null} operator yields {@code false}
 * @return {@code true} if a violation should be recorded
 */
private static boolean isFromLessUnionChecked(WallVisitor visitor, SQLUnionOperator operator) {
    boolean unionFamily = operator == SQLUnionOperator.UNION
            || operator == SQLUnionOperator.UNION_ALL
            || operator == SQLUnionOperator.DISTINCT;
    if (unionFamily) {
        return visitor.getConfig().isSelectUnionCheck() && visitor.isSqlEndOfComment();
    }
    if (operator == SQLUnionOperator.MINUS) {
        return visitor.getConfig().isSelectMinusCheck();
    }
    if (operator == SQLUnionOperator.INTERSECT) {
        return visitor.getConfig().isSelectIntersectCheck();
    }
    if (operator == SQLUnionOperator.EXCEPT) {
        return visitor.getConfig().isSelectExceptCheck();
    }
    return false;
}

Example 19 with SQLObject

use of com.alibaba.druid.sql.ast.SQLObject in project druid by alibaba.

Class WallVisitorUtils, method checkSqlExpr().

/**
 * Tells whether {@code x} is located inside a GROUP BY, ORDER BY, LIMIT or MySQL ordering
 * expression, by walking up its parent chain until the root.
 *
 * @param x the expression to locate; {@code null} yields {@code false}
 * @return {@code true} if some ancestor is one of those clause nodes, {@code false} at the root
 */
public static boolean checkSqlExpr(SQLExpr x) {
    if (x == null) {
        return false;
    }
    SQLObject ancestor = x.getParent();
    while (ancestor != null) {
        if (isGroupOrderLimitNode(ancestor)) {
            return true;
        }
        ancestor = ancestor.getParent();
    }
    return false;
}

/**
 * The clause kinds {@link #checkSqlExpr} looks for: GROUP BY, ORDER BY, LIMIT, MySQL ordering.
 *
 * @param node an AST node
 * @return {@code true} if {@code node} is one of those clause nodes
 */
private static boolean isGroupOrderLimitNode(SQLObject node) {
    return node instanceof SQLSelectGroupByClause
            || node instanceof SQLOrderBy
            || node instanceof SQLLimit
            || node instanceof MySqlOrderingExpr;
}

Example 20 with SQLObject

use of com.alibaba.druid.sql.ast.SQLObject in project druid by alibaba.

Class WallVisitorUtils, method isFirstInSubQuery().

/**
 * Tells whether {@code x} belongs to the subquery of an {@code IN (subquery)} expression that
 * satisfies {@link #isFirst} and sits directly in the top-level SELECT statement.
 *
 * <p>Expression nodes are climbed out of first, so a node inside a table expression resolves
 * to its {@link SQLExprTableSource}. That table source must be nested (at any depth) inside a
 * {@link SQLSelect} whose ancestry is exactly {@code SQLInSubQueryExpr -> SQLSelectQueryBlock ->
 * SQLSelect -> SQLSelectStatement}, with nothing above the statement.
 *
 * @param x the node to classify; {@code null} yields {@code false}
 * @return {@code true} only for the exact shape described above
 */
private static boolean isFirstInSubQuery(SQLObject x) {
    SQLObject node = x;
    while (node instanceof SQLExpr) {
        node = node.getParent();
    }
    if (!(node instanceof SQLExprTableSource)) {
        return false;
    }

    // Nearest enclosing SQLSelect above the table source.
    SQLSelect enclosingSelect = null;
    for (SQLObject p = node.getParent(); p != null; p = p.getParent()) {
        if (p instanceof SQLSelect) {
            enclosingSelect = (SQLSelect) p;
            break;
        }
    }
    if (enclosingSelect == null) {
        return false;
    }

    SQLObject inExpr = enclosingSelect.getParent();
    if (!(inExpr instanceof SQLInSubQueryExpr) || !isFirst(inExpr)) {
        return false;
    }
    SQLObject queryBlock = inExpr.getParent();
    if (!(queryBlock instanceof SQLSelectQueryBlock)) {
        return false;
    }
    SQLObject outerSelect = queryBlock.getParent();
    if (!(outerSelect instanceof SQLSelect)) {
        return false;
    }
    SQLObject stmt = outerSelect.getParent();
    return stmt instanceof SQLSelectStatement && stmt.getParent() == null;
}
