
Example 1 with WallConfig

use of com.alibaba.druid.wall.WallConfig in project druid by alibaba.

From the class WallVisitorUtils, method checkDelete.

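/**
 * Applies the {@link WallConfig} DELETE rules to a single DELETE statement.
 *
 * <p>Checks run in this order: the table source is checked for read-only
 * tables; the statement is denied outright when {@code deleteAllow} is off;
 * a DELETE with no WHERE clause (and neither a MySQL {@code USING} clause nor
 * a join table source) is counted in the current {@link WallContext} and,
 * when {@code deleteWhereNoneCheck} is on, denied; finally a WHERE clause
 * that evaluates to a constant TRUE is denied when
 * {@code deleteWhereAlwayTrueCheck} is on, the SQL text ends in a comment
 * and the condition is not a simple constant expression.
 *
 * @param visitor the wall visitor that supplies the config and collects violations
 * @param x       the DELETE statement under inspection
 */
public static void checkDelete(WallVisitor visitor, SQLDeleteStatement x) {
    checkReadOnly(visitor, x.getTableSource());
    WallConfig config = visitor.getConfig();
    if (!config.isDeleteAllow()) {
        // Previously reported as ErrorCode.INSERT_NOT_ALLOW, which mislabelled a
        // denied DELETE; preVisitCheck reports the same condition as DELETE_NOT_ALLOW.
        addViolation(visitor, ErrorCode.DELETE_NOT_ALLOW, "delete not allow", x);
        return;
    }
    // The missing-WHERE check is skipped for a MySQL DELETE ... USING and for a
    // join table source; only the plain single-table form is flagged.
    boolean hasUsing = x instanceof MySqlDeleteStatement
            && ((MySqlDeleteStatement) x).getUsing() != null;
    boolean isJoinTableSource = x.getTableSource() instanceof SQLJoinTableSource;
    SQLExpr where = x.getWhere();
    if (where == null && !hasUsing && !isJoinTableSource) {
        WallContext context = WallContext.current();
        if (context != null) {
            context.incrementDeleteNoneConditionWarnings();
        }
        if (config.isDeleteWhereNoneCheck()) {
            addViolation(visitor, ErrorCode.NONE_CONDITION, "delete none condition not allow", x);
            return;
        }
    }
    if (where != null) {
        // NOTE(review): checkUpdate links the condition to its statement with
        // where.setParent(x) before checkCondition; confirm whether that is needed here.
        checkCondition(visitor, where);
        boolean alwaysTrueCheck = config.isDeleteWhereAlwayTrueCheck();
        boolean alwaysTrue = Boolean.TRUE == getConditionValue(visitor, where, alwaysTrueCheck);
        // A tautological condition is only a violation when the statement text ends in
        // a comment and the condition is more than a bare constant.
        if (alwaysTrue && alwaysTrueCheck && visitor.isSqlEndOfComment() && !isSimpleConstExpr(where)) {
            addViolation(visitor, ErrorCode.ALWAYS_TRUE, "delete alway true condition not allow", x);
        }
    }
}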

Example 2 with WallConfig

use of com.alibaba.druid.wall.WallConfig in project druid by alibaba.

From the class WallVisitorUtils, method preVisitCheck.

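/**
 * Statement-level allow/deny gate run before a statement is visited.
 *
 * <p>Non-statement nodes are ignored. For a statement, the most specific
 * matching statement type selects the {@link WallConfig} switch that governs
 * it, together with the error code and message reported when that switch is
 * off. Because the chain relies on {@code instanceof}, the order of the
 * branches matters for dialect subclasses: a more specific statement type
 * must appear before its base type.
 *
 * @param visitor the wall visitor whose provider supplies the config and which collects violations
 * @param x       the node about to be visited; only {@link SQLStatement}s are checked
 */
public static void preVisitCheck(WallVisitor visitor, SQLObject x) {
    WallConfig config = visitor.getProvider().getConfig();
    if (!(x instanceof SQLStatement)) {
        return;
    }
    // All three are assigned on every branch, so the compiler verifies
    // definite assignment; no default value is needed.
    boolean allow;
    int errorCode;
    String denyMessage;
    if (x instanceof SQLInsertStatement) {
        allow = config.isInsertAllow();
        denyMessage = "insert not allow";
        errorCode = ErrorCode.INSERT_NOT_ALLOW;
    } else if (x instanceof SQLSelectStatement) {
        // SELECT is never denied by this gate; the errorCode/denyMessage pair is
        // therefore unreachable here. NOTE(review): presumably the select switch is
        // enforced elsewhere in the visitor — confirm before relying on it.
        allow = true;
        denyMessage = "select not allow";
        errorCode = ErrorCode.SELECT_NOT_ALLOW;
    } else if (x instanceof SQLDeleteStatement) {
        allow = config.isDeleteAllow();
        denyMessage = "delete not allow";
        errorCode = ErrorCode.DELETE_NOT_ALLOW;
    } else if (x instanceof SQLUpdateStatement) {
        allow = config.isUpdateAllow();
        denyMessage = "update not allow";
        errorCode = ErrorCode.UPDATE_NOT_ALLOW;
    } else if (x instanceof OracleMultiInsertStatement) {
        // NOTE(review): Oracle multi-table INSERT is always allowed here and does not
        // consult config.isInsertAllow(), unlike the SQLInsertStatement branch above.
        // Confirm whether that gap is intended.
        allow = true;
        denyMessage = "multi-insert not allow";
        errorCode = ErrorCode.INSERT_NOT_ALLOW;
    } else if (x instanceof SQLMergeStatement) {
        allow = config.isMergeAllow();
        denyMessage = "merge not allow";
        errorCode = ErrorCode.MERGE_NOT_ALLOW;
    } else if (x instanceof SQLCallStatement || x instanceof SQLServerExecStatement) {
        allow = config.isCallAllow();
        denyMessage = "call not allow";
        errorCode = ErrorCode.CALL_NOT_ALLOW;
    } else if (x instanceof SQLTruncateStatement) {
        allow = config.isTruncateAllow();
        denyMessage = "truncate not allow";
        errorCode = ErrorCode.TRUNCATE_NOT_ALLOW;
    } else if (x instanceof SQLCreateTableStatement
            || x instanceof SQLCreateIndexStatement
            || x instanceof SQLCreateViewStatement
            || x instanceof SQLCreateTriggerStatement
            || x instanceof SQLCreateSequenceStatement) {
        // One switch covers every CREATE form (table, index, view, trigger, sequence).
        allow = config.isCreateTableAllow();
        denyMessage = "create table not allow";
        errorCode = ErrorCode.CREATE_TABLE_NOT_ALLOW;
    } else if (x instanceof SQLAlterTableStatement) {
        allow = config.isAlterTableAllow();
        denyMessage = "alter table not allow";
        errorCode = ErrorCode.ALTER_TABLE_NOT_ALLOW;
    } else if (x instanceof SQLDropTableStatement
            || x instanceof SQLDropIndexStatement
            || x instanceof SQLDropViewStatement
            || x instanceof SQLDropTriggerStatement
            || x instanceof SQLDropSequenceStatement
            || x instanceof SQLDropProcedureStatement) {
        // One switch covers every DROP form (table, index, view, trigger, sequence, procedure).
        allow = config.isDropTableAllow();
        denyMessage = "drop table not allow";
        errorCode = ErrorCode.DROP_TABLE_NOT_ALLOW;
    } else if (x instanceof MySqlSetCharSetStatement
            || x instanceof MySqlSetNamesStatement
            || x instanceof SQLSetStatement
            || x instanceof SQLServerSetStatement) {
        allow = config.isSetAllow();
        denyMessage = "set not allow";
        errorCode = ErrorCode.SET_NOT_ALLOW;
    } else if (x instanceof MySqlReplaceStatement) {
        allow = config.isReplaceAllow();
        denyMessage = "replace not allow";
        errorCode = ErrorCode.REPLACE_NOT_ALLOW;
    } else if (x instanceof MySqlDescribeStatement) {
        allow = config.isDescribeAllow();
        denyMessage = "describe not allow";
        errorCode = ErrorCode.DESC_NOT_ALLOW;
    } else if (x instanceof MySqlShowStatement
            || x instanceof PGShowStatement
            || x instanceof SQLShowTablesStatement) {
        allow = config.isShowAllow();
        denyMessage = "show not allow";
        errorCode = ErrorCode.SHOW_NOT_ALLOW;
    } else if (x instanceof MySqlCommitStatement || x instanceof SQLServerCommitStatement) {
        allow = config.isCommitAllow();
        denyMessage = "commit not allow";
        errorCode = ErrorCode.COMMIT_NOT_ALLOW;
    } else if (x instanceof SQLRollbackStatement) {
        allow = config.isRollbackAllow();
        denyMessage = "rollback not allow";
        errorCode = ErrorCode.ROLLBACK_NOT_ALLOW;
    } else if (x instanceof SQLUseStatement) {
        allow = config.isUseAllow();
        denyMessage = "use not allow";
        errorCode = ErrorCode.USE_NOT_ALLOW;
    } else if (x instanceof MySqlRenameTableStatement) {
        allow = config.isRenameTableAllow();
        denyMessage = "rename table not allow";
        errorCode = ErrorCode.RENAME_TABLE_NOT_ALLOW;
    } else if (x instanceof MySqlHintStatement) {
        allow = config.isHintAllow();
        denyMessage = "hint not allow";
        errorCode = ErrorCode.HINT_NOT_ALLOW;
    } else if (x instanceof MySqlLockTableStatement) {
        allow = config.isLockTableAllow();
        denyMessage = "lock table not allow";
        errorCode = ErrorCode.LOCK_TABLE_NOT_ALLOW;
    } else if (x instanceof SQLStartTransactionStatement) {
        allow = config.isStartTransactionAllow();
        denyMessage = "start transaction not allow";
        errorCode = ErrorCode.START_TRANSACTION_NOT_ALLOW;
    } else if (x instanceof SQLBlockStatement) {
        allow = config.isBlockAllow();
        denyMessage = "block statement not allow";
        errorCode = ErrorCode.BLOCK_NOT_ALLOW;
    } else {
        // Any statement type not listed above falls under the noneBaseStatement switch;
        // the message names the concrete class so the denied type is identifiable.
        allow = config.isNoneBaseStatementAllow();
        errorCode = ErrorCode.NONE_BASE_STATEMENT_NOT_ALLOW;
        denyMessage = x.getClass() + " not allow";
    }
    if (!allow) {
        addViolation(visitor, errorCode, denyMessage, x);
    }
}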

Example 3 with WallConfig

use of com.alibaba.druid.wall.WallConfig in project druid by alibaba.

From the class WallVisitorUtils, method checkUpdate.

/**
 * Applies the {@link WallConfig} UPDATE rules to a single UPDATE statement.
 *
 * <p>The table source is checked for read-only tables first, and the
 * statement is denied outright when {@code updateAllow} is off. With a WHERE
 * clause present, the condition is linked to the statement, checked, and
 * denied as ALWAYS_TRUE when it evaluates to a constant TRUE while
 * {@code updateWhereAlayTrueCheck} is on, the SQL text ends in a comment and
 * the condition is not a simple constant expression. Without a WHERE clause,
 * a warning is counted in the current {@link WallContext} and, when
 * {@code updateWhereNoneCheck} is on, the statement is denied unless it is a
 * MySQL UPDATE carrying a LIMIT. Multi-tenant checks run last on every path
 * that was not denied.
 *
 * @param visitor the wall visitor that supplies the config and collects violations
 * @param x       the UPDATE statement under inspection
 */
public static void checkUpdate(WallVisitor visitor, SQLUpdateStatement x) {
    checkReadOnly(visitor, x.getTableSource());
    WallConfig config = visitor.getConfig();
    if (!config.isUpdateAllow()) {
        addViolation(visitor, ErrorCode.UPDATE_NOT_ALLOW, "update not allow", x);
        return;
    }
    SQLExpr where = x.getWhere();
    if (where != null) {
        where.setParent(x);
        checkCondition(visitor, where);
        boolean alwaysTrueCheck = config.isUpdateWhereAlayTrueCheck();
        boolean alwaysTrue = Boolean.TRUE == getConditionValue(visitor, where, alwaysTrueCheck);
        if (alwaysTrue && alwaysTrueCheck && visitor.isSqlEndOfComment() && !isSimpleConstExpr(where)) {
            addViolation(visitor, ErrorCode.ALWAYS_TRUE, "update alway true condition not allow", x);
        }
    } else {
        WallContext context = WallContext.current();
        if (context != null) {
            context.incrementUpdateNoneConditionWarnings();
        }
        // A MySQL UPDATE ... LIMIT n is bounded even without a WHERE clause and is exempt.
        boolean mysqlWithLimit = x instanceof MySqlUpdateStatement
                && ((MySqlUpdateStatement) x).getLimit() != null;
        if (config.isUpdateWhereNoneCheck() && !mysqlWithLimit) {
            addViolation(visitor, ErrorCode.NONE_CONDITION, "update none condition not allow", x);
            return;
        }
    }
    checkUpdateForMultiTenant(visitor, x);
}

Example 4 with WallConfig

use of com.alibaba.druid.wall.WallConfig in project druid by alibaba.

From the class Issue_728, method test3.

/**
 * A bitwise operator inside a WHERE condition ({@code city_id = 1 & 2}) must
 * fail MySQL wall validation once {@code conditionOpBitwseAllow} is switched off.
 *
 * @throws Exception propagated from the wall check
 */
public void test3() throws Exception {
    WallConfig config = new WallConfig();
    config.setConditionOpBitwseAllow(false);
    String sql = "SELECT * from city_list where city_id = 1 & 2";
    boolean valid = WallUtils.isValidateMySql(sql, config);
    Assert.assertFalse(valid);
}

Example 5 with WallConfig

use of com.alibaba.druid.wall.WallConfig in project druid by alibaba.

From the class Issue_728, method test1.

/**
 * Constant arithmetic inside a WHERE condition ({@code city_id = 3-1}) must
 * fail MySQL wall validation once {@code constArithmeticAllow} is switched off.
 *
 * @throws Exception propagated from the wall check
 */
public void test1() throws Exception {
    WallConfig config = new WallConfig();
    config.setConstArithmeticAllow(false);
    String sql = "select * from city_list where city_id = 3-1";
    boolean valid = WallUtils.isValidateMySql(sql, config);
    Assert.assertFalse(valid);
}
