
Example 1 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

Method checkDelete of class WallVisitorUtils:

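/**
 * Applies the SQL-wall checks to a DELETE statement.
 *
 * <p>Order of checks, each adding a violation through {@code addViolation}:
 * <ol>
 *   <li>the target table source must not be read-only ({@code checkReadOnly});</li>
 *   <li>DELETE must be enabled in the config ({@code isDeleteAllow});</li>
 *   <li>a plain single-table DELETE without WHERE is counted on the current
 *       {@link WallContext} and, when {@code isDeleteWhereNoneCheck} is set, rejected;</li>
 *   <li>a WHERE clause is run through {@code checkCondition}, and an always-true
 *       condition is rejected when {@code isDeleteWhereAlwayTrueCheck} is set, the SQL
 *       ends in a comment, and the condition is not a simple constant.</li>
 * </ol>
 *
 * @param visitor the visitor carrying the {@link WallConfig} and collecting violations
 * @param x       the DELETE statement under inspection
 */
public static void checkDelete(WallVisitor visitor, SQLDeleteStatement x) {
    checkReadOnly(visitor, x.getTableSource());

    WallConfig config = visitor.getConfig();
    if (!config.isDeleteAllow()) {
        // NOTE(review): the message says "delete" but the code reported is INSERT_NOT_ALLOW,
        // so anything that filters or alerts on the numeric error code will misclassify this
        // violation. Verify ErrorCode for a delete-specific constant and report that instead.
        addViolation(visitor, ErrorCode.INSERT_NOT_ALLOW, "delete not allow", x);
        return;
    }

    // A multi-table DELETE (MySQL USING clause, or a join as table source) is exempt from
    // the "no condition" rule below — presumably because the join itself restricts the
    // target rows; confirm against the wall's intended policy.
    boolean hasUsing = (x instanceof MySqlDeleteStatement)
            && ((MySqlDeleteStatement) x).getUsing() != null;
    boolean isJoinTableSource = x.getTableSource() instanceof SQLJoinTableSource;

    SQLExpr where = x.getWhere();
    if (where == null && !hasUsing && !isJoinTableSource) {
        WallContext context = WallContext.current();
        if (context != null) {
            context.incrementDeleteNoneConditionWarnings();
        }
        if (config.isDeleteWhereNoneCheck()) {
            addViolation(visitor, ErrorCode.NONE_CONDITION, "delete none condition not allow", x);
            return;
        }
    }

    if (where != null) {
        checkCondition(visitor, where);
        boolean alwayTrueCheck = config.isDeleteWhereAlwayTrueCheck();
        // getConditionValue is always evaluated first (it records its own violations as a
        // side effect); equals() instead of == so a non-canonical Boolean instance cannot
        // slip past the always-true check.
        if (Boolean.TRUE.equals(getConditionValue(visitor, where, alwayTrueCheck))
                && alwayTrueCheck
                && visitor.isSqlEndOfComment()
                && !isSimpleConstExpr(where)) {
            addViolation(visitor, ErrorCode.ALWAYS_TRUE, "delete alway true condition not allow", x);
        }
    }
}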
Also used : MySqlDeleteStatement(com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlDeleteStatement) WallConfig(com.alibaba.druid.wall.WallConfig) SQLExpr(com.alibaba.druid.sql.ast.SQLExpr) WallContext(com.alibaba.druid.wall.WallContext)

Example 2 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

Method checkFunction of class WallVisitorUtils:

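/**
 * Applies the function deny check to a method/function invocation.
 *
 * <p>Skipped when the top statement was flagged as reading a system schema or system
 * table, or when {@code isFunctionCheck} is off in the config. Otherwise the lower-cased
 * function name is counted on the current {@link WallContext}; if the provider's
 * {@code checkDenyFunction} does NOT pass it, a FUNCTION_DENY violation is raised unless
 * one of the exemptions applies (top-level SELECT without FROM, top-level FROM on a denied
 * schema, argument of SHOW GRANTS, or a position that is neither WHERE/HAVING nor a
 * checked expression).
 *
 * @param visitor the visitor carrying config and provider and collecting violations
 * @param x       the invocation expression under inspection
 */
public static void checkFunction(WallVisitor visitor, SQLMethodInvokeExpr x) {
    final WallTopStatementContext topStatementContext = wallTopStatementContextLocal.get();
    if (topStatementContext != null
            && (topStatementContext.fromSysSchema || topStatementContext.fromSysTable)) {
        return;
    }

    checkSchema(visitor, x.getOwner());

    if (!visitor.getConfig().isFunctionCheck()) {
        return;
    }

    // Locale-independent case fold: the default-locale toLowerCase() maps "I" to dotless
    // "ı" under tr/az locales, so a name containing "I" (e.g. LOAD_FILE) would no longer
    // equal its lower-case deny-list spelling and the check could be bypassed.
    String methodName = x.getMethodName().toLowerCase(java.util.Locale.ROOT);

    WallContext context = WallContext.current();
    if (context != null) {
        context.incrementFunctionInvoke(methodName);
    }

    // checkDenyFunction returns true when the name passes (is not denied).
    if (visitor.getProvider().checkDenyFunction(methodName)) {
        return;
    }
    if (isTopNoneFromSelect(visitor, x) || isTopFromDenySchema(visitor, x)) {
        return;
    }
    if (x.getParent() instanceof MySqlShowGrantsStatement) {
        return;
    }
    if (isWhereOrHaving(x) || checkSqlExpr(x)) {
        addViolation(visitor, ErrorCode.FUNCTION_DENY, "deny function : " + methodName, x);
    }
}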
Also used : MySqlShowGrantsStatement(com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlShowGrantsStatement) WallContext(com.alibaba.druid.wall.WallContext)

Example 3 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

Method getConditionValue of class WallVisitorUtils:

/**
 * Evaluates a condition expression under a fresh {@link WallConditionContext} and reports
 * the findings recorded during evaluation (part-always-true, part-always-false, constant
 * arithmetic, XOR, bitwise operators), each gated by its {@link WallConfig} switch.
 *
 * <p>A warning is also counted on the current {@link WallContext} when the condition has
 * an always-true part or evaluates to {@code Boolean.TRUE}, unless {@code x} is the first
 * condition ({@code isFirst}). The previously installed condition context is restored on
 * exit, even if evaluation throws.
 *
 * @param visitor        the visitor carrying the config and collecting violations
 * @param x              the condition to evaluate
 * @param alwayTrueCheck not consulted by this method; callers decide what an always-true
 *                       result means for them
 * @return the value {@code getValue} computed for {@code x}
 */
public static Object getConditionValue(WallVisitor visitor, SQLExpr x, boolean alwayTrueCheck) {
    final WallConditionContext saved = wallConditionContextLocal.get();
    try {
        wallConditionContextLocal.set(new WallConditionContext());
        final Object value = getValue(visitor, x);
        // Re-read rather than reuse the instance set above: evaluation may have swapped it.
        final WallConditionContext evaluated = wallConditionContextLocal.get();
        final WallConfig config = visitor.getConfig();

        final boolean partAlwayTrue = evaluated.hasPartAlwayTrue();
        final WallContext wallContext = WallContext.current();
        if (wallContext != null
                && (partAlwayTrue || Boolean.TRUE == value)
                && !isFirst(x)) {
            wallContext.incrementWarnings();
        }

        if (partAlwayTrue && !config.isConditionAndAlwayTrueAllow()) {
            addViolation(visitor, ErrorCode.ALWAYS_TRUE, "part alway true condition not allow", x);
        }
        if (evaluated.hasPartAlwayFalse() && !config.isConditionAndAlwayFalseAllow()) {
            addViolation(visitor, ErrorCode.ALWAYS_FALSE, "part alway false condition not allow", x);
        }
        if (evaluated.hasConstArithmetic() && !config.isConstArithmeticAllow()) {
            addViolation(visitor, ErrorCode.CONST_ARITHMETIC, "const arithmetic not allow", x);
        }
        if (evaluated.hasXor() && !config.isConditionOpXorAllow()) {
            addViolation(visitor, ErrorCode.XOR, "xor not allow", x);
        }
        if (evaluated.hasBitwise() && !config.isConditionOpBitwseAllow()) {
            addViolation(visitor, ErrorCode.BITWISE, "bitwise operator not allow", x);
        }
        return value;
    } finally {
        wallConditionContextLocal.set(saved);
    }
}
Also used : SQLObject(com.alibaba.druid.sql.ast.SQLObject) WallContext(com.alibaba.druid.wall.WallContext)

Example 4 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

Method visit(SQLLimit) of class MySqlWallVisitor:

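/**
 * Inspects a LIMIT clause: a literal row count of zero is counted as a warning on the
 * current {@link WallContext} and, unless {@code isLimitZeroAllow} is set, reported as a
 * LIMIT_ZERO violation. Non-literal row counts (parameters, expressions) are not checked.
 *
 * @param x the LIMIT clause
 * @return {@code true}, so the visitor continues into the clause's children
 */
@Override
public boolean visit(SQLLimit x) {
    if (!(x.getRowCount() instanceof SQLNumericLiteralExpr)) {
        return true;
    }
    Number rowCount = ((SQLNumericLiteralExpr) x.getRowCount()).getNumber();
    // Test the full value rather than intValue(): a literal such as 4294967296 has zero
    // low-order 32 bits and was previously mis-reported as "limit row 0".
    if (isZeroRowCount(rowCount)) {
        WallContext context = WallContext.current();
        if (context != null) {
            context.incrementWarnings();
        }
        if (!provider.getConfig().isLimitZeroAllow()) {
            this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.LIMIT_ZERO, "limit row 0", this.toSQL(x)));
        }
    }
    return true;
}

/** True when the literal row count is exactly zero, without narrowing to 32 bits. */
private static boolean isZeroRowCount(Number rowCount) {
    if (rowCount instanceof java.math.BigInteger) {
        // longValue() would also wrap for values beyond 64 bits; signum() does not.
        return ((java.math.BigInteger) rowCount).signum() == 0;
    }
    return rowCount.longValue() == 0L;
}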
Also used : SQLNumericLiteralExpr(com.alibaba.druid.sql.ast.expr.SQLNumericLiteralExpr) IllegalSQLObjectViolation(com.alibaba.druid.wall.violation.IllegalSQLObjectViolation) SQLCommentHint(com.alibaba.druid.sql.ast.SQLCommentHint) WallContext(com.alibaba.druid.wall.WallContext)

Example 5 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

Method visit(MySqlShowCreateTableStatement) of class MySqlWallVisitor:

/**
 * Records a SHOW CREATE TABLE against the named table's statistics on the current
 * {@link WallContext}; no violation is produced here. The statement's name is cast to
 * {@link SQLName}, so a target that is not an SQLName fails that cast.
 *
 * @param x the SHOW CREATE TABLE statement
 * @return {@code false}: the statement's children are not visited
 */
@Override
public boolean visit(MySqlShowCreateTableStatement x) {
    String simpleName = ((SQLName) x.getName()).getSimpleName();
    WallContext wallContext = WallContext.current();
    if (wallContext == null) {
        return false;
    }
    WallSqlTableStat stat = wallContext.getTableStat(simpleName);
    if (stat != null) {
        stat.incrementShowCount();
    }
    return false;
}
Also used : WallSqlTableStat(com.alibaba.druid.wall.WallSqlTableStat) SQLName(com.alibaba.druid.sql.ast.SQLName) WallContext(com.alibaba.druid.wall.WallContext)

Aggregations

WallContext (com.alibaba.druid.wall.WallContext)10 SQLName (com.alibaba.druid.sql.ast.SQLName)5 WallSqlTableStat (com.alibaba.druid.wall.WallSqlTableStat)5 SQLExpr (com.alibaba.druid.sql.ast.SQLExpr)3 SQLObject (com.alibaba.druid.sql.ast.SQLObject)3 SQLCommentHint (com.alibaba.druid.sql.ast.SQLCommentHint)1 SQLNumericLiteralExpr (com.alibaba.druid.sql.ast.expr.SQLNumericLiteralExpr)1 SQLPropertyExpr (com.alibaba.druid.sql.ast.expr.SQLPropertyExpr)1 MySqlDeleteStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlDeleteStatement)1 MySqlReplaceStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlReplaceStatement)1 MySqlShowGrantsStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlShowGrantsStatement)1 WallConfig (com.alibaba.druid.wall.WallConfig)1 IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation)1