
Example 6 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

the class MySqlWallVisitor method visit.

@Override
public boolean visit(MySqlShowCreateTableStatement x) {
    // Statistics only: bump the SHOW counter for the named table when a wall
    // context is active. No violation is raised here and the result is always false.
    // The cast happens first so behaviour is unchanged when no context is present.
    String simpleName = ((SQLName) x.getName()).getSimpleName();
    WallContext current = WallContext.current();
    if (current == null) {
        return false;
    }
    WallSqlTableStat stat = current.getTableStat(simpleName);
    if (stat != null) {
        stat.incrementShowCount();
    }
    return false;
}

Example 7 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

the class WallVisitorUtils method check.

/**
 * Wall check for a table reference ({@code FROM t}, {@code INSERT INTO t}, ...).
 * <p>
 * Two things happen here, in this order: per-table statistics are recorded on the
 * current {@link WallContext}, then the deny-table / permit-table rules of the
 * visitor's config are applied. Only the simple (unqualified) table name takes part
 * in the deny/permit matching; a schema qualifier is validated separately by
 * {@code checkSchema} on the owner expression.
 *
 * @param visitor the wall visitor; supplies the config and receives violations
 * @param x       the table source being visited
 * @return {@code false} when this table source has been fully handled here (schema
 *         rejected, table denied, or consumed as a permit/system-table marker);
 *         {@code true} otherwise. NOTE(review): how callers interpret the result
 *         (e.g. whether children are still visited) is not visible here — confirm.
 */
public static boolean check(WallVisitor visitor, SQLExprTableSource x) {
    // Per-thread state of the statement currently under check; looks like a
    // ThreadLocal and may be null when no top-statement context was set up.
    final WallTopStatementContext topStatementContext = wallTopStatementContextLocal.get();
    SQLExpr expr = x.getExpr();
    // Schema-qualified name: validate the schema first; a rejected schema ends the check.
    if (expr instanceof SQLPropertyExpr) {
        boolean checkResult = checkSchema(visitor, ((SQLPropertyExpr) expr).getOwner());
        if (!checkResult) {
            return false;
        }
    }
    if (expr instanceof SQLName) {
        // Only the unqualified name is used from here on (stats, deny list, permit list).
        String tableName = ((SQLName) expr).getSimpleName();
        WallContext context = WallContext.current();
        if (context != null) {
            WallSqlTableStat tableStat = context.getTableStat(tableName);
            if (tableStat != null) {
                // Statistics: climb past nested table sources (joins, subqueries) to the
                // query block or statement that owns this reference, then count by kind.
                SQLObject parent = x.getParent();
                while (parent instanceof SQLTableSource) {
                    parent = parent.getParent();
                }
                if (parent instanceof SQLSelectQueryBlock) {
                    SQLSelectQueryBlock queryBlock = (SQLSelectQueryBlock) parent;
                    // SELECT ... INTO <this table> is counted separately from a plain SELECT.
                    if (x == queryBlock.getInto()) {
                        tableStat.incrementSelectIntoCount();
                    } else {
                        tableStat.incrementSelectCount();
                    }
                } else if (parent instanceof SQLTruncateStatement) {
                    tableStat.incrementTruncateCount();
                } else if (parent instanceof SQLInsertStatement) {
                    tableStat.incrementInsertCount();
                } else if (parent instanceof SQLDeleteStatement) {
                    tableStat.incrementDeleteCount();
                } else if (parent instanceof SQLUpdateStatement) {
                    tableStat.incrementUpdateCount();
                } else if (parent instanceof MySqlReplaceStatement) {
                    tableStat.incrementReplaceCount();
                }
            }
        }
        // A statement already classified as system-schema / system-table access skips
        // the deny and permit rules below entirely.
        if (topStatementContext != null && (topStatementContext.fromSysSchema || topStatementContext.fromSysTable)) {
            return true;
        }
        // Deny rule; it is relaxed once the top statement has been marked as reading a
        // permitted table (see the permit branch below).
        if (visitor.isDenyTable(tableName) && !(topStatementContext != null && topStatementContext.fromPermitTable())) {
            // Denied table referenced directly by the top statement or as the first SELECT
            // source: it is recorded as system-table access and previously collected
            // violations are dropped instead of raising TABLE_DENY.
            // NOTE(review): confirm this is the intended policy — it decides which denied
            // references are reported and which are silently reclassified.
            if (isTopStatementWithTableSource(x) || isFirstSelectTableSource(x)) {
                if (topStatementContext != null) {
                    topStatementContext.setFromSysTable(Boolean.TRUE);
                    clearViolation(visitor);
                }
                return false;
            }
            // Presumably a top-level SELECT with no FROM clause; not reported either — verify against isTopNoneFromSelect.
            boolean isTopNoneFrom = isTopNoneFromSelect(visitor, x);
            if (isTopNoneFrom) {
                return false;
            }
            // Every other reference to a denied table is a violation.
            addViolation(visitor, ErrorCode.TABLE_DENY, "deny table : " + tableName, x);
            return false;
        }
        // Permitted table as the first SELECT source: remember it on the top statement
        // (this relaxes the deny rule for later references) and stop here.
        if (visitor.getConfig().getPermitTables().contains(tableName)) {
            if (isFirstSelectTableSource(x)) {
                if (topStatementContext != null) {
                    topStatementContext.setFromPermitTable(Boolean.TRUE);
                }
                return false;
            }
        }
    }
    return true;
}

Example 8 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

the class WallVisitorUtils method getValue.

/**
 * Statically evaluates a binary expression for the wall's constant-condition checks.
 * <p>
 * The result is a tri-state: {@code Boolean.TRUE} / {@code Boolean.FALSE} when the
 * truth value can be decided from constants and identical identifiers alone,
 * {@code null} when it cannot, or whatever {@code eval} returns for the remaining
 * operators. Along the way it records always-true / always-false parts on the
 * current condition context and raises {@code DOUBLE_CONST_CONDITION} and
 * {@code SAME_CONST_LIKE} violations.
 *
 * @param visitor the wall visitor; the AND branch tolerates {@code null}, but see the
 *                note at the LIKE check below
 * @param x       the binary expression to evaluate
 * @return a {@code Boolean}, {@code null}, or the value computed by {@code eval}
 */
public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) {
    // OR: evaluate the operands right-to-left; a single constant TRUE decides the whole disjunction.
    if (x.getOperator() == SQLBinaryOperator.BooleanOr) {
        List<SQLExpr> groupList = SQLUtils.split(x);
        boolean allFalse = true;
        for (int i = groupList.size() - 1; i >= 0; --i) {
            SQLExpr item = groupList.get(i);
            Object result = getValue(visitor, item);
            Boolean booleanVal = SQLEvalVisitorUtils.castToBoolean(result);
            // Identity compare: relies on castToBoolean returning the canonical
            // Boolean.TRUE / Boolean.FALSE instances — confirm.
            if (Boolean.TRUE == booleanVal) {
                // A constant TRUE that is not the first operand is recorded as an always-true part.
                final WallConditionContext wallContext = WallVisitorUtils.getWallConditionContext();
                if (wallContext != null && !isFirst(item)) {
                    wallContext.setPartAlwayTrue(true);
                }
                return true;
            }
            // Anything other than a constant FALSE means the disjunction is not provably false.
            if (Boolean.FALSE != booleanVal) {
                allFalse = false;
            }
        }
        if (allFalse) {
            return false;
        }
        return null;
    }
    // AND: same right-to-left walk with a tri-state allTrue and a run counter of
    // adjacent constant operands (dalConst).
    if (x.getOperator() == SQLBinaryOperator.BooleanAnd) {
        List<SQLExpr> groupList = SQLUtils.split(x);
        int dalConst = 0;
        Boolean allTrue = Boolean.TRUE;
        for (int i = groupList.size() - 1; i >= 0; --i) {
            SQLExpr item = groupList.get(i);
            Object result = getValue(visitor, item);
            Boolean booleanVal = SQLEvalVisitorUtils.castToBoolean(result);
            if (Boolean.TRUE == booleanVal) {
                final WallConditionContext wallContext = WallVisitorUtils.getWallConditionContext();
                if (wallContext != null && !isFirst(item)) {
                    wallContext.setPartAlwayTrue(true);
                }
                dalConst++;
            } else if (Boolean.FALSE == booleanVal) {
                final WallConditionContext wallContext = WallVisitorUtils.getWallConditionContext();
                if (wallContext != null && !isFirst(item)) {
                    wallContext.setPartAlwayFalse(true);
                }
                allTrue = Boolean.FALSE;
                dalConst++;
            } else {
                // A non-constant operand downgrades TRUE to "unknown" but never overrides FALSE,
                // and breaks the run of adjacent constants.
                if (allTrue != Boolean.FALSE) {
                    allTrue = null;
                }
                dalConst = 0;
            }
            // Two adjacent constant operands are reported unless the config allows them.
            if (dalConst == 2 && visitor != null && !visitor.getConfig().isConditionDoubleConstAllow()) {
                addViolation(visitor, ErrorCode.DOUBLE_CONST_CONDITION, "double const condition", x);
            }
        }
        if (Boolean.TRUE == allTrue) {
            return true;
        } else if (Boolean.FALSE == allTrue) {
            return false;
        }
        return null;
    }
    // True when any of the arithmetic / bitwise / xor relaxations is switched off in the config.
    boolean checkCondition = visitor != null && (!visitor.getConfig().isConstArithmeticAllow() || !visitor.getConfig().isConditionOpBitwseAllow() || !visitor.getConfig().isConditionOpXorAllow());
    if (x.getLeft() instanceof SQLName) {
        if (x.getRight() instanceof SQLName) {
            // The same identifier on both sides (case-insensitive textual compare):
            // the outcome is fixed by the operator alone.
            if (x.getLeft().toString().equalsIgnoreCase(x.getRight().toString())) {
                switch(x.getOperator()) {
                    case Equality:
                    case Like:
                        return Boolean.TRUE;
                    case NotEqual:
                    case GreaterThan:
                    case GreaterThanOrEqual:
                    case LessThan:
                    case LessThanOrEqual:
                    case LessThanOrGreater:
                    case NotLike:
                        return Boolean.FALSE;
                    default:
                        break;
                }
            }
        } else if (!checkCondition) {
            // Identifier compared with a non-identifier: undecidable (null) for plain
            // comparisons when the stricter checks are off.
            switch(x.getOperator()) {
                case Equality:
                case NotEqual:
                case GreaterThan:
                case GreaterThanOrEqual:
                case LessThan:
                case LessThanOrEqual:
                case LessThanOrGreater:
                    return null;
                default:
                    break;
            }
        }
    }
    // Two literal (valuable) operands: decide = / <> directly and cache the result on the node.
    if (x.getLeft() instanceof SQLValuableExpr && x.getRight() instanceof SQLValuableExpr) {
        Object leftValue = ((SQLValuableExpr) x.getLeft()).getValue();
        Object rightValue = ((SQLValuableExpr) x.getRight()).getValue();
        if (x.getOperator() == SQLBinaryOperator.Equality) {
            boolean evalValue = SQLEvalVisitorUtils.eq(leftValue, rightValue);
            x.putAttribute(EVAL_VALUE, evalValue);
            return evalValue;
        } else if (x.getOperator() == SQLBinaryOperator.NotEqual) {
            boolean evalValue = SQLEvalVisitorUtils.eq(leftValue, rightValue);
            x.putAttribute(EVAL_VALUE, !evalValue);
            return !evalValue;
        }
    }
    // Otherwise evaluate both sides recursively.
    Object leftResult = getValue(visitor, x.getLeft());
    Object rightResult = getValue(visitor, x.getRight());
    // LIKE between two identical string constants is reported.
    // NOTE(review): unlike the AND branch above, visitor is not null-checked before
    // addViolation here — confirm addViolation tolerates a null visitor.
    if (x.getOperator() == SQLBinaryOperator.Like && leftResult instanceof String && leftResult.equals(rightResult)) {
        addViolation(visitor, ErrorCode.SAME_CONST_LIKE, "same const like", x);
    }
    // LIKE / NOT LIKE against a numeric operand is counted as a warning on the wall context.
    if (x.getOperator() == SQLBinaryOperator.Like || x.getOperator() == SQLBinaryOperator.NotLike) {
        WallContext context = WallContext.current();
        if (context != null) {
            if (rightResult instanceof Number || leftResult instanceof Number) {
                context.incrementLikeNumberWarnings();
            }
        }
    }
    // dbType is handed to eval for dialect-specific behaviour; null when no wall context is active.
    String dbType = null;
    WallContext wallContext = WallContext.current();
    if (wallContext != null) {
        dbType = wallContext.getDbType();
    }
    return eval(visitor, dbType, x, Collections.emptyList());
}

Example 9 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

the class WallVisitorUtils method check.

/**
 * Records an ALTER TABLE against the statement's table in the current wall context.
 * <p>
 * Statistics only: no violation is raised here. Does nothing when no
 * {@link WallContext} is active or the table has no stat entry.
 *
 * @param visitor the wall visitor (not consulted by this method)
 * @param x       the ALTER TABLE statement; its name is cast to {@link SQLName}
 * @throws ClassCastException if the statement's name is not an {@link SQLName}
 */
public static void check(WallVisitor visitor, SQLAlterTableStatement x) {
    // Cast first so behaviour is unchanged when no context is present.
    String simpleName = ((SQLName) x.getName()).getSimpleName();
    WallContext current = WallContext.current();
    if (current == null) {
        return;
    }
    WallSqlTableStat stat = current.getTableStat(simpleName);
    if (stat == null) {
        return;
    }
    stat.incrementAlterCount();
}

Example 10 with WallContext

use of com.alibaba.druid.wall.WallContext in project druid by alibaba.

the class WallVisitorUtils method checkUnion.

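/**
 * Applies the wall's UNION-family checks to a compound query.
 * <p>
 * Checks run in this order, each adding a violation and returning:
 * <ol>
 *   <li>MINUS when {@code isMinusAllow()} is false.</li>
 *   <li>INTERSECT when {@code isIntersectAllow()} is false.</li>
 *   <li>A right-hand branch without a FROM clause while the left branch has one.
 *       The union-warning counter on the current {@link WallContext} is incremented
 *       and a {@link ErrorCode#UNION} violation is added when the operator's
 *       {@code isSelect*Check()} option is on (UNION / UNION ALL / DISTINCT
 *       additionally require the SQL to end in a comment).</li>
 * </ol>
 * The third check is skipped when the union is owned by an UPDATE or INSERT
 * statement, or when the left branch is a bare {@code SELECT ... FROM <table>}
 * without a WHERE clause.
 *
 * @param visitor the wall visitor whose config decides what is allowed and that receives violations
 * @param x       the union query under inspection
 */
public static void checkUnion(WallVisitor visitor, SQLUnionQuery x) {
    SQLUnionOperator op = x.getOperator();

    if (op == SQLUnionOperator.MINUS && !visitor.getConfig().isMinusAllow()) {
        addViolation(visitor, ErrorCode.INTERSET_NOT_ALLOW, "minus not allow", x);
        return;
    }
    if (op == SQLUnionOperator.INTERSECT && !visitor.getConfig().isIntersectAllow()) {
        addViolation(visitor, ErrorCode.INTERSET_NOT_ALLOW, "intersect not allow", x);
        return;
    }

    // Only the asymmetric shape is of interest: the left branch has a FROM clause,
    // the right one does not. Left is evaluated first, as before.
    boolean leftHasFrom = !WallVisitorUtils.queryBlockFromIsNull(visitor, x.getLeft());
    if (!leftHasFrom) {
        return;
    }
    if (!WallVisitorUtils.queryBlockFromIsNull(visitor, x.getRight())) {
        return;
    }

    // Climb out of the select / join / subquery nesting to the object that owns this union.
    SQLObject owner = x.getParent();
    while (owner instanceof SQLSelectQuery
            || owner instanceof SQLJoinTableSource
            || owner instanceof SQLSubqueryTableSource
            || owner instanceof SQLSelect) {
        owner = owner.getParent();
    }
    // A union that belongs to an UPDATE or INSERT statement is left alone here.
    if (owner instanceof SQLUpdateStatement || owner instanceof SQLInsertStatement) {
        return;
    }

    // A left branch that is a bare "SELECT ... FROM <table>" with no WHERE is not flagged.
    if (x.getLeft() instanceof SQLSelectQueryBlock) {
        SQLSelectQueryBlock leftBlock = (SQLSelectQueryBlock) x.getLeft();
        // instanceof already rejects null, so no separate null check on getFrom() is needed.
        if (leftBlock.getWhere() == null && leftBlock.getFrom() instanceof SQLExprTableSource) {
            return;
        }
    }

    WallContext context = WallContext.current();
    if (context != null) {
        context.incrementUnionWarnings();
    }

    // Which operator-specific check option governs this union.
    boolean plainUnion = op == SQLUnionOperator.UNION
            || op == SQLUnionOperator.UNION_ALL
            || op == SQLUnionOperator.DISTINCT;
    boolean flagged =
            (plainUnion && visitor.getConfig().isSelectUnionCheck() && visitor.isSqlEndOfComment())
            || (op == SQLUnionOperator.MINUS && visitor.getConfig().isSelectMinusCheck())
            || (op == SQLUnionOperator.INTERSECT && visitor.getConfig().isSelectIntersectCheck())
            || (op == SQLUnionOperator.EXCEPT && visitor.getConfig().isSelectExceptCheck());
    if (flagged) {
        addViolation(visitor, ErrorCode.UNION, op.toString() + " query not contains 'from clause'", x);
    }
}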
