Example 6 with WallContext
use of com.alibaba.druid.wall.WallContext in project druid by alibaba.
the class MySqlWallVisitor method visit.
@Override
public boolean visit(MySqlShowCreateTableStatement x) {
String tableName = ((SQLName) x.getName()).getSimpleName();
WallContext context = WallContext.current();
if (context != null) {
WallSqlTableStat tableStat = context.getTableStat(tableName);
if (tableStat != null) {
tableStat.incrementShowCount();
}
}
return false;
}
Also used :
WallSqlTableStat(com.alibaba.druid.wall.WallSqlTableStat)
SQLName(com.alibaba.druid.sql.ast.SQLName)
WallContext(com.alibaba.druid.wall.WallContext)
Example 7 with WallContext
use of com.alibaba.druid.wall.WallContext in project druid by alibaba.
the class WallVisitorUtils method check.
public static boolean check(WallVisitor visitor, SQLExprTableSource x) {
final WallTopStatementContext topStatementContext = wallTopStatementContextLocal.get();
SQLExpr expr = x.getExpr();
if (expr instanceof SQLPropertyExpr) {
boolean checkResult = checkSchema(visitor, ((SQLPropertyExpr) expr).getOwner());
if (!checkResult) {
return false;
}
}
if (expr instanceof SQLName) {
String tableName = ((SQLName) expr).getSimpleName();
WallContext context = WallContext.current();
if (context != null) {
WallSqlTableStat tableStat = context.getTableStat(tableName);
if (tableStat != null) {
SQLObject parent = x.getParent();
while (parent instanceof SQLTableSource) {
parent = parent.getParent();
}
if (parent instanceof SQLSelectQueryBlock) {
SQLSelectQueryBlock queryBlock = (SQLSelectQueryBlock) parent;
if (x == queryBlock.getInto()) {
tableStat.incrementSelectIntoCount();
} else {
tableStat.incrementSelectCount();
}
} else if (parent instanceof SQLTruncateStatement) {
tableStat.incrementTruncateCount();
} else if (parent instanceof SQLInsertStatement) {
tableStat.incrementInsertCount();
} else if (parent instanceof SQLDeleteStatement) {
tableStat.incrementDeleteCount();
} else if (parent instanceof SQLUpdateStatement) {
tableStat.incrementUpdateCount();
} else if (parent instanceof MySqlReplaceStatement) {
tableStat.incrementReplaceCount();
}
}
}
if (topStatementContext != null && (topStatementContext.fromSysSchema || topStatementContext.fromSysTable)) {
return true;
}
if (visitor.isDenyTable(tableName) && !(topStatementContext != null && topStatementContext.fromPermitTable())) {
if (isTopStatementWithTableSource(x) || isFirstSelectTableSource(x)) {
if (topStatementContext != null) {
topStatementContext.setFromSysTable(Boolean.TRUE);
clearViolation(visitor);
}
return false;
}
boolean isTopNoneFrom = isTopNoneFromSelect(visitor, x);
if (isTopNoneFrom) {
return false;
}
addViolation(visitor, ErrorCode.TABLE_DENY, "deny table : " + tableName, x);
return false;
}
if (visitor.getConfig().getPermitTables().contains(tableName)) {
if (isFirstSelectTableSource(x)) {
if (topStatementContext != null) {
topStatementContext.setFromPermitTable(Boolean.TRUE);
}
return false;
}
}
}
return true;
}
Also used :
WallSqlTableStat(com.alibaba.druid.wall.WallSqlTableStat)
SQLObject(com.alibaba.druid.sql.ast.SQLObject)
SQLName(com.alibaba.druid.sql.ast.SQLName)
SQLPropertyExpr(com.alibaba.druid.sql.ast.expr.SQLPropertyExpr)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
MySqlReplaceStatement(com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlReplaceStatement)
WallContext(com.alibaba.druid.wall.WallContext)
Example 8 with WallContext
use of com.alibaba.druid.wall.WallContext in project druid by alibaba.
the class WallVisitorUtils method getValue.
public static Object getValue(WallVisitor visitor, SQLBinaryOpExpr x) {
if (x.getOperator() == SQLBinaryOperator.BooleanOr) {
List<SQLExpr> groupList = SQLUtils.split(x);
boolean allFalse = true;
for (int i = groupList.size() - 1; i >= 0; --i) {
SQLExpr item = groupList.get(i);
Object result = getValue(visitor, item);
Boolean booleanVal = SQLEvalVisitorUtils.castToBoolean(result);
if (Boolean.TRUE == booleanVal) {
final WallConditionContext wallContext = WallVisitorUtils.getWallConditionContext();
if (wallContext != null && !isFirst(item)) {
wallContext.setPartAlwayTrue(true);
}
return true;
}
if (Boolean.FALSE != booleanVal) {
allFalse = false;
}
}
if (allFalse) {
return false;
}
return null;
}
if (x.getOperator() == SQLBinaryOperator.BooleanAnd) {
List<SQLExpr> groupList = SQLUtils.split(x);
int dalConst = 0;
Boolean allTrue = Boolean.TRUE;
for (int i = groupList.size() - 1; i >= 0; --i) {
SQLExpr item = groupList.get(i);
Object result = getValue(visitor, item);
Boolean booleanVal = SQLEvalVisitorUtils.castToBoolean(result);
if (Boolean.TRUE == booleanVal) {
final WallConditionContext wallContext = WallVisitorUtils.getWallConditionContext();
if (wallContext != null && !isFirst(item)) {
wallContext.setPartAlwayTrue(true);
}
dalConst++;
} else if (Boolean.FALSE == booleanVal) {
final WallConditionContext wallContext = WallVisitorUtils.getWallConditionContext();
if (wallContext != null && !isFirst(item)) {
wallContext.setPartAlwayFalse(true);
}
allTrue = Boolean.FALSE;
dalConst++;
} else {
if (allTrue != Boolean.FALSE) {
allTrue = null;
}
dalConst = 0;
}
if (dalConst == 2 && visitor != null && !visitor.getConfig().isConditionDoubleConstAllow()) {
addViolation(visitor, ErrorCode.DOUBLE_CONST_CONDITION, "double const condition", x);
}
}
if (Boolean.TRUE == allTrue) {
return true;
} else if (Boolean.FALSE == allTrue) {
return false;
}
return null;
}
boolean checkCondition = visitor != null && (!visitor.getConfig().isConstArithmeticAllow() || !visitor.getConfig().isConditionOpBitwseAllow() || !visitor.getConfig().isConditionOpXorAllow());
if (x.getLeft() instanceof SQLName) {
if (x.getRight() instanceof SQLName) {
if (x.getLeft().toString().equalsIgnoreCase(x.getRight().toString())) {
switch(x.getOperator()) {
case Equality:
case Like:
return Boolean.TRUE;
case NotEqual:
case GreaterThan:
case GreaterThanOrEqual:
case LessThan:
case LessThanOrEqual:
case LessThanOrGreater:
case NotLike:
return Boolean.FALSE;
default:
break;
}
}
} else if (!checkCondition) {
switch(x.getOperator()) {
case Equality:
case NotEqual:
case GreaterThan:
case GreaterThanOrEqual:
case LessThan:
case LessThanOrEqual:
case LessThanOrGreater:
return null;
default:
break;
}
}
}
if (x.getLeft() instanceof SQLValuableExpr && x.getRight() instanceof SQLValuableExpr) {
Object leftValue = ((SQLValuableExpr) x.getLeft()).getValue();
Object rightValue = ((SQLValuableExpr) x.getRight()).getValue();
if (x.getOperator() == SQLBinaryOperator.Equality) {
boolean evalValue = SQLEvalVisitorUtils.eq(leftValue, rightValue);
x.putAttribute(EVAL_VALUE, evalValue);
return evalValue;
} else if (x.getOperator() == SQLBinaryOperator.NotEqual) {
boolean evalValue = SQLEvalVisitorUtils.eq(leftValue, rightValue);
x.putAttribute(EVAL_VALUE, !evalValue);
return !evalValue;
}
}
Object leftResult = getValue(visitor, x.getLeft());
Object rightResult = getValue(visitor, x.getRight());
if (x.getOperator() == SQLBinaryOperator.Like && leftResult instanceof String && leftResult.equals(rightResult)) {
addViolation(visitor, ErrorCode.SAME_CONST_LIKE, "same const like", x);
}
if (x.getOperator() == SQLBinaryOperator.Like || x.getOperator() == SQLBinaryOperator.NotLike) {
WallContext context = WallContext.current();
if (context != null) {
if (rightResult instanceof Number || leftResult instanceof Number) {
context.incrementLikeNumberWarnings();
}
}
}
String dbType = null;
WallContext wallContext = WallContext.current();
if (wallContext != null) {
dbType = wallContext.getDbType();
}
return eval(visitor, dbType, x, Collections.emptyList());
}
Also used :
SQLName(com.alibaba.druid.sql.ast.SQLName)
SQLObject(com.alibaba.druid.sql.ast.SQLObject)
SQLExpr(com.alibaba.druid.sql.ast.SQLExpr)
SQLCommentHint(com.alibaba.druid.sql.ast.SQLCommentHint)
SQLValuableExpr(com.alibaba.druid.sql.ast.expr.SQLValuableExpr)
WallContext(com.alibaba.druid.wall.WallContext)
Example 9 with WallContext
use of com.alibaba.druid.wall.WallContext in project druid by alibaba.
the class WallVisitorUtils method check.
public static void check(WallVisitor visitor, SQLAlterTableStatement x) {
String tableName = ((SQLName) x.getName()).getSimpleName();
WallContext context = WallContext.current();
if (context != null) {
WallSqlTableStat tableStat = context.getTableStat(tableName);
if (tableStat != null) {
tableStat.incrementAlterCount();
}
}
}
Also used :
WallSqlTableStat(com.alibaba.druid.wall.WallSqlTableStat)
SQLName(com.alibaba.druid.sql.ast.SQLName)
WallContext(com.alibaba.druid.wall.WallContext)
Example 10 with WallContext
use of com.alibaba.druid.wall.WallContext in project druid by alibaba.
the class WallVisitorUtils method checkUnion.
public static void checkUnion(WallVisitor visitor, SQLUnionQuery x) {
if (x.getOperator() == SQLUnionOperator.MINUS && !visitor.getConfig().isMinusAllow()) {
addViolation(visitor, ErrorCode.INTERSET_NOT_ALLOW, "minus not allow", x);
return;
}
if (x.getOperator() == SQLUnionOperator.INTERSECT && !visitor.getConfig().isIntersectAllow()) {
addViolation(visitor, ErrorCode.INTERSET_NOT_ALLOW, "intersect not allow", x);
return;
}
if (!WallVisitorUtils.queryBlockFromIsNull(visitor, x.getLeft()) && WallVisitorUtils.queryBlockFromIsNull(visitor, x.getRight())) {
boolean isTopUpdateStatement = false;
boolean isTopInsertStatement = false;
SQLObject selectParent = x.getParent();
while (//
selectParent instanceof SQLSelectQuery || //
selectParent instanceof SQLJoinTableSource || //
selectParent instanceof SQLSubqueryTableSource || selectParent instanceof SQLSelect) {
selectParent = selectParent.getParent();
}
if (selectParent instanceof SQLUpdateStatement) {
isTopUpdateStatement = true;
}
if (selectParent instanceof SQLInsertStatement) {
isTopInsertStatement = true;
}
if (isTopUpdateStatement || isTopInsertStatement) {
return;
}
if (x.getLeft() instanceof SQLSelectQueryBlock) {
SQLSelectQueryBlock left = (SQLSelectQueryBlock) x.getLeft();
SQLTableSource tableSource = left.getFrom();
if (left.getWhere() == null && tableSource != null && tableSource instanceof SQLExprTableSource) {
return;
}
}
WallContext context = WallContext.current();
if (context != null) {
context.incrementUnionWarnings();
}
if (((x.getOperator() == SQLUnionOperator.UNION || x.getOperator() == SQLUnionOperator.UNION_ALL || x.getOperator() == SQLUnionOperator.DISTINCT) && visitor.getConfig().isSelectUnionCheck() && visitor.isSqlEndOfComment()) || (x.getOperator() == SQLUnionOperator.MINUS && visitor.getConfig().isSelectMinusCheck()) || (x.getOperator() == SQLUnionOperator.INTERSECT && visitor.getConfig().isSelectIntersectCheck()) || (x.getOperator() == SQLUnionOperator.EXCEPT && visitor.getConfig().isSelectExceptCheck())) {
addViolation(visitor, ErrorCode.UNION, x.getOperator().toString() + " query not contains 'from clause'", x);
}
}
}
Also used :
SQLObject(com.alibaba.druid.sql.ast.SQLObject)
WallContext(com.alibaba.druid.wall.WallContext)
Aggregations
WallContext (com.alibaba.druid.wall.WallContext)12
SQLName (com.alibaba.druid.sql.ast.SQLName)6
SQLExpr (com.alibaba.druid.sql.ast.SQLExpr)5
WallSqlTableStat (com.alibaba.druid.wall.WallSqlTableStat)5
SQLObject (com.alibaba.druid.sql.ast.SQLObject)4
SQLCommentHint (com.alibaba.druid.sql.ast.SQLCommentHint)2
WallConfig (com.alibaba.druid.wall.WallConfig)2
SQLNumericLiteralExpr (com.alibaba.druid.sql.ast.expr.SQLNumericLiteralExpr)1
SQLPropertyExpr (com.alibaba.druid.sql.ast.expr.SQLPropertyExpr)1
SQLValuableExpr (com.alibaba.druid.sql.ast.expr.SQLValuableExpr)1
MySqlDeleteStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlDeleteStatement)1
MySqlReplaceStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlReplaceStatement)1
MySqlShowGrantsStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlShowGrantsStatement)1
MySqlUpdateStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlUpdateStatement)1
IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation)1
