
Example 1 with WallTopStatementContext

Use of com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext in project druid by alibaba.

Class SQLServerWallVisitor, method visit.

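public boolean visit(SQLVariantRefExpr x) {
    String varName = x.getName();
    if (varName == null) {
        return false;
    }
    // Only "@@"-prefixed names are checked, and only when the variant check is enabled in the wall config.
    if (config.isVariantCheck() && varName.startsWith("@@")) {
        // No violation is recorded when the top-level statement context reports a system schema or system table.
        final WallTopStatementContext topStatementContext = WallVisitorUtils.getWallTopStatementContext();
        if (topStatementContext != null && (topStatementContext.fromSysSchema() || topStatementContext.fromSysTable())) {
            return false;
        }
        boolean allow = true;
        // Deny only a denied variable that sits in a WHERE/HAVING clause or is flagged by checkSqlExpr.
        if (isDeny(varName) && (WallVisitorUtils.isWhereOrHaving(x) || WallVisitorUtils.checkSqlExpr(x))) {
            allow = false;
        }
        if (!allow) {
            // Record the violation with the offending expression rendered back to SQL.
            violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + x.getName(), toSQL(x)));
        }
    }
    return false;
}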
Also used: WallTopStatementContext (com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext), IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation)

Example 2 with WallTopStatementContext

Use of com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext in project druid by alibaba.

Class MySqlWallVisitor, method visit.

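public boolean visit(SQLVariantRefExpr x) {
    String varName = x.getName();
    if (varName == null) {
        return false;
    }
    // Only "@@"-prefixed names that checkVar does not accept for this parent node are examined further.
    if (varName.startsWith("@@") && !checkVar(x.getParent(), x.getName())) {
        // No violation is recorded when the top-level statement context reports a system schema or system table.
        final WallTopStatementContext topStatementContext = WallVisitorUtils.getWallTopStatementContext();
        if (topStatementContext != null && (topStatementContext.fromSysSchema() || topStatementContext.fromSysTable())) {
            return false;
        }
        // The deny check is skipped when isTopNoneFromSelect returns true for this expression.
        boolean isTop = WallVisitorUtils.isTopNoneFromSelect(this, x);
        if (!isTop) {
            boolean allow = true;
            // Deny only a denied variable that sits in a WHERE/HAVING clause or is flagged by checkSqlExpr.
            if (isDeny(varName) && (WallVisitorUtils.isWhereOrHaving(x) || WallVisitorUtils.checkSqlExpr(x))) {
                allow = false;
            }
            if (!allow) {
                // Record the violation with the offending expression rendered back to SQL.
                violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + x.getName(), toSQL(x)));
            }
        }
    }
    return false;
}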
Also used: WallTopStatementContext (com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext), IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation)

Aggregations

WallTopStatementContext (com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext): 2
IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation): 2