
Example 1 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in the druid project by alibaba.

From the class SQLServerWallVisitor, method visit.

// SQLServerWallVisitor: references to @@-prefixed system variables are
// checked against the configured deny list when variant checking is on.
public boolean visit(SQLVariantRefExpr x) {
    String varName = x.getName();
    if (varName == null) {
        return false;
    }
    // Only global/system variables (@@name) are subject to the variant check.
    if (config.isVariantCheck() && varName.startsWith("@@")) {
        final WallTopStatementContext topStatementContext = WallVisitorUtils.getWallTopStatementContext();
        // Skip the variable check when the top-level statement already reads
        // from a system schema or a system table.
        if (topStatementContext != null && (topStatementContext.fromSysSchema() || topStatementContext.fromSysTable())) {
            return false;
        }
        boolean allow = true;
        // A denied variable is a violation only where it can influence the
        // result: in a WHERE/HAVING clause or in an expression that
        // checkSqlExpr flags.
        if (isDeny(varName) && (WallVisitorUtils.isWhereOrHaving(x) || WallVisitorUtils.checkSqlExpr(x))) {
            allow = false;
        }
        if (!allow) {
            violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + x.getName(), toSQL(x)));
        }
    }
    // false: do not descend into the children of the variable reference.
    return false;
}

Also used:
  com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext
  com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

Example 2 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in the druid project by alibaba.

From the class DB2WallVisitor, method visit.

// DB2WallVisitor: plain identifiers are matched against the deny-variant list
// after normalisation, since DB2 has no @@ variable syntax to key on.
public boolean visit(SQLIdentifierExpr x) {
    String name = x.getName();
    // form() normalises the identifier (quoting and case) so that it can be
    // compared with the entries of the deny list.
    name = WallVisitorUtils.form(name);
    if (config.isVariantCheck() && config.getDenyVariants().contains(name)) {
        getViolations().add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + name, toSQL(x)));
    }
    // true: keep visiting the children of this node.
    return true;
}

Also used:
  com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

Example 3 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in the druid project by alibaba.

From the class MySqlWallVisitor, method visit.

// MySqlWallVisitor: same idea as the SQL Server visitor, with two extra
// exemptions (checkVar and a bare top-level SELECT without FROM).
public boolean visit(SQLVariantRefExpr x) {
    String varName = x.getName();
    if (varName == null) {
        return false;
    }
    // checkVar decides whether the variable is permitted in its parent
    // position; only variables it rejects go through the stricter checks.
    if (varName.startsWith("@@") && !checkVar(x.getParent(), x.getName())) {
        final WallTopStatementContext topStatementContext = WallVisitorUtils.getWallTopStatementContext();
        // Skip the variable check when the top-level statement already reads
        // from a system schema or a system table.
        if (topStatementContext != null && (topStatementContext.fromSysSchema() || topStatementContext.fromSysTable())) {
            return false;
        }
        // A top-level SELECT with no FROM clause is tolerated here.
        boolean isTop = WallVisitorUtils.isTopNoneFromSelect(this, x);
        if (!isTop) {
            boolean allow = true;
            // Denied variables are flagged only in WHERE/HAVING or in an
            // expression that checkSqlExpr flags.
            if (isDeny(varName) && (WallVisitorUtils.isWhereOrHaving(x) || WallVisitorUtils.checkSqlExpr(x))) {
                allow = false;
            }
            if (!allow) {
                violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + x.getName(), toSQL(x)));
            }
        }
    }
    // false: do not descend into the children of the variable reference.
    return false;
}

Also used:
  com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext
  com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

Example 4 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in the druid project by alibaba.

From the class OracleWallVisitor, method visit.

// OracleWallVisitor: identical to the DB2 visitor above; identifiers are
// normalised and then matched against the deny-variant list.
public boolean visit(SQLIdentifierExpr x) {
    String name = x.getName();
    // form() normalises the identifier (quoting and case) before the lookup.
    name = WallVisitorUtils.form(name);
    if (config.isVariantCheck() && config.getDenyVariants().contains(name)) {
        getViolations().add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + name, toSQL(x)));
    }
    // true: keep visiting the children of this node.
    return true;
}

Also used:
  com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

Example 5 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in the druid project by alibaba.

From the class WallProvider, method checkInternal.

// WallProvider.checkInternal: the core of the SQL firewall ("wall"). Each
// statement goes through a cached white/black-list lookup, a parse, and a
// dialect-specific WallVisitor; any Violation collected on the way marks the
// SQL as blocked and records it in the black-list cache.
private WallCheckResult checkInternal(String sql) {
    checkCount.incrementAndGet();
    // The context is dereferenced below before the null check near the end,
    // so the caller is assumed to have created it before invoking this method.
    WallContext context = WallContext.current();
    // Privileged callers bypass the firewall entirely when the config allows it.
    if (config.isDoPrivilegedAllow() && ispPrivileged()) {
        WallCheckResult checkResult = new WallCheckResult();
        checkResult.setSql(sql);
        return checkResult;
    }
    // first step, check whiteList
    // The cached white/black-list lookup is skipped in multi-tenant mode
    // (a tenant table pattern is configured).
    boolean mulltiTenant = config.getTenantTablePattern() != null && config.getTenantTablePattern().length() > 0;
    if (!mulltiTenant) {
        WallCheckResult checkResult = checkWhiteAndBlackList(sql);
        if (checkResult != null) {
            checkResult.setSql(sql);
            return checkResult;
        }
    }
    // Cache miss: parse and walk the statement (the expensive "hard" check).
    hardCheckCount.incrementAndGet();
    final List<Violation> violations = new ArrayList<Violation>();
    List<SQLStatement> statementList = new ArrayList<SQLStatement>();
    boolean syntaxError = false;
    boolean endOfComment = false;
    try {
        SQLStatementParser parser = createParser(sql);
        parser.getLexer().setCommentHandler(WallCommentHandler.instance);
        if (!config.isCommentAllow()) {
            // deny comment: the lexer raises NotAllowCommentException on any comment
            parser.getLexer().setAllowComment(false);
        }
        // Optionally parse only the first N VALUES rows of a bulk INSERT.
        if (!config.isCompleteInsertValuesCheck()) {
            parser.setParseCompleteValues(false);
            parser.setParseValuesSize(config.getInsertValuesCheckSize());
        }
        parser.parseStatementList(statementList);
        // Input left unconsumed after the last statement is a violation in
        // strict mode: the SQL did not terminate where the parser expected.
        final Token lastToken = parser.getLexer().token();
        if (lastToken != Token.EOF && config.isStrictSyntaxCheck()) {
            violations.add(new IllegalSQLObjectViolation(ErrorCode.SYNTAX_ERROR, "not terminal sql, token " + lastToken, sql));
        }
        endOfComment = parser.getLexer().isEndOfComment();
    } catch (NotAllowCommentException e) {
        violations.add(new IllegalSQLObjectViolation(ErrorCode.COMMENT_STATEMENT_NOT_ALLOW, "comment not allow", sql));
        incrementCommentDeniedCount();
    } catch (ParserException e) {
        // Syntax errors are always counted; only strict mode turns them into violations.
        syntaxErrorCount.incrementAndGet();
        syntaxError = true;
        if (config.isStrictSyntaxCheck()) {
            violations.add(new SyntaxErrorViolation(e, sql));
        }
    } catch (Exception e) {
        if (config.isStrictSyntaxCheck()) {
            violations.add(new SyntaxErrorViolation(e, sql));
        }
    }
    // Stacked statements are rejected unless explicitly allowed.
    if (statementList.size() > 1 && !config.isMultiStatementAllow()) {
        violations.add(new IllegalSQLObjectViolation(ErrorCode.MULTI_STATEMENT, "multi-statement not allow", sql));
    }
    WallVisitor visitor = createWallVisitor();
    visitor.setSqlEndOfComment(endOfComment);
    if (statementList.size() > 0) {
        boolean lastIsHint = false;
        for (int i = 0; i < statementList.size(); i++) {
            SQLStatement stmt = statementList.get(i);
            // Leading MySQL hint statements are skipped; every other statement
            // is walked by the dialect-specific visitor.
            if ((i == 0 || lastIsHint) && stmt instanceof MySqlHintStatement) {
                lastIsHint = true;
                continue;
            }
            try {
                stmt.accept(visitor);
            } catch (ParserException e) {
                violations.add(new SyntaxErrorViolation(e, sql));
            }
        }
    }
    if (visitor.getViolations().size() > 0) {
        violations.addAll(visitor.getViolations());
    }
    // Record the outcome in the black or white SQL cache (only for statements
    // shorter than MAX_SQL_LENGTH) so that repeats skip the parse next time.
    WallSqlStat sqlStat = null;
    if (violations.size() > 0) {
        violationCount.incrementAndGet();
        if (sql.length() < MAX_SQL_LENGTH) {
            sqlStat = addBlackSql(sql, context.getTableStats(), context.getFunctionStats(), violations, syntaxError);
        }
    } else {
        if (sql.length() < MAX_SQL_LENGTH) {
            sqlStat = addWhiteSql(sql, context.getTableStats(), context.getFunctionStats(), syntaxError);
        }
    }
    // Per-table and per-function statistics gathered during the visit.
    Map<String, WallSqlTableStat> tableStats = null;
    Map<String, WallSqlFunctionStat> functionStats = null;
    if (context != null) {
        tableStats = context.getTableStats();
        functionStats = context.getFunctionStats();
        recordStats(tableStats, functionStats);
    }
    WallCheckResult result;
    if (sqlStat != null) {
        context.setSqlStat(sqlStat);
        result = new WallCheckResult(sqlStat, statementList);
    } else {
        result = new WallCheckResult(null, violations, tableStats, functionStats, statementList, syntaxError);
    }
    // If the visitor rewrote the statement, return the regenerated SQL text.
    String resultSql;
    if (visitor.isSqlModified()) {
        resultSql = SQLUtils.toSQLString(statementList, dbType);
    } else {
        resultSql = sql;
    }
    result.setSql(resultSql);
    return result;
}

Also used:
  com.alibaba.druid.sql.ast.SQLStatement
  com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlHintStatement
  com.alibaba.druid.sql.parser.NotAllowCommentException
  com.alibaba.druid.sql.parser.ParserException
  com.alibaba.druid.sql.parser.SQLStatementParser
  com.alibaba.druid.sql.parser.Token
  com.alibaba.druid.wall.violation.IllegalSQLObjectViolation
  com.alibaba.druid.wall.violation.SyntaxErrorViolation
  java.util.ArrayList
