
Example 6 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in project druid by alibaba.

From class MySqlWallVisitor, method visit(SQLPropertyExpr). It rejects MySQL system-variable references (@@session.*, @@global.*) that appear anywhere other than a select list or an assignment, and applies the configured deny list to variables used in conditions.

@Override
public boolean visit(SQLPropertyExpr x) {
    // Only property expressions whose owner is a variable reference are of interest here,
    // i.e. forms such as @@session.xxx or @@global.xxx.
    if (x.getOwner() instanceof SQLVariantRefExpr) {
        SQLVariantRefExpr varExpr = (SQLVariantRefExpr) x.getOwner();
        SQLObject parent = x.getParent();
        String varName = varExpr.getName();
        if (varName.equalsIgnoreCase("@@session") || varName.equalsIgnoreCase("@@global")) {
            // System variables are permitted only as a select item or the target of an
            // assignment; any other position (e.g. inside a WHERE condition) is a violation.
            if (!(parent instanceof SQLSelectItem) && !(parent instanceof SQLAssignItem)) {
                violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable in condition not allow", toSQL(x)));
                return false;
            }
            if (!checkVar(x.getParent(), x.getName())) {
                // A top-level SELECT without a FROM clause (e.g. "SELECT @@session.x") is tolerated.
                boolean isTop = WallVisitorUtils.isTopNoneFromSelect(this, x);
                if (!isTop) {
                    boolean allow = true;
                    // A denied variable name is rejected when it sits in WHERE/HAVING or in an
                    // expression the wall flags as suspicious.
                    if (isDeny(varName) && (WallVisitorUtils.isWhereOrHaving(x) || WallVisitorUtils.checkSqlExpr(varExpr))) {
                        allow = false;
                    }
                    if (!allow) {
                        violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + x.getName(), toSQL(x)));
                    }
                }
            }
            // Do not descend into the children of this expression.
            return false;
        }
    }
    // Fall through to the shared wall checks for ordinary property expressions.
    WallVisitorUtils.check(this, x);
    return true;
}
Also used: SQLAssignItem (com.alibaba.druid.sql.ast.statement.SQLAssignItem), SQLObject (com.alibaba.druid.sql.ast.SQLObject), SQLSelectItem (com.alibaba.druid.sql.ast.statement.SQLSelectItem), IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation), SQLVariantRefExpr (com.alibaba.druid.sql.ast.expr.SQLVariantRefExpr)

Example 7 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in project druid by alibaba.

From class MySqlWallVisitor, method visit(SQLLimit). It counts a literal LIMIT 0 as a warning and, unless the configuration explicitly allows it, records it as a violation.

@Override
public boolean visit(SQLLimit x) {
    // Only a literal row count can be evaluated statically; a bound parameter is skipped.
    if (x.getRowCount() instanceof SQLNumericLiteralExpr) {
        WallContext context = WallContext.current();
        int rowCount = ((SQLNumericLiteralExpr) x.getRowCount()).getNumber().intValue();
        if (rowCount == 0) {
            // LIMIT 0 is always counted as a warning in the current wall context ...
            if (context != null) {
                context.incrementWarnings();
            }
            // ... and becomes a violation unless limitZeroAllow is set in the WallConfig.
            if (!provider.getConfig().isLimitZeroAllow()) {
                this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.LIMIT_ZERO, "limit row 0", this.toSQL(x)));
            }
        }
    }
    return true;
}
Also used: SQLNumericLiteralExpr (com.alibaba.druid.sql.ast.expr.SQLNumericLiteralExpr), IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation), SQLCommentHint (com.alibaba.druid.sql.ast.SQLCommentHint), WallContext (com.alibaba.druid.wall.WallContext)

Example 8 with IllegalSQLObjectViolation

Use of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation in project druid by alibaba.

From class PGWallVisitor, method visit(SQLIdentifierExpr). It normalises the identifier name and records a violation when variant checking is enabled and the name is on the configured deny list.

@Override
public boolean visit(SQLIdentifierExpr x) {
    String name = x.getName();
    // Normalise the identifier (strip quoting, unify case) before comparing it with the deny list.
    name = WallVisitorUtils.form(name);
    // Record a violation when variant checking is on and the name is a denied variant.
    if (config.isVariantCheck() && config.getDenyVariants().contains(name)) {
        getViolations().add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + name, toSQL(x)));
    }
    return true;
}
Also used: IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation)

Aggregations

Classes used across the examples, with the number of examples each appears in:

IllegalSQLObjectViolation (com.alibaba.druid.wall.violation.IllegalSQLObjectViolation): 8
WallTopStatementContext (com.alibaba.druid.wall.spi.WallVisitorUtils.WallTopStatementContext): 2
SQLCommentHint (com.alibaba.druid.sql.ast.SQLCommentHint): 1
SQLObject (com.alibaba.druid.sql.ast.SQLObject): 1
SQLStatement (com.alibaba.druid.sql.ast.SQLStatement): 1
SQLNumericLiteralExpr (com.alibaba.druid.sql.ast.expr.SQLNumericLiteralExpr): 1
SQLVariantRefExpr (com.alibaba.druid.sql.ast.expr.SQLVariantRefExpr): 1
SQLAssignItem (com.alibaba.druid.sql.ast.statement.SQLAssignItem): 1
SQLSelectItem (com.alibaba.druid.sql.ast.statement.SQLSelectItem): 1
MySqlHintStatement (com.alibaba.druid.sql.dialect.mysql.ast.statement.MySqlHintStatement): 1
NotAllowCommentException (com.alibaba.druid.sql.parser.NotAllowCommentException): 1
ParserException (com.alibaba.druid.sql.parser.ParserException): 1
SQLStatementParser (com.alibaba.druid.sql.parser.SQLStatementParser): 1
Token (com.alibaba.druid.sql.parser.Token): 1
WallContext (com.alibaba.druid.wall.WallContext): 1
SyntaxErrorViolation (com.alibaba.druid.wall.violation.SyntaxErrorViolation): 1
ArrayList (java.util.ArrayList): 1