jsqlparser:实现基于SQL语法分析的SQL注入攻击检查

之前写过一篇博客：《java:正则表达式检查SQL WHERE条件语句防止注入攻击和常量表达式》,当前时通过正则表达式来检查SQL语句中是否有危险关键字和常量表达式实现SQL语句的注入攻击检查。坦率的说，这个办法是有漏洞的，误判，漏判的概率很大，基于当前我的知识能力，也只能做到这样。
最近学习了jsqlparser,我知道我找到了更好的办法来解决SQL注入攻击检查问题。
jsqlparser是一个java的SQL语句解析器，在上一篇博客：《jsqlparser:基于抽象语法树(AST)遍历SQL语句的语法元素》介绍了如何通过jsqlparser来遍历SQL语句中所有的字段和表名引用。
其实它可以用来进行更复杂的工作，jsqlparser会将一条SQL语句的各种语法元素以抽象语法树(AST，abstract syntax tree)形式解析为很多不同类型对象，通过对AST的遍历就可以对SQL语句进行分析。采用这种方式做SQL注入攻击检查不会有误判，漏判的问题。

SqlInjectionAnalyzer

SqlInjectionAnalyzer SQL注入攻击分析器
jsqlparse提供了两种式遍历SQL语句解析对象，一种是基于TablesNamesFinder，TablesNamesFinder其实是实现jsqparser很多对象访问接口的一个基类
一种是基于CCJSqlParserDefaultVisitor接口。

/*** SQL注入攻击分析器* @author guyadong**/
public class SqlInjectionAnalyzer {private boolean injectCheckEnable = true;private final InjectionSyntaxObjectAnalyzer injectionChecker;private final InjectionAstNodeVisitor injectionVisitor;public SqlInjectionAnalyzer() {this.injectionChecker = new InjectionSyntaxObjectAnalyzer(); this.injectionVisitor = new InjectionAstNodeVisitor();}/*** 启用/关闭注入攻击检查,默认启动* @param enable* @return*/public SqlInjectionAnalyzer injectCheckEnable(boolean enable){injectCheckEnable = enable;return this;}/*** 对解析后的SQL对象执行注入攻击分析，有注入攻击的危险则抛出异常{@link InjectionAttackException}* @param sqlParserInfo* @throws InjectionAttackException */public SqlParserInfo injectAnalyse(SqlParserInfo sqlParserInfo) throws InjectionAttackException{if(null != sqlParserInfo && injectCheckEnable){/** SQL注入攻击检查 */sqlParserInfo.statement.accept(injectionChecker);sqlParserInfo.simpleNode.jjtAccept(injectionVisitor, null);             }return sqlParserInfo;}
}

InjectionSyntaxObjectAnalyzer

InjectionSyntaxObjectAnalyzer 为基于SQL语法对象的SQL注入攻击分析实现
TablesNamesFinder是jsqlparser提供的一个语法元素遍历对象，继承这个对象可以实现对需要的语法元素的访问，当遇到有注入攻击危险的表达式，语句时抛出InjectionAttackException异常，就是这个类做的工作


import net.sf.jsqlparser.expression.BinaryExpression;
import net.sf.jsqlparser.expression.Expression;
import net.sf.jsqlparser.expression.Function;
import net.sf.jsqlparser.expression.operators.conditional.AndExpression;
import net.sf.jsqlparser.expression.operators.conditional.OrExpression;
import net.sf.jsqlparser.expression.operators.relational.ComparisonOperator;
import net.sf.jsqlparser.schema.Column;
import net.sf.jsqlparser.statement.select.Join;
import net.sf.jsqlparser.statement.select.OrderByElement;
import net.sf.jsqlparser.statement.select.PlainSelect;
import net.sf.jsqlparser.statement.select.SelectItem;
import net.sf.jsqlparser.statement.select.SubSelect;
import net.sf.jsqlparser.statement.select.WithItem;
import net.sf.jsqlparser.util.TablesNamesFinder;/*** 基于SQL语法对象的SQL注入攻击分析实现* @author guyadong**/
public class InjectionSyntaxObjectAnalyzer  extends TablesNamesFinder{/** 危险函数名 */private static final String DANGROUS_FUNCTIONS = "(sleep|benchmark|extractvalue|updatexml|ST_LatFromGeoHash|ST_LongFromGeoHash|GTID_SUBSET|GTID_SUBTRACT|floor|ST_Pointfromgeohash"+ "|geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)";private static ThreadLocal<Boolean> disableSubselect = new ThreadLocal<Boolean>(){@Overrideprotected Boolean initialValue() {return true;}};private ConstAnalyzer constAnalyzer = new ConstAnalyzer();public InjectionSyntaxObjectAnalyzer() {super();init(true);}@Overridepublic void visitBinaryExpression(BinaryExpression binaryExpression) {if(binaryExpression instanceof ComparisonOperator){if(isConst(binaryExpression.getLeftExpression()) && isConst(binaryExpression.getRightExpression())){/** 禁用恒等式 */throw new InjectionAttackException("DISABLE IDENTICAL EQUATION " + binaryExpression);}}super.visitBinaryExpression(binaryExpression);}@Overridepublic void visit(AndExpression andExpression) {super.visit(andExpression);checkConstExpress(andExpression.getLeftExpression());checkConstExpress(andExpression.getRightExpression());}@Overridepublic void visit(OrExpression orExpression) {super.visit(orExpression);checkConstExpress(orExpression.getLeftExpression());checkConstExpress(orExpression.getRightExpression());}@Overridepublic void visit(Function function) {if(function.getName().matches(DANGROUS_FUNCTIONS)){/** 禁用危险函数 */throw new InjectionAttackException("DANGROUS FUNCTION: "+function.getName());}super.visit(function);}@Overridepublic void visit(WithItem withItem) {try {/** 允许 WITH 语句中的子查询 */disableSubselect.set(false);super.visit(withItem);} finally {disableSubselect.set(true);}}@Overridepublic void visit(SubSelect subSelect) {if(disableSubselect.get()){// 禁用子查询throw new InjectionAttackException("DISABLE subselect " + subSelect);}}@Overridepublic void visit(Column tableColumn) {if(ParserSupport.isBoolean(tableColumn)){throw new InjectionAttackException("DISABLE CONST BOOL " + tableColumn);}super.visit(tableColumn);}@Overridepublic void visit(PlainSelect plainSelect) {if (plainSelect.getSelectItems() != null) {for (SelectItem item : plainSelect.getSelectItems()) {item.accept(this);}}if (plainSelect.getFromItem() != null) {plainSelect.getFromItem().accept(this);}if (plainSelect.getJoins() != null) {for (Join join : plainSelect.getJoins()) {join.getRightItem().accept(this);for(Expression e:join.getOnExpressions()){e.accept(this);}}}if (plainSelect.getWhere() != null) {plainSelect.getWhere().accept(this);checkConstExpress(plainSelect.getWhere());}if (plainSelect.getHaving() != null) {plainSelect.getHaving().accept(this);}if (plainSelect.getOracleHierarchical() != null) {plainSelect.getOracleHierarchical().accept(this);}if(plainSelect.getOrderByElements() != null){for( OrderByElement orderByElement : plainSelect.getOrderByElements()){orderByElement.getExpression().accept(this);}}if(plainSelect.getGroupBy() != null){for(Expression expression : plainSelect.getGroupBy().getGroupByExpressionList().getExpressions()){expression.accept(this);}}}private boolean isConst(Expression expression){return constAnalyzer.isConstExpression(expression);}private void checkConstExpress(Expression expression){if(constAnalyzer.isConstExpression(expression)){/** 禁用常量表达式 */throw new InjectionAttackException("DISABLE CONST EXPRESSION " + expression);}}
}

InjectionAstNodeVisitor

InjectionAstNodeVisitor 为基于抽象语法树(AST)的注入攻击分析实现
这部分代码很少，实现禁用用UNION语句

import net.sf.jsqlparser.parser.CCJSqlParserDefaultVisitor;
import net.sf.jsqlparser.parser.SimpleNode;
import net.sf.jsqlparser.statement.select.UnionOp;/*** 基于抽象语法树(AST)的注入攻击分析实现* @author guyadong**/
public class InjectionAstNodeVisitor extends CCJSqlParserDefaultVisitor{public InjectionAstNodeVisitor() {}@Overridepublic Object visit(SimpleNode node, Object data) {Object value = node.jjtGetValue();if(value instanceof UnionOp){throw new InjectionAttackException("DISABLE UNION");}return super.visit(node, data);}
}

单元测试

InjectAttackCheckerTest SQL注入攻击检查测试

import static org.junit.Assert.*;import org.junit.BeforeClass;
import org.junit.Test;import gu.sql2java.parser.InjectionAttackException;
import gu.sql2java.parser.ParserSupport;
import gu.sql2java.parser.SqlInjectionAnalyzer;
import gu.sql2java.parser.ParserSupport.SqlParserInfo;
import net.sf.jsqlparser.JSQLParserException;import static gu.sql2java.SimpleLog.log;/*** SQL注入攻击检查测试* @author guyadong**/
public class InjectAttackCheckerTest {private static SqlInjectionAnalyzer analyser;@BeforeClasspublic static void setUpBeforeClass() throws Exception {analyser= new SqlInjectionAnalyzer();}private boolean injectAnalyse(String sql) throws JSQLParserException{SqlParserInfo sqlParserInfo = ParserSupport.parse0(sql, null);try {analyser.injectAnalyse(sqlParserInfo);return true;} catch (InjectionAttackException e) {log("{}",e.getMessage());//log(e);return false;}}@Testpublic void test() throws JSQLParserException {assertFalse(injectAnalyse("select * from dc_device where id in (select id from other)"));assertFalse(injectAnalyse("select * from dc_device where 2=2.0 or 2 != 4"));assertFalse(injectAnalyse("select * from dc_device where 1!=2.0"));assertFalse(injectAnalyse("select * from dc_device where id=floor(2.0)"));assertFalse(injectAnalyse("select * from dc_device where not true"));assertFalse(injectAnalyse("select * from dc_device where 1 or id > 0"));assertFalse(injectAnalyse("select * from dc_device where 'tom' or id > 0"));assertFalse(injectAnalyse("select * from dc_device where '-2.3' "));assertFalse(injectAnalyse("select * from dc_device where 2 "));assertFalse(injectAnalyse("select * from dc_device where (3+2) "));assertFalse(injectAnalyse("select * from dc_device where  -1 IS TRUE"));assertFalse(injectAnalyse("select * from dc_device where 'hello' is null "));assertFalse(injectAnalyse("select * from dc_device where '2022-10-31' and id > 0"));assertFalse(injectAnalyse("select * from dc_device where id > 0 or 1!=2.0 "));assertFalse(injectAnalyse("select * from dc_device where id > 0 or 1 in (1,3,4) "));assertFalse(injectAnalyse("select * from dc_device  UNION select name from other"));assertTrue(injectAnalyse("WITH SUB1 AS (SELECT user FROM t1) SELECT * FROM T2 WHERE id > 123 "));}}

完整代码参见码云仓库：
https://gitee.com/l0km/sql2java/tree/dev/sql2java-manager/src/main/java/gu/sql2java/parser