"#{variable}"
Spring 表达式语言 SpEL 值是否可以免受 SQL 注入(inject)攻击?例如:
```java
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.annotations.Update;

@Mapper
public interface UrlInfoMapper {
    public static final String SELECT_BY_ID = "select * from url WHERE ID=#{ID}";
    public static final String DELETE_BY_ID = "DELETE FROM url WHERE ID=#{ID}";

    @Select(SELECT_BY_ID)
    UrlInfo getFromUrlById(String ID);

    @Update(DELETE_BY_ID)
    void delete(@Param("ID") String ID);
}
```
I checked the reference documentation but found no mention of substituted values being escaped for SQL characters such as quotes:
https://docs.spring.io/spring/docs/4.3.17.RELEASE/spring-framework-reference/htmlsingle/#expressions
I could not find any mention online of SpEL and SQL injection (only for JPA, which this project does not use):
https://duckduckgo.com/?q=spel+sql+injection&ia=qa
This paper discusses SpEL vulnerabilities in views, but not in the database:
https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Spring Core 2.6.1, Spring Boot 1.5.6, Spring Expression 4.3.10.
Best answer

I believe they are.
```java
import static org.junit.Assert.assertNull;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class MockTest {

    @Autowired
    private UserMapper userMapper;

    @Test
    public void sqlInjections() throws Exception {
        // A classic probe: if the value were spliced into the SQL text, the quote
        // would close the literal and "--" would comment out the rest of the query.
        User user = userMapper.getUser("admin'--");
        assertNull(user);
    }
}
```
```java
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Result;
import org.apache.ibatis.annotations.Results;
import org.apache.ibatis.annotations.Select;

@Mapper
public interface UserMapper {

    @Select("select * from user WHERE name =#{name}")
    @Results(value = {
        @Result(property = "name", column = "name"),
        @Result(property = "password", column = "password"),
        @Result(property = "encrypted", column = "encrypted"),
        @Result(property = "permission", column = "permission")
    })
    User getUser(@Param("name") String name);
}
```
and

```
mvn test
Tests run: 5, Failures: 0, Errors: 0, Skipped: 0
```
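As an added example (not code from the question or the answer) of what the test above demonstrates: the `@Mapper`/`@Select`/`@Param` annotations are MyBatis, and a `#{name}` placeholder is sent to the driver as a bound PreparedStatement parameter, whereas `${name}` would splice the value into the SQL text. The JDBC program below contrasts the two mechanisms using the answer's probe value `admin'--`; it assumes an in-memory H2 database on the classpath and constructs its own sample table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example; not from the question or the answer. Assumes the H2 JDBC driver
// is on the classpath; the table and row below are constructed sample data.
public class BindingVsConcatenation {

    // What MyBatis does for "#{name}": the SQL text carries a "?" placeholder and
    // the value is bound separately, so quotes inside it are data, not SQL syntax.
    static int lookupBound(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("select * from user_tbl where name = ?")) {
            ps.setString(1, name);
            return countRows(ps.executeQuery());
        }
    }

    // What "${name}" (string substitution) does: the value becomes part of the SQL
    // text, so a quote in it closes the literal and "--" comments out the remainder.
    static int lookupConcatenated(Connection c, String name) throws SQLException {
        try (Statement st = c.createStatement()) {
            return countRows(st.executeQuery("select * from user_tbl where name = '" + name + "'"));
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) n++;
        return n;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                // "user_tbl" rather than "user", which is reserved in recent H2 versions
                st.execute("create table user_tbl(name varchar(64), password varchar(64))");
                st.execute("insert into user_tbl values ('admin', 'secret')"); // constructed sample row
            }
            String probe = "admin'--"; // same probe value as the answer's test
            System.out.println("bound:        " + lookupBound(c, probe));
            System.out.println("concatenated: " + lookupConcatenated(c, probe));
        }
    }
}
```

With binding, only a user literally named `admin'--` could match; with concatenation, the comment swallows the closing quote and the lookup degenerates to `name = 'admin'`, which is exactly the difference the answer's test is checking for.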
For the Java question "Are Spring SpEL queries safe from SQL injection?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50264421/