
!251 修复sql注入检测不准确的问题
Merge pull request !251 from uyong/3.0

青苗 преди 2 години
родител
ревизия
4ed4d2a3c6

+ 1 - 1
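--- a/mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtils.java
+++ b/mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtils.java
@@ -29,7 +29,7 @@ public class SqlInjectionUtils {
      * SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配
      */
     private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" +
-        ".+(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)", Pattern.CASE_INSENSITIVE);
+        "\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)", Pattern.CASE_INSENSITIVE);
     /**
      * 使用'、;或注释截断SQL检查正则
      */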
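Review bot: The new `\\s+.*` on the `+` line still cannot span a line break, because `Pattern.CASE_INSENSITIVE` is the only flag and `.` excludes line terminators unless `Pattern.DOTALL` is set, so two keywords separated by a newline are accepted by `\\s+` but then never reached by `.*`; the old `.+` had the same limitation, so the commit does not address it. Compiling with `Pattern.CASE_INSENSITIVE | Pattern.DOTALL` closes that gap without changing any of the single-line cases the commit adds tests for. How the pattern is applied (`find()` versus `matches()`) is outside the hunk, so this is inferred from the pattern alone. The Javadoc above the constant still describes only the two-keyword rule; a line such as `* The second alternative covers select*from with no whitespace around the asterisk` would explain why the pattern now has two branches.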
+ 17 - 0
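--- a/mybatis-plus-core/src/test/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtilsTest.java
+++ b/mybatis-plus-core/src/test/java/com/baomidou/mybatisplus/core/toolkit/sql/SqlInjectionUtilsTest.java
@@ -23,6 +23,23 @@ public class SqlInjectionUtilsTest {
         assertSql(false, "trigger");
         assertSql(true, "and name like '%s123%s'");
         assertSql(false, "convert(name using GBK)");
+
+        // 无空格
+        assertSql(false, "insert_into");
+        assertSql(true, "SELECT aa FROM user");
+        // 无空格
+        assertSql(true, "SELECT*FROM user");
+        // 左空格
+        assertSql(true, "SELECT *FROM user");
+        // 右空格
+        assertSql(true, "SELECT* FROM user");
+        // 左tab
+        assertSql(true, "SELECT                 *FROM user");
+        // 右tab
+        assertSql(true, "SELECT*        FROM user");
+        assertSql(false, "SELECT*FROMuser");
+        // 该字符串里包含 setT or
+        assertSql(false, "databaseType desc,orderNum desc)");
     }
 
     private void assertSql(boolean injection, String sql) {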
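Review bot: The two cases labelled `// 左tab` and `// 右tab` contain runs of spaces rather than a tab character, so the tab handling of `\\s` in the new pattern is never exercised; write them with an escaped tab, `assertSql(true, "SELECT\t*FROM user");` and `assertSql(true, "SELECT*\tFROM user");`. None of the new cases puts a line break between the two keywords, which is the one whitespace form the pattern's `.` does not cover when `DOTALL` is absent, so a case like `assertSql(true, "SELECT aa\nFROM user");` would pin the intended behaviour (it presumably fails against the current pattern if the check uses `find()`). The enclosing test method starts outside the hunk.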