
新增 攻击 SQL 阻断解析器

hubin 7 年 前
99fc199284

+ 12 - 5
mybatis-plus-core/src/main/java/com/baomidou/mybatisplus/core/parser/AbstractJsqlParser.java

@@ -19,7 +19,6 @@ import org.apache.ibatis.logging.Log;
 import org.apache.ibatis.logging.LogFactory;
 import org.apache.ibatis.reflection.MetaObject;
 
-
 import com.baomidou.mybatisplus.core.exceptions.MybatisPlusException;
 
 import net.sf.jsqlparser.JSQLParserException;
@@ -106,16 +105,24 @@ public abstract class AbstractJsqlParser implements ISqlParser {
         return SqlInfo.newInstance().setSql(statement.toString());
     }
 
-    // 新增
+    /**
+     * 新增
+     */
     public abstract void processInsert(Insert insert);
 
-    // 删除
+    /**
+     * 删除
+     */
     public abstract void processDelete(Delete delete);
 
-    // 更新
+    /**
+     * 更新
+     */
     public abstract void processUpdate(Update update);
 
-    // 查询
+    /**
+     * 查询
+     */
     public abstract void processSelectBody(SelectBody selectBody);
 
     /**

+ 1 - 1
mybatis-plus-extension/src/main/java/com/baomidou/mybatisplus/extension/handlers/SqlParserHandler.java → mybatis-plus-extension/src/main/java/com/baomidou/mybatisplus/extension/handlers/AbstractSqlParserHandler.java

@@ -40,7 +40,7 @@ import lombok.experimental.Accessors;
  */
 @Data
 @Accessors(chain = true)
-public abstract class SqlParserHandler {
+public abstract class AbstractSqlParserHandler {
 
     private List<ISqlParser> sqlParserList;
     private ISqlParserFilter sqlParserFilter;

+ 59 - 0
mybatis-plus-extension/src/main/java/com/baomidou/mybatisplus/extension/parsers/BlockAttackSqlParser.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2011-2020, hubin (jobob@qq.com).
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.baomidou.mybatisplus.extension.parsers;
+
+import com.baomidou.mybatisplus.core.exceptions.MybatisPlusException;
+import com.baomidou.mybatisplus.core.parser.AbstractJsqlParser;
+
+import net.sf.jsqlparser.statement.delete.Delete;
+import net.sf.jsqlparser.statement.insert.Insert;
+import net.sf.jsqlparser.statement.select.SelectBody;
+import net.sf.jsqlparser.statement.update.Update;
+
+/**
+ * <p>
+ * 攻击 SQL 阻断解析器
+ * </p>
+ *
+ * @author hubin
+ * @since 2018-07-17
+ */
+public class BlockAttackSqlParser extends AbstractJsqlParser {
+
+    @Override
+    public void processInsert(Insert insert) {
+        // to do nothing
+    }
+
+    @Override
+    public void processDelete(Delete delete) {
+        if (null == delete.getWhere()) {
+            throw new MybatisPlusException("Prohibition of full table deletion");
+        }
+    }
+
+    @Override
+    public void processUpdate(Update update) {
+        if (null == update.getWhere()) {
+            throw new MybatisPlusException("Prohibition of table update operation");
+        }
+    }
+
+    @Override
+    public void processSelectBody(SelectBody selectBody) {
+        // to do nothing
+    }
+}
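Review bot: The guards in processDelete and processUpdate only test `null == delete.getWhere()` / `null == update.getWhere()`, so they reject a statement that carries no WHERE clause at all, not one whose WHERE clause is trivially true; the parser is therefore a safety net against an omitted predicate, not a guarantee that a DELETE or UPDATE is row-restricted. The class Javadoc should state that limit, e.g. `Rejects DELETE and UPDATE statements that have no WHERE clause; the predicate itself is not evaluated, so a tautological WHERE still passes.` The two error messages are also inconsistent ("full table deletion" vs "table update operation"); `throw new MybatisPlusException("Prohibition of full table update");` would match the delete wording. The empty processInsert and processSelectBody bodies would read better with `// inserts are never blocked by this parser` (and the select equivalent) than the placeholder `// to do nothing`.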

+ 2 - 2
mybatis-plus-extension/src/main/java/com/baomidou/mybatisplus/extension/plugins/PaginationInterceptor.java

@@ -48,7 +48,7 @@ import com.baomidou.mybatisplus.core.toolkit.ArrayUtils;
 import com.baomidou.mybatisplus.core.toolkit.PluginUtils;
 import com.baomidou.mybatisplus.core.toolkit.StringUtils;
 import com.baomidou.mybatisplus.core.toolkit.sql.SqlUtils;
-import com.baomidou.mybatisplus.extension.handlers.SqlParserHandler;
+import com.baomidou.mybatisplus.extension.handlers.AbstractSqlParserHandler;
 import com.baomidou.mybatisplus.extension.plugins.pagination.DialectFactory;
 import com.baomidou.mybatisplus.extension.plugins.pagination.PageHelper;
 import com.baomidou.mybatisplus.extension.toolkit.JdbcUtils;
@@ -62,7 +62,7 @@ import com.baomidou.mybatisplus.extension.toolkit.JdbcUtils;
  * @since 2016-01-23
  */
 @Intercepts({@Signature(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class})})
-public class PaginationInterceptor extends SqlParserHandler implements Interceptor {
+public class PaginationInterceptor extends AbstractSqlParserHandler implements Interceptor {
 
     /**
      * COUNT SQL 解析

+ 15 - 4
mybatis-plus-extension/src/main/java/com/baomidou/mybatisplus/extension/plugins/tenant/TenantSqlParser.java

@@ -15,8 +15,11 @@
  */
 package com.baomidou.mybatisplus.extension.plugins.tenant;
 
+import java.util.List;
+
 import com.baomidou.mybatisplus.core.exceptions.MybatisPlusException;
 import com.baomidou.mybatisplus.core.parser.AbstractJsqlParser;
+
 import net.sf.jsqlparser.expression.BinaryExpression;
 import net.sf.jsqlparser.expression.Expression;
 import net.sf.jsqlparser.expression.operators.conditional.AndExpression;
@@ -28,14 +31,22 @@ import net.sf.jsqlparser.schema.Column;
 import net.sf.jsqlparser.schema.Table;
 import net.sf.jsqlparser.statement.delete.Delete;
 import net.sf.jsqlparser.statement.insert.Insert;
-import net.sf.jsqlparser.statement.select.*;
+import net.sf.jsqlparser.statement.select.FromItem;
+import net.sf.jsqlparser.statement.select.Join;
+import net.sf.jsqlparser.statement.select.LateralSubSelect;
+import net.sf.jsqlparser.statement.select.PlainSelect;
+import net.sf.jsqlparser.statement.select.SelectBody;
+import net.sf.jsqlparser.statement.select.SelectExpressionItem;
+import net.sf.jsqlparser.statement.select.SetOperationList;
+import net.sf.jsqlparser.statement.select.SubJoin;
+import net.sf.jsqlparser.statement.select.SubSelect;
+import net.sf.jsqlparser.statement.select.ValuesList;
+import net.sf.jsqlparser.statement.select.WithItem;
 import net.sf.jsqlparser.statement.update.Update;
 
-import java.util.List;
-
 /**
  * <p>
- * 租户 SQL 解析( TenantId 行级 )
+ * 租户 SQL 解析( TenantId 行级 )
  * </p>
  *
  * @author hubin