Examples of IllegalSQLObjectViolation

com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

                if (context != null) {
                    context.incrementWarnnings();
                }


                if (!provider.getConfig().isLimitZeroAllow()) {
                    this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.LIMIT_ZERO, "limit row 0",
                                                                           this.toSQL(x)));
                }
            }
        }
        return true;

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

            SQLVariantRefExpr varExpr = (SQLVariantRefExpr) x.getOwner();
            SQLObject parent = x.getParent();
            String varName = varExpr.getName();
            if (varName.equalsIgnoreCase("@@session") || varName.equalsIgnoreCase("@@global")) {
                if (!(parent instanceof SQLSelectItem) && !(parent instanceof SQLAssignItem)) {
                    violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY,
                                                                 "variable in condition not allow", toSQL(x)));
                    return false;
                }


                if (!checkVar(x.getParent(), x.getName())) {
                    boolean isTop = WallVisitorUtils.isTopNoneFromSelect(this, x);
                    if (!isTop) {
                        boolean allow = true;
                        if (WallVisitorUtils.isWhereOrHaving(x) && isDeny(varName)) {
                            allow = false;
                        }


                        if (!allow) {
                            violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY,
                                                                         "variable not allow : " + x.getName(),
                                                                         toSQL(x)));
                        }
                    }
                }

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

                if (WallVisitorUtils.isWhereOrHaving(x) && isDeny(varName)) {
                    allow = false;
                }


                if (!allow) {
                    violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : "
                                                                                         + x.getName(), toSQL(x)));
                }
            }
        }

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

    }


    @Override
    public boolean visit(MySqlOutFileExpr x) {
        if (!config.isSelectIntoOutfileAllow()) {
            violations.add(new IllegalSQLObjectViolation(ErrorCode.INTO_OUTFILE, "into out file not allow", toSQL(x)));
        }


        return true;
    }

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

        if (text.length() == 0) {
            return true;
        }


        if (Character.isDigit(text.charAt(0))) {
            addViolation(new IllegalSQLObjectViolation(ErrorCode.EVIL_HINTS, "evil hints", SQLUtils.toMySqlString(x)));
        }


        text = text.toLowerCase();


        for (int i = 0; i < text.length(); ++i) {
            char ch = text.charAt(i);
            switch (ch) {
                case ';':
                case '>':
                case '=':
                case '<':
                case '&':
                case '|':
                case '^':
                case '\n':
                    addViolation(new IllegalSQLObjectViolation(ErrorCode.EVIL_HINTS, "evil hints",
                                                               SQLUtils.toMySqlString(x)));
                default:
                    break;
            }
        }


        if (text.indexOf("or") != -1 //
            || text.indexOf("and") != -1 //
            || text.indexOf("union") != -1 //


            || text.indexOf("select") != -1 //
            || text.indexOf("delete") != -1 //
            || text.indexOf("insert") != -1 //
            || text.indexOf("update") != -1 //
            || text.indexOf("into") != -1 //


            || text.indexOf("create") != -1 //
            || text.indexOf("drop") != -1 //
            || text.indexOf("alter") != -1 //
            || text.indexOf("truncate") != -1 //


            || text.indexOf("information_schema") != -1 //
            || text.indexOf("mysql") != -1 //
            || text.indexOf("performance_schema") != -1 //


            || text.indexOf("sleep") != -1 //
            || text.indexOf("benchmark") != -1 //
            || text.indexOf("load_file") != -1 //
        ) {
            addViolation(new IllegalSQLObjectViolation(ErrorCode.EVIL_HINTS, "evil hints", SQLUtils.toMySqlString(x)));
        }


        return true;
    }

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

    }


    @Override
    public boolean visit(SQLSelectStatement x) {
        if (!config.isSelelctAllow()) {
            this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.SELECT_NOT_ALLOW, "selelct not allow",
                                                                   this.toSQL(x)));
            return false;
        }
        WallVisitorUtils.initWallTopStatementContext();

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

            if (WallVisitorUtils.isWhereOrHaving(x) && isDeny(varName)) {
                allow = false;
            }


            if (!allow) {
                violations.add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : "
                                                                                     + x.getName(), toSQL(x)));
            }
        }


        return false;

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

    }


    @Override
    public boolean visit(SQLServerObjectReferenceExpr x) {
        if (x.getSchema() != null && !provider.checkDenySchema(x.getSchema())) {
            this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.SCHEMA_DENY, "schema not allow : "
                                                                                          + x.getSchema(),
                                                                   this.toSQL(x)));
        }
        if (x.getDatabase() != null && !provider.checkDenySchema(x.getDatabase())) {
            this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.SCHEMA_DENY, "schema not allow : "
                                                                                          + x.getDatabase(),
                                                                   this.toSQL(x)));
        }
        return true;
    }

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation


    public boolean visit(SQLIdentifierExpr x) {
        String name = x.getName();
        name = WallVisitorUtils.form(name);
        if (config.isVariantCheck() && config.getDenyVariants().contains(name)) {
            getViolations().add(new IllegalSQLObjectViolation(ErrorCode.VARIANT_DENY, "variable not allow : " + name,
                                                              toSQL(x)));
        }
        return true;
    }

View Full Code Here

Examples of com.alibaba.druid.wall.violation.IllegalSQLObjectViolation

    }


    @Override
    public boolean visit(SQLSelectStatement x) {
        if (!config.isSelelctAllow()) {
            this.getViolations().add(new IllegalSQLObjectViolation(ErrorCode.SELECT_NOT_ALLOW, "selelct not allow",
                                                                   this.toSQL(x)));
            return false;
        }


        WallVisitorUtils.initWallTopStatementContext();

View Full Code Here

0 1 2 3 4 5

TOP

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.