Fix the issue of SQL blacklist invalidation in multiple rows of SQL #2449

merged 3 commits into from
Jun 6, 2024
8 changes: 8 additions & 0 deletions sqle/api/controller/v1/audit_plan_test.go
Expand Up @@ -15,13 +15,19 @@ func TestIsSqlInBlackList(t *testing.T) {
}, {
FilterContent: "table_1",
FilterType: "SQL",
},{
FilterContent: "ignored_service",
FilterType: "SQL",
},
})

matchSqls := []string{
"SELECT * FROM users",
"DELETE From tAble_1",
"SELECT COUNT(*) FROM table_2",
`/* this is a comment, Service: ignored_service */
select * from table_ignored where id < 123;`,
`/* this is a comment, Service: ignored_service */ update * from table_ignored where id < 123;`,
}
for _, matchSql := range matchSqls {
if !filter.IsSqlInBlackList(matchSql) {
Expand All @@ -32,6 +38,8 @@ func TestIsSqlInBlackList(t *testing.T) {
"INSERT INTO users VALUES (1, 'John')",
"DELETE From schools",
"SHOW CREATE TABLE table_2",
`/* this is a comment, Service: ignored_
service */ update * from table_ignored where id < 123;`,
}
for _, notMatchSql := range notMatchSqls {
if filter.IsSqlInBlackList(notMatchSql) {
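Review bot: The new blacklist entry opens with `},{` while the neighbouring entry on the line above uses `}, {`; gofmt would rewrite it to `}, {`, so the added line is not format-clean (the same spelling appears in the new case in sqle/utils/util_test.go). Also, `update * from table_ignored where id < 123;` in both the match and not-match lists is not valid SQL; IsSqlInBlackList appears to match on text only, so the assertions are unaffected, but a plausible statement such as `update table_ignored set id = 0 where id < 123;` (a constructed sample) would avoid implying the audit parser accepts that form. The not-match case that splits `ignored_service` across a newline is a useful guard that the multi-line change does not over-match. TestIsSqlInBlackList starts before and ends after the shown hunks.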
15 changes: 13 additions & 2 deletions sqle/utils/util.go
Expand Up @@ -317,9 +317,20 @@ func IsPrefixSubStrArray(arr []string, prefix []string) bool {
return true
}

// 全模糊匹配字符串,并且对大小写不敏感
// 全模糊匹配字符串,对大小写不敏感,匹配多行,且防止正则注入
func FullFuzzySearchRegexp(str string) *regexp.Regexp {
return regexp.MustCompile(`^.*(?i)` + regexp.QuoteMeta(str) + `.*$`)
/*
1. (?is)是一个正则表达式修饰符,其中:
i表示忽略大小写(case-insensitive)
s表示开启单行模式,开启后.可以匹配换行符,让整个字符串作为一行
2. ^.*匹配字符串的开头,其中:
^表示起始位置,
.表示匹配任何字符(除了换行符)
*表示匹配前面的模式零次或多次
3. .*$匹配字符串的结尾,其中:
$表示结束位置
*/
return regexp.MustCompile(`(?is)^.*` + regexp.QuoteMeta(str) + `.*$`)
}

var ErrUnknownEncoding = errors.New("unknown encoding")
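Review bot: The explanatory comment added inside FullFuzzySearchRegexp contradicts itself: the line describing `.` says it matches any character except a newline, but the `s` flag enabled two lines earlier makes `.` match newlines, which is the point of the change; I would reword that line to `.表示匹配任何字符(因开启s模式,包括换行符)`. Separately, with `(?s)` the `^.*` and `.*$` wrappers add nothing to a MatchString-style check — the pattern succeeds iff the quoted needle occurs anywhere — so compiling just the `(?i)` flag followed by regexp.QuoteMeta(str) is equivalent and avoids scanning the whole input on both sides of the needle, provided no caller relies on Find* returning the entire input (the callers are not visible here). regexp.QuoteMeta remains the right defence against pattern injection from blacklist content, and because the pattern is always well-formed the MustCompile panic cannot be reached from filter input.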
7 changes: 7 additions & 0 deletions sqle/utils/util_test.go
Expand Up @@ -259,6 +259,13 @@ func TestFullFuzzySearchRegexp(t *testing.T) {
".*(?i)",
[]string{"GoLang .*(?i) awesome", "I love GO^.*(?i)SING", "GoLangGO.*(?i)Golang"},
[]string{"language", "hi", "heyHelloCode", "HElLO", "Sun_hello", "HelLo_Jack"},
},{
"ignored_service",
[]string{`/* this is a comment, Service: ignored_service */
select * from table_ignored where id < 123;'
`,`/* this is a comment, Service: ignored_service */ select * from table_ignored where id < 123;`},
[]string{"any sql","",`/* this is a comment, Service: ignored
_service */ select * from table_ignored where id < 123;`},
},
}
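Review bot: The first expected-match string ends its SQL line with `123;'` — the trailing `'` looks like a typo rather than part of the case; it still matches because `ignored_service` sits in the comment, but it should be dropped so the sample reads as the statement it is meant to represent. The `},{` and `"any sql",""` spellings are not gofmt-clean and would become `}, {` and `"any sql", ""`. The not-match sample that breaks `ignored_service` across a newline is a good regression guard for the `(?s)` change. The test table and the loop that consumes it continue outside the hunk.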
