"#{variable}"
Spring表达式语言SpEL值是否可以免受SQL注入攻击?例如:
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.annotations.Update;

@Mapper
public interface UrlInfoMapper {
    public static final String SELECT_BY_ID = "select * from url WHERE ID=#{ID}";
    public static final String DELETE_BY_ID = "DELETE FROM url WHERE ID=#{ID}";

    @Select(SELECT_BY_ID)
    UrlInfo getFromUrlById(@Param("ID") String ID);

    @Update(DELETE_BY_ID)
    void delete(@Param("ID") String ID);
}
I checked the reference, but it says nothing about escaping SQL characters such as quotes in the substituted values.
https://docs.spring.io/spring/docs/4.3.17.RELEASE/spring-framework-reference/htmlsingle/#expressions
I cannot find any mention of SpEL and SQL injection online (only for JPA, which this project does not use).
https://duckduckgo.com/?q=spel+sql+injection&ia=qa
This paper discusses SpEL vulnerabilities in views, but not in the database.
https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Spring Core 2.6.1, Spring Boot 1.5.6, Spring Expression 4.3.10.
Answer 0: (score: 1)
I believe they are.
import static org.junit.Assert.assertNull;

import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Result;
import org.apache.ibatis.annotations.Results;
import org.apache.ibatis.annotations.Select;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class MockTest {
    @Autowired
    private UserMapper userMapper;

    @Test
    public void sqlInjections() throws Exception {
        // "admin'--" is bound as the parameter's literal value, so no row matches
        User user = userMapper.getUser("admin'--");
        assertNull(user);
    }
}

// UserMapper.java
@Mapper
public interface UserMapper {
    @Select("select * from user WHERE name =#{name}")
    @Results(value = {
        @Result(property = "name", column = "name"),
        @Result(property = "password", column = "password"),
        @Result(property = "encrypted", column = "encrypted"),
        @Result(property = "permission", column = "permission")
    })
    User getUser(@Param("name") String name);
}
and
mvn test
Tests run: 5, Failures: 0, Errors: 0, Skipped: 0
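As an added check that is not part of the question or the answer above: the `#{name}` placeholder in these @Select strings is MyBatis parameter syntax, and the program below shows directly what the mapper sends to the driver. It runs a stand-alone MyBatis configuration against an in-memory H2 database with MyBatis statement logging on, feeds the same `admin'--` input through a `#{}` placeholder and, for contrast, through MyBatis `${}` text substitution (the pattern that must never receive untrusted input). The `app_user` table, the `UserMapper` interface and the H2 URL are constructed for this demo; it needs the mybatis and h2 jars on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.datasource.unpooled.UnpooledDataSource;
import org.apache.ibatis.logging.stdout.StdOutImpl;
import org.apache.ibatis.mapping.Environment;
import org.apache.ibatis.session.Configuration;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;

public class ParamBindingCheck {
    // Hypothetical mapper for the demo. #{} is the binding style used in the question;
    // ${} is MyBatis text substitution and is included only to contrast the two.
    public interface UserMapper {
        @Select("select name from app_user WHERE name = #{name}")
        String findByName(@Param("name") String name);

        @Select("select name from app_user WHERE name = '${name}'")
        String findByNameSubstituted(@Param("name") String name);
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory H2 database with one row; "user" is reserved in H2, hence app_user.
        String url = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";
        try (Connection c = DriverManager.getConnection(url, "sa", "");
             Statement s = c.createStatement()) {
            s.execute("CREATE TABLE app_user(name VARCHAR(64) PRIMARY KEY)");
            s.execute("INSERT INTO app_user VALUES ('admin')");
        }
        UnpooledDataSource ds = new UnpooledDataSource("org.h2.Driver", url, "sa", "");
        Configuration cfg = new Configuration(new Environment("demo", new JdbcTransactionFactory(), ds));
        cfg.setLogImpl(StdOutImpl.class); // logs the prepared SQL and the bound parameters separately
        cfg.addMapper(UserMapper.class);

        String hostile = "admin'--"; // the same input the answer's test uses
        try (SqlSession session = new SqlSessionFactoryBuilder().build(cfg).openSession()) {
            UserMapper m = session.getMapper(UserMapper.class);
            System.out.println("#{} legit  : " + m.findByName("admin"));   // admin
            System.out.println("#{} hostile: " + m.findByName(hostile));   // null: the whole string is the bound value
            // With ${} the input becomes part of the SQL text and changes the statement: returns admin
            System.out.println("${} hostile: " + m.findByNameSubstituted(hostile));
        }
    }
}
```

For the `#{}` calls the MyBatis log prints `Preparing: select name from app_user WHERE name = ?` and then `Parameters: admin'--(String)`, which is the evidence that the value travels as a JDBC parameter rather than being spliced into the SQL; the `${}` call logs the altered statement text instead.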