Hello, I found a SQL injection vulnerability in this project with CodeQL (open-sourced by GitHub), using a QL script I wrote. Here are the details.
src/main/java/com/mysiteforme/admin/controller/system/TableController.java:393:
    public RestResponse delete(@RequestParam(value = "tableName", required = false) String tableName) {
        if (StringUtils.isBlank(tableName)) {
            return RestResponse.failure("数据表名称不能为空");
        }
        if (tableName.contains("sys_")) {
            return RestResponse.failure("不能删除系统表");
        }
        // tableName comes straight from the request parameter
        tableService.dropTable(tableName);
        return RestResponse.success();
    }

    @Override
    public void dropTable(String tableName) {
        tableDao.dropTable(tableName);
        dictService.deleteByTableName(tableName);
    }
The service calls tableDao.dropTable(tableName); following that call leads to this MyBatis SQL statement:
    <update id="dropTable" parameterType="java.lang.String">
        drop table ${tableName}
    </update>
MyBatis substitutes ${tableName} into the statement as a raw string (unlike #{}, which binds a parameter), so the user-supplied tableName is concatenated directly into the SQL. A user can therefore submit an additional SQL fragment that changes the original statement or performs other malicious actions. This is a standard SQL injection vulnerability.
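Since a table name in DDL cannot be bound with #{}, the fix has to validate the identifier before it reaches the ${} interpolation. The following is an added illustration written for this report, not code from mysiteforme; the class name, method names and the JDBC connection are hypothetical, and the information_schema lookup assumes MySQL.

```java
// Added example (not project code): a hardened dropTable path for the
// ${tableName} interpolation reported above. Assumes a MySQL JDBC connection.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class SafeTableDrop {
    // Plain MySQL identifier: letters, digits, underscore, at most 64 chars.
    // Anything else (spaces, ';', quotes, backticks, comments) is rejected.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    // Syntactic check; a substring blocklist like contains("sys_") does not
    // constrain the shape of the value, this regex does.
    public static boolean isSafeTableName(String name) {
        return name != null
            && IDENT.matcher(name).matches()
            && !name.toLowerCase().startsWith("sys_");
    }

    // Semantic allowlist: the name must be an existing table in the current
    // schema. The lookup itself uses a bound parameter, never interpolation.
    public static boolean tableExists(Connection c, String name) throws SQLException {
        String q = "SELECT 1 FROM information_schema.tables "
                 + "WHERE table_schema = DATABASE() AND table_name = ?";
        try (PreparedStatement ps = c.prepareStatement(q)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // The name is interpolated only after both checks passed, and it is
    // backtick-quoted so it is always parsed as a single identifier.
    public static void dropTable(Connection c, String name) throws SQLException {
        if (!isSafeTableName(name) || !tableExists(c, name)) {
            throw new IllegalArgumentException("refusing to drop table: " + name);
        }
        try (Statement st = c.createStatement()) {
            st.executeUpdate("DROP TABLE `" + name + "`");
        }
    }
}
```

With MyBatis the mapper can keep `drop table ${tableName}` as long as the service applies the same two checks before calling tableDao.dropTable.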
This project is good enough to have gained many stars. Looking forward to your patch, thanks.