mybatis-3
mybatis-3 copied to clipboard
mybatis
add a tag like #{} ${} reopen! i have a new idea!
Hi! i am a web security engineer. With my communicate, my colleagues accepted use #{} is safe. If don't check code very carefully, useing ${} wil be create a sql injection Also i add some rules into sonarqube to check xml can't have ${} But ordey by and group by must use ${} So I thinging if mybatis can add a tag , something like @{} !{} In this new tag,Mybatis can prevent "sql injection char" likes ' " , * ( ) { } @ nine chars Or In this new tag only accept letters and char _ regex: [a-zA-Z_] So #{} and new tag canbe safe. Only some situation coder will useing ${}. Thx.
Hello @k4n5ha0 ,
Filtering characters can never be a good strategy to prevent SQL injection as there are many techniques to circumvent those filters.
The only reliable protection is to use #{}.
For ORDER BY, there usually are several choices, so you may be able to write as follows to avoid ${}.
ORDER BY
<choose>
<when test="orderBy == 1">
id desc
</when>
<when test="orderBy == 2">
date_submitted desc
</when>
...
If your app allows end users to supply arbitrary ORDER BY / GROUP BY clause, your job will be very hard...
Hi!I have a new idea! How about build a safemode like fastjson. url: https://github.com/alibaba/fastjson/wiki/fastjson_safemode
- ParserConfig.getGlobalInstance().setSafeMode(true);
- fastjson.parser.safeMode=true
- -Dfastjson.parser.safeMode=true Three ways to open a safemode.
When Mybatis open this mode, mybatis's $ will throw a Exception. So this mode will prevent Sql Injection! And Forcing programmers use # Thx!
${} is an important feature and I am not comfortable with adding an option to disallow its usage.
It is not that difficult to use ${} safely, so you should educate your programmers instead of banning it.
In case you really have to detect ${}, you may be able to check text nodes in a custom language driver, probably (I do not recommend using it on production for performance reason, though).
hi , one of my friend working in a bank , he tells me this bank is using fortify to check mybatis's xml isnt have ${} .i talked with him , he tells me more about mybatis, some company is using "changed mybatis" to reduce sqlinection Possibility, so i wich this feather will be create.secre by deault. thx.
Hi,i really thinks create A new tag(for example !{})is a good idea,beacause a tag which: use allowrule regex [a-zA-Z0-9_] or use denyrule in tag string can't include ' " < > % ( ) may help programmers reduce sql injection code.
sql injection with like
Select * from news where title like '%${title}%'
can be
Select * from news where title like '%!{title}%'
sql injection with in
Select * from news where id in (${id})
can be
Select * from news where id in (!{id})
sql injection with order by
Select * from news where title = 'time' order by ${time} asc
can be
Select * from news where title = 'time' order by !{time} asc
this new tag can fix sqlinjection very quickly with lower time.
As I wrote in my first comment, filtering characters can never be a good strategy to prevent SQL injection. Trying to filter characters is the opposite of taking the security risk seriously and we will not provide such feature.