dromara / lamp-cloud

lamp-cloud supports JDK 21, JDK 17, JDK 11 and JDK 8. It is a microservice back-office rapid development platform built on Spring Cloud + Spring Boot, focused on multi-tenant (SaaS architecture) solutions, and it can also be used as the base development framework for ordinary (non-SaaS) projects. It currently implements pluggable tenant isolation schemes: database isolation, SCHEMA isolation and column isolation.
http://tangyh.top
Apache License 2.0
5.5k stars, 1.68k forks

[security vulnerability]SQL injection #337

Closed GatekeeperBuster closed 2 months ago

GatekeeperBuster commented 6 months ago

Recently, our team has identified a security vulnerability within the latest version of the project that has led to the occurrence of SQL injection issues, which could potentially result in a significant risk of information disclosure.

The vulnerability entry is located in src/main/java/top/tangyh/lamp/authority/controller/auth/UserController.java#355.

The developer, when operating the SQL statement through the method src/main/java/top/tangyh/lamp/authority/dao/auth/UserMapper.findPage(), passes the input wrapper parameter to ew (Easy Wrapper or similar), and then directly concatenates it to the SQL statement via ew.customSqlSegment in the form of "FROM c_user s ${ew.customSqlSegment}". This means that an attacker can control the wrapper parameter to achieve an SQL injection attack.
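The defensive pattern for this class of bug, as an added example that is not lamp-cloud's own code: the wrapper is constructed server-side, the column names it may reference come from a fixed allowlist, and only the search value reaches MyBatis-Plus, which binds it as a parameter. `UserEntity`, `SafeUserQuery`, the column map and the `c_user` columns named in it are assumptions for illustration; only `QueryWrapper` and `getCustomSqlSegment()` are real MyBatis-Plus API.

```java
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import java.util.Map;

// Hypothetical entity standing in for the project's user entity (assumption).
class UserEntity {
    private Long id;
    private String account;
    private String name;
    private String email;
}

public class SafeUserQuery {
    // Allowlist (constructed): request-side field names -> real c_user columns.
    // Anything not in this map, e.g. a sensitive column, is rejected outright.
    private static final Map<String, String> COLUMNS = Map.of(
            "account", "account",
            "name", "name",
            "email", "email");

    // Resolve an untrusted field name to a known column, or fail closed.
    static String resolveColumn(String requested) {
        String column = COLUMNS.get(requested);
        if (column == null) {
            throw new IllegalArgumentException("unknown field: " + requested);
        }
        return column;
    }

    // Build the wrapper here rather than accepting one from the client.
    // Column names can only be allowlisted literals; the value is bound by
    // MyBatis-Plus as #{ew.paramNameValuePairs...}, so the text that ends up in
    // ${ew.customSqlSegment} never contains caller-supplied SQL.
    static QueryWrapper<UserEntity> build(String field, String value, String sortField) {
        QueryWrapper<UserEntity> qw = new QueryWrapper<>();
        qw.like(resolveColumn(field), value);
        qw.orderByAsc(resolveColumn(sortField));
        return qw;
    }

    public static void main(String[] args) {
        // Accepted: both column names are in the allowlist, value is parameterised.
        QueryWrapper<UserEntity> ok = build("account", "admin", "name");
        System.out.println(ok.getCustomSqlSegment());

        // Rejected: a field that is not exposed for searching never reaches the SQL.
        try {
            build("password", "x", "name");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The printed segment shows the value as a `#{...}` placeholder rather than inline text, which is the property the original `${ew.customSqlSegment}` usage loses once the client controls the wrapper.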