
Is a Java Spring SpEL query safe from SQL injection?

Is a "#{variable}" Spring Expression Language (SpEL) value safe from SQL injection attacks? For example:

import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.annotations.Update;

@Mapper
public interface UrlInfoMapper {
    // The #{ID} placeholder is filled from the method argument at execution time
    public static final String SELECT_BY_ID = "select * from url WHERE ID=#{ID}";
    public static final String DELETE_BY_ID = "DELETE FROM url WHERE ID=#{ID}";

    @Select(SELECT_BY_ID)
    UrlInfo getFromUrlById(String ID);

    @Update(DELETE_BY_ID)
    void delete(@Param("ID") String ID);
}

I checked the reference, but found nothing about values being escaped for SQL characters such as quotes.

https://docs.spring.io/spring/docs/4.3.17.RELEASE/spring-framework-reference/htmlsingle/#expressions

I could not find anything online about SpEL and SQL injection (only about JPA, which this project does not use).

https://duckduckgo.com/?q=spel+sql+injection&ia=qa

This paper discusses SpEL in views, not vulnerabilities in the database layer.

https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

Spring Core 2.6.1, Spring Boot 1.5.6, Spring Expression 4.3.10


1 answer

  1. Answer #1

    I believe so.

    import static org.junit.Assert.assertNull;

    import org.junit.Test;
    import org.junit.runner.RunWith;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
    import org.springframework.boot.test.context.SpringBootTest;
    import org.springframework.test.context.junit4.SpringRunner;

    @RunWith(SpringRunner.class)
    @SpringBootTest
    @AutoConfigureMockMvc
    public class MockTest {

        @Autowired
        private UserMapper userMapper;

        @Test
        public void sqlInjections() throws Exception {
            // A name containing a quote: with #{} it is bound as a parameter, not spliced into the SQL
            User user = userMapper.getUser("admin' ");
            assertNull(user);
        }
    }
    
    
    import org.apache.ibatis.annotations.Mapper;
    import org.apache.ibatis.annotations.Param;
    import org.apache.ibatis.annotations.Result;
    import org.apache.ibatis.annotations.Results;
    import org.apache.ibatis.annotations.Select;

    @Mapper
    public interface UserMapper {

        @Select("select * from user WHERE name =#{name}")
        @Results(value = {
                 @Result(property = "name", column = "name"),
                 @Result(property = "password", column = "password"),
                 @Result(property = "encrypted", column = "encrypted"),
                 @Result(property = "permission", column = "permission")
               })
        User getUser(@Param("name") String name);
    }
    

    mvn test
    
    Tests run: 5, Failures: 0, Errors: 0, Skipped: 0
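To see why the test above passes, here is an added example (not part of the question or the answer) that asks MyBatis itself what SQL it builds for the `#{name}` placeholder, which is MyBatis parameter syntax, and for its text-substitution counterpart `${name}`, using the same "admin' " value as the answer's test. It assumes only the mybatis jar on the classpath; the two mapper interfaces and the class name are hypothetical, and no database is touched.

```java
import java.util.Collections;
import java.util.Map;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.mapping.MappedStatement;
import org.apache.ibatis.session.Configuration;

// Asks MyBatis for the SQL text it would hand to JDBC for a mapper method,
// without any database: the statement is built but never executed.
public class PlaceholderInspection {

    // Hypothetical mappers for this example: the same query with #{} and with ${}.
    public interface ParamMapper {
        @Select("select * from user WHERE name = #{name}")
        Object getUser(@Param("name") String name);
    }

    public interface SubstitutionMapper {
        @Select("select * from user WHERE name = '${name}'")
        Object getUser(@Param("name") String name);
    }

    // Builds the statement for <mapper>.getUser with the given name and returns its SQL text.
    public static String builtSql(Class<?> mapper, String name) {
        Configuration config = new Configuration();
        config.addMapper(mapper);
        MappedStatement ms = config.getMappedStatement(mapper.getName() + ".getUser");
        // @Param-annotated arguments reach the statement as a name -> value map.
        Map<String, String> params = Collections.singletonMap("name", name);
        BoundSql bound = ms.getBoundSql(params);
        return bound.getSql();
    }

    public static void main(String[] args) {
        String input = "admin' ";   // constructed sample input, same as the answer's test

        // #{}: the SQL keeps a '?' placeholder; the value is bound by the JDBC driver
        // as data, so the quote cannot change the structure of the statement.
        System.out.println("#{} -> " + builtSql(ParamMapper.class, input));

        // ${}: plain text substitution, so the value, quote included, lands inside the SQL.
        System.out.println("${} -> " + builtSql(SubstitutionMapper.class, input));
    }
}
```

The first line printed still contains the `?` placeholder, while the second shows the quote embedded in the query text; auditing mapper annotations and XML for `${` is therefore the quick check for the unsafe form.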