Merge pull request #2463 from actiontech/issue2448-1

Cherry-Pick From 2.9999.x: Fix the issue of SQL blacklist invalidation in multiple rows of SQL
actiontech · Jun 24, 2024 · af82c33 · af82c33
2 parents e2c9b92 + c22c755
commit af82c33
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/sqle/api/controller/v1/audit_plan_test.go b/sqle/api/controller/v1/audit_plan_test.go
@@ -15,13 +15,19 @@ func TestIsSqlInBlackList(t *testing.T) {
 		}, {
 			FilterContent: "table_1",
 			FilterType:    "SQL",
+		},{
+			FilterContent: "ignored_service",
+			FilterType:    "SQL",
 		},
 	})
 
 	matchSqls := []string{
 		"SELECT * FROM users",
 		"DELETE From tAble_1",
 		"SELECT COUNT(*) FROM table_2",
+		`/* this is a comment, Service: ignored_service */ 
+		select * from table_ignored where id < 123;`,
+		`/* this is a comment, Service: ignored_service */ update * from table_ignored where id < 123;`,
 	}
 	for _, matchSql := range matchSqls {
 		if !filter.IsSqlInBlackList(matchSql) {
@@ -32,6 +38,8 @@ func TestIsSqlInBlackList(t *testing.T) {
 		"INSERT INTO users VALUES (1, 'John')",
 		"DELETE  From schools",
 		"SHOW CREATE TABLE table_2",
+		`/* this is a comment, Service: ignored_
+		service */ update * from table_ignored where id < 123;`,
 	}
 	for _, notMatchSql := range notMatchSqls {
 		if filter.IsSqlInBlackList(notMatchSql) {

diff --git a/sqle/utils/util.go b/sqle/utils/util.go
@@ -318,9 +318,20 @@ func IsPrefixSubStrArray(arr []string, prefix []string) bool {
 	return true
 }
 
-// 全模糊匹配字符串，并且对大小写不敏感
+// 全模糊匹配字符串，对大小写不敏感，匹配多行，且防止正则注入
 func FullFuzzySearchRegexp(str string) *regexp.Regexp {
-	return regexp.MustCompile(`^.*(?i)` + regexp.QuoteMeta(str) + `.*$`)
+	/*
+		1. (?is)是一个正则表达式修饰符,其中：
+			i表示忽略大小写(case-insensitive)
+			s表示开启单行模式，开启后.可以匹配换行符，让整个字符串作为一行
+		2. ^.*匹配字符串的开头,其中：
+			^表示起始位置,
+			.表示匹配任何字符(除了换行符)
+			*表示匹配前面的模式零次或多次
+		3. .*$匹配字符串的结尾,其中：
+			$表示结束位置
+	*/
+	return regexp.MustCompile(`(?is)^.*` + regexp.QuoteMeta(str) + `.*$`)
 }
 
 var ErrUnknownEncoding = errors.New("unknown encoding")

diff --git a/sqle/utils/util_test.go b/sqle/utils/util_test.go
@@ -261,6 +261,13 @@ func TestFullFuzzySearchRegexp(t *testing.T) {
 			".*(?i)",
 			[]string{"GoLang .*(?i) awesome", "I love GO^.*(?i)SING", "GoLangGO.*(?i)Golang"},
 			[]string{"language", "hi", "heyHelloCode", "HElLO", "Sun_hello", "HelLo_Jack"},
+		},{
+			"ignored_service",
+			[]string{`/* this is a comment, Service: ignored_service */
+			select * from table_ignored where id < 123;'
+			`,`/* this is a comment, Service: ignored_service */ select * from table_ignored where id < 123;`},
+			[]string{"any sql","",`/* this is a comment, Service: ignored
+			_service */ select * from table_ignored where id < 123;`},
 		},
 	}