解决使用MyBatis处理含有$的变量时报IllegalArgumentException Illegal group reference
现象
在一个GET请求中,输入参数包含$符号,然后后台报错。
复现
curl 'http://localhost:9999/xxxx/drivers?page=1&size=20&realname=$' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Accept-Language: zh,en;q=0.9,ja;q=0.8,zh-TW;q=0.7,fr;q=0.6,zh-CN;q=0.5' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36' \
-H 'Accept: application/json, text/plain, */*' \
-H 'userId: 453' \
-H 'Connection: keep-alive' \
-H 'token: 1e6966ec2fafdbbd53ef53124cc3e5ae' \
--compressed
报错截图
原因
这个现象与mybatis无关,因为mybatis对$符号的操作主要集中在GenericTokenParser.java中,而这些操作都是以\${出现,因此可以认为mybatis不处理单独的$符号。如下:
在interceptor中,有一段打印将要执行的sql语句相关信息,根据调试结果,锁定了这个方法出问题所在,如下:
Object obj = boundSql.getAdditionalParameter(propertyName);
sql = sql.replaceFirst("\\?", getParameterValue(obj));
因此问题转化成了下面的问题:
// 有问题的语句
String sql = "er WHERE realname like ? AND deleted = ?";
sql = sql.replaceFirst("\\?", "\\%$%");
System.out.println(sql);
// 修改
sql = sql.replaceFirst("\\?", Matcher.quoteReplacement("\\%$%"));
$在replaceFirst(String regex, String replacement)中的使用
网上关于这个方法的使用,普遍停留在regex,对replacement的解释少之又少,基本上没有。因为$符号在replacement中导致操作报错,因此,这个$肯定是有某种特殊的意义的。打开源代码,一直跟踪到抛出错误的地方。代码如下:
/**
* Processes replacement string to replace group references with
* groups.
*/
private StringBuilder appendExpandedReplacement(String replacement, StringBuilder result) {
int cursor = 0;
while (cursor < replacement.length()) {
char nextChar = replacement.charAt(cursor);
// 可以看出,转义符号使用起来也需要小心。如果在最后面,又会报错。
if (nextChar == '\\') {
cursor++;
if (cursor == replacement.length())
throw new IllegalArgumentException(
"character to be escaped is missing");
// 对转义符的操作比较简单,只是先跳过转义符,然后将下一个字符拷贝
nextChar = replacement.charAt(cursor);
result.append(nextChar);
cursor++;
// 如果是$,那么后面要么是数字,要么是{
} else if (nextChar == '$') {
// Skip past $
cursor++;
// Throw IAE if this "$" is the last character in replacement
if (cursor == replacement.length())
throw new IllegalArgumentException(
"Illegal group reference: group index is missing");
nextChar = replacement.charAt(cursor);
int refNum = -1;
if (nextChar == '{') {
cursor++;
StringBuilder gsb = new StringBuilder();
// 先读出{}中的内容
while (cursor < replacement.length()) {
nextChar = replacement.charAt(cursor);
if (ASCII.isLower(nextChar) ||
ASCII.isUpper(nextChar) ||
ASCII.isDigit(nextChar)) {
gsb.append(nextChar);
cursor++;
} else {
break;
}
}
if (gsb.length() == 0)
throw new IllegalArgumentException(
"named capturing group has 0 length name");
if (nextChar != '}')
throw new IllegalArgumentException(
"named capturing group is missing trailing '}'");
String gname = gsb.toString();
if (ASCII.isDigit(gname.charAt(0)))
throw new IllegalArgumentException(
"capturing group name {" + gname +
"} starts with digit character");
//{}中包含的内容,是分组的名字,分组存在,直接拿来分组的值,不存在则报错
if (!parentPattern.namedGroups().containsKey(gname))
throw new IllegalArgumentException(
"No group with name {" + gname + "}");
refNum = parentPattern.namedGroups().get(gname);
cursor++;
} else {
// The first number is always a group
refNum = nextChar - '0';
// 只接受0-9的数字,也就是分组的序号
if ((refNum < 0) || (refNum > 9))
throw new IllegalArgumentException(
"Illegal group reference");
cursor++;
// Capture the largest legal group string
boolean done = false;
while (!done) {
if (cursor >= replacement.length()) {
break;
}
int nextDigit = replacement.charAt(cursor) - '0';
if ((nextDigit < 0) || (nextDigit > 9)) { // not a number
break;
}
int newRefNum = (refNum * 10) + nextDigit;
if (groupCount() < newRefNum) {
done = true;
} else {
refNum = newRefNum;
cursor++;
}
}
}
// Append group
if (start(refNum) != -1 && end(refNum) != -1)
result.append(text, start(refNum), end(refNum));
} else {
result.append(nextChar);
cursor++;
}
}
return result;
}
可以看出,转义符号使用起来也需要小心。如果在最后面,又会报错,对转义符的操作比较简单,只是先跳过转义符,然后将下一个字符拷贝;如果是$,那么后面要么是数字,要么是{。对$符号的处理,如果后面是{,则先读出{}中的内容,也就是分组的名字,然后查询分组是否存在,存在则直接拿来分组的值,不存在则报错,如果后面是数字,就去拿第n个分组的值。
过程如上,但是网上基本上没有上述内容的示例,根据上面的简要分析,做出了下面简要的demo:
String Str = new String("Welcome to Tutoririalspoint.combb");
System.out.print("Return Value :" );
System.out.println(Str.replaceFirst("Tuto(.*)als(?<hi>.*)(bb)", "$1AMROOD}$2--$3--${hi}--xx"));
// 输出:
// Return Value :Welcome to ririAMROOD}point.com--bb--point.com--xx
给分组命名确实以前没尝试过,参考:https://stackoverflow.com/questions/415580/regex-named-groups-in-java。
解决办法
替换后的方法如下所示:
private String showSql(Configuration configuration, BoundSql boundSql) {
Object parameterObject = boundSql.getParameterObject();
List<ParameterMapping> parameterMappings = boundSql.getParameterMappings();
String sql = boundSql.getSql().replaceAll("[\\s]+", " ");
if (parameterMappings.size() > 0 && parameterObject != null) {
TypeHandlerRegistry typeHandlerRegistry = configuration.getTypeHandlerRegistry();
if (typeHandlerRegistry.hasTypeHandler(parameterObject.getClass())) {
sql = sql.replaceFirst("\\?", Matcher.quoteReplacement(getParameterValue(parameterObject)));
} else {
MetaObject metaObject = configuration.newMetaObject(parameterObject);
for (ParameterMapping parameterMapping : parameterMappings) {
String propertyName = parameterMapping.getProperty();
if (metaObject.hasGetter(propertyName)) {
Object obj = metaObject.getValue(propertyName);
sql = sql.replaceFirst("\\?", Matcher.quoteReplacement(getParameterValue(obj)));
} else if (boundSql.hasAdditionalParameter(propertyName)) {
Object obj = boundSql.getAdditionalParameter(propertyName);
sql = sql.replaceFirst("\\?", Matcher.quoteReplacement(getParameterValue(obj)));
}
}
}
}
return sql;
}
