mirror of
https://github.com/dataease/dataease.git
synced 2026-06-14 17:51:43 +08:00
fix: 数据源修复mysql、Redshift远程代码执行漏洞
This commit is contained in:
taojinlong
@@ -19,24 +19,25 @@ public class MysqlConfiguration extends JdbcConfiguration {
|
||||
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath");
|
||||
|
||||
public String getJdbc() {
|
||||
String jdbcUrl = "";
|
||||
if (StringUtils.isEmpty(extraParams.trim())) {
|
||||
return "jdbc:mysql://HOSTNAME:PORT/DATABASE".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim());
|
||||
jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim());
|
||||
} else {
|
||||
for (String illegalParameter : getIllegalParameters()) {
|
||||
if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
|
||||
throw new RuntimeException("Illegal parameter: " + illegalParameter);
|
||||
}
|
||||
}
|
||||
|
||||
return "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim()).replace("EXTRA_PARAMS", getExtraParams().trim());
|
||||
jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim()).replace("EXTRA_PARAMS", getExtraParams().trim());
|
||||
}
|
||||
for (String illegalParameter : getIllegalParameters()) {
|
||||
if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())) {
|
||||
throw new RuntimeException("Illegal parameter: " + illegalParameter);
|
||||
}
|
||||
}
|
||||
return jdbcUrl;
|
||||
}
|
||||
|
||||
public List<String> getIllegalParameters(){
|
||||
public List<String> getIllegalParameters() {
|
||||
List<String> newIllegalParameters = new ArrayList<>();
|
||||
newIllegalParameters.addAll(illegalParameters);
|
||||
newIllegalParameters.addAll(Arrays.asList("allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath"));
|
||||
return newIllegalParameters;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -19,31 +19,33 @@ public class PgConfiguration extends JdbcConfiguration {
|
||||
|
||||
|
||||
public String getJdbc() {
|
||||
String jdbcUrl = "";
|
||||
if (StringUtils.isEmpty(extraParams.trim())) {
|
||||
if (StringUtils.isEmpty(getSchema())) {
|
||||
return "jdbc:postgresql://HOSTNAME:PORT/DATABASE"
|
||||
jdbcUrl = "jdbc:postgresql://HOSTNAME:PORT/DATABASE"
|
||||
.replace("HOSTNAME", getHost().trim())
|
||||
.replace("PORT", getPort().toString().trim())
|
||||
.replace("DATABASE", getDataBase().trim());
|
||||
} else {
|
||||
return "jdbc:postgresql://HOSTNAME:PORT/DATABASE?currentSchema=SCHEMA"
|
||||
jdbcUrl = "jdbc:postgresql://HOSTNAME:PORT/DATABASE?currentSchema=SCHEMA"
|
||||
.replace("HOSTNAME", getHost().trim())
|
||||
.replace("PORT", getPort().toString().trim())
|
||||
.replace("DATABASE", getDataBase().trim())
|
||||
.replace("SCHEMA", getSchema().trim());
|
||||
}
|
||||
} else {
|
||||
for (String illegalParameter : illegalParameters) {
|
||||
if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
|
||||
throw new RuntimeException("Illegal parameter: " + illegalParameter);
|
||||
}
|
||||
}
|
||||
return "jdbc:postgresql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
|
||||
jdbcUrl = "jdbc:postgresql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
|
||||
.replace("HOSTNAME", getHost().trim())
|
||||
.replace("PORT", getPort().toString().trim())
|
||||
.replace("DATABASE", getDataBase().trim())
|
||||
.replace("EXTRA_PARAMS", getExtraParams().trim());
|
||||
|
||||
}
|
||||
|
||||
for (String illegalParameter : illegalParameters) {
|
||||
if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())) {
|
||||
throw new RuntimeException("Illegal parameter: " + illegalParameter);
|
||||
}
|
||||
}
|
||||
return jdbcUrl;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,17 +4,29 @@ import io.dataease.plugins.datasource.entity.JdbcConfiguration;
|
||||
import lombok.Getter;
|
||||
import lombok.Setter;
|
||||
|
||||
import java.net.URLDecoder;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
@Getter
|
||||
@Setter
|
||||
public class RedshiftConfiguration extends JdbcConfiguration {
|
||||
|
||||
private String driver = "com.amazon.redshift.jdbc42.Driver";
|
||||
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslfactoryarg", "loggerLevel", "loggerFile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath");
|
||||
|
||||
|
||||
public String getJdbc() {
|
||||
// 连接参数先写死,后边要把编码、时区等参数放到数据源的设置中
|
||||
return "jdbc:redshift://HOSTNAME:PORT/DATABASE"
|
||||
|
||||
String jdbcUrl = "jdbc:redshift://HOSTNAME:PORT/DATABASE"
|
||||
.replace("HOSTNAME", getHost().trim())
|
||||
.replace("PORT", getPort().toString().trim())
|
||||
.replace("DATABASE", getDataBase().trim());
|
||||
for (String illegalParameter : illegalParameters) {
|
||||
if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase())) {
|
||||
throw new RuntimeException("Illegal parameter: " + illegalParameter);
|
||||
}
|
||||
}
|
||||
return jdbcUrl;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user