fix: 【漏洞】Dataease H2 JDBC RCE Bypass's Bypass

taojinlong
2025-08-05 16:49:01 +08:00
committed by taojinlong
parent 8d04e92d44
commit 1644d81dff
9 changed files with 35 additions and 3 deletions


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
@@ -12,15 +13,18 @@ public class CK extends DatasourceConfiguration {
private String extraParams = "";
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")) {
if (!getJdbcUrl().startsWith("jdbc:clickhouse")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if(StringUtils.isEmpty(extraParams.trim())){
if (StringUtils.isEmpty(extraParams.trim())) {
return "jdbc:clickhouse://HOSTNAME:PORT/DATABASE"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
}else {
} else {
return "jdbc:clickhouse://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
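Review bot: The new guard `getJdbcUrl().startsWith("jdbc:clickhouse")` dereferences the URL without a null check and, having no trailing delimiter, accepts any scheme that merely begins with that text. `StringUtils.startsWith(getJdbcUrl(), "jdbc:clickhouse:")` is null-safe (StringUtils is already imported in this file) and pins the scheme boundary; whether a null URL can actually reach this branch is not visible here. The same pattern recurs in the Db2, Impala, Mongo, Mysql, Oracle, Pg, Redshift and Sqlserver sections. getJdbc() continues past the end of this hunk.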


@@ -23,6 +23,9 @@ public class Db2 extends DatasourceConfiguration {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
if (!getJdbcUrl().startsWith("jdbc:db2")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if (StringUtils.isEmpty(extraParams.trim())) {
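Review bot: The rejection message `"Illegal jdbcUrl: " + getJdbcUrl()` echoes the whole user-supplied URL, and JDBC URLs can carry credentials as connection properties. If DEException messages are logged or returned to the client (not visible in this hunk), those values would be exposed. A message that names only the expected scheme avoids this, e.g. `DEException.throwException("Illegal jdbcUrl: expected prefix jdbc:db2");`. The same message is built in the other eight sections, and the enclosing method starts before this hunk.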


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,9 @@ public class Impala extends DatasourceConfiguration {
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (!getJdbcUrl().startsWith("jdbc:impala")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if(StringUtils.isEmpty(extraParams.trim())){
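Review bot: In this branch the prefix test is the only validation before `return getJdbcUrl();`, whereas the Db2, Mysql, Pg and Redshift sections show an `Illegal parameter` check running ahead of it. A scheme prefix only fixes which driver handles the URL; the connection properties that follow it are passed through unchanged. If Impala has properties that must be rejected, the same kind of check belongs here. The CK, Oracle and Sqlserver sections have the same shape, and getJdbc() continues outside the hunk.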


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,9 @@ public class Mongo extends DatasourceConfiguration {
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (!getJdbcUrl().startsWith("jdbc:mysql")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if (StringUtils.isEmpty(extraParams.trim())) {
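Review bot: The Mongo class checks for `jdbc:mysql`, which reads like a copy of the Mysql guard. If Mongo is deliberately reached through a MySQL-protocol driver, that needs a comment such as `// Mongo connects through a MySQL-protocol driver, so the URL scheme is jdbc:mysql`. In that case this branch also accepts MySQL-style URLs without the `Illegal parameter` check that the Mysql section shows ahead of its prefix test, so the two classes should share that validation. If the literal is a copy-paste slip, it should be the scheme this datasource's driver actually uses. getJdbc() continues beyond the hunk.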


@@ -25,6 +25,9 @@ public class Mysql extends DatasourceConfiguration {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
if (!getJdbcUrl().startsWith("jdbc:mysql")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
String jdbcUrl = "";
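Review bot: This three-line guard is now pasted into nine datasource classes with only the scheme literal changing, so one copy can easily drift from the others in its literal, delimiter or message. A single protected helper on the shared base class would keep the rule in one place and give one spot to unit-test accepted and rejected URLs. Each getJdbc() could call it as, for example, `checkJdbcUrlPrefix("jdbc:mysql");`, where the helper name is only a suggestion. DatasourceConfiguration lives in an extensions package, so whether it can be changed from this module needs confirming. The enclosing method begins before this hunk.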


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
@@ -13,6 +14,9 @@ public class Oracle extends DatasourceConfiguration {
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (!getJdbcUrl().startsWith("jdbc:oracle")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if (StringUtils.isNotEmpty(getConnectionType()) && getConnectionType().equalsIgnoreCase("serviceName")) {


@@ -24,6 +24,9 @@ public class Pg extends DatasourceConfiguration {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
if (!getJdbcUrl().startsWith("jdbc:postgresql")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
String jdbcUrl = "";


@@ -24,6 +24,9 @@ public class Redshift extends DatasourceConfiguration {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
if (!getJdbcUrl().startsWith("jdbc:redshift")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
String jdbcUrl = "jdbc:redshift://HOSTNAME:PORT/DATABASE"


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,9 @@ public class Sqlserver extends DatasourceConfiguration {
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (!getJdbcUrl().startsWith("jdbc:sqlserver")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if (StringUtils.isEmpty(extraParams.trim())) {