From 1644d81dff46272b09570fa1f4a8f83f01f37440 Mon Sep 17 00:00:00 2001
From: taojinlong
Date: Tue, 5 Aug 2025 16:49:01 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E3=80=90=E6=BC=8F=E6=B4=9E=E3=80=91Data?=
 =?UTF-8?q?ease=20H2=20JDBC=20RCE=20Bypass's=20Bypass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/main/java/io/dataease/datasource/type/CK.java | 10 +++++++---
 .../src/main/java/io/dataease/datasource/type/Db2.java | 3 +++
 .../main/java/io/dataease/datasource/type/Impala.java | 4 ++++
 .../main/java/io/dataease/datasource/type/Mongo.java | 4 ++++
 .../main/java/io/dataease/datasource/type/Mysql.java | 3 +++
 .../main/java/io/dataease/datasource/type/Oracle.java | 4 ++++
 .../src/main/java/io/dataease/datasource/type/Pg.java | 3 +++
 .../java/io/dataease/datasource/type/Redshift.java | 3 +++
 .../java/io/dataease/datasource/type/Sqlserver.java | 4 ++++
 9 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/CK.java b/core/core-backend/src/main/java/io/dataease/datasource/type/CK.java
index 8b65006d07..9f341936ee 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/CK.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/CK.java
@@ -1,5 +1,6 @@
 package io.dataease.datasource.type;
 
+import io.dataease.exception.DEException;
 import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
 import lombok.Data;
 import org.apache.commons.lang3.StringUtils;
@@ -12,15 +13,18 @@ public class CK extends DatasourceConfiguration {
     private String extraParams = "";
 
     public String getJdbc() {
-        if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
+        if (StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")) {
+            if (!getJdbcUrl().startsWith("jdbc:clickhouse")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
-        if(StringUtils.isEmpty(extraParams.trim())){
+        if (StringUtils.isEmpty(extraParams.trim())) {
             return "jdbc:clickhouse://HOSTNAME:PORT/DATABASE"
                     .replace("HOSTNAME", getLHost().trim())
                     .replace("PORT", getLPort().toString().trim())
                     .replace("DATABASE", getDataBase().trim());
-        }else {
+        } else {
             return "jdbc:clickhouse://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
                     .replace("HOSTNAME", getLHost().trim())
                     .replace("PORT", getLPort().toString().trim())
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Db2.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Db2.java
index 6158a50e20..3983a60d05 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Db2.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Db2.java
@@ -23,6 +23,9 @@ public class Db2 extends DatasourceConfiguration {
                     DEException.throwException("Illegal parameter: " + illegalParameter);
                 }
             }
+            if (!getJdbcUrl().startsWith("jdbc:db2")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         if (StringUtils.isEmpty(extraParams.trim())) {
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Impala.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Impala.java
index 5d5f0d9f31..4d0c520ce0 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Impala.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Impala.java
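Review bot: The new guard in getJdbc() calls `getJdbcUrl().startsWith(...)` with no null check, so a urlType other than hostName with no jdbcUrl set now fails with a NullPointerException instead of the intended DEException; the null-safe form `if (!StringUtils.startsWith(getJdbcUrl(), "jdbc:clickhouse")) {` (StringUtils is already imported) closes that, and the same pattern recurs in the Db2, Impala, Mongo, Mysql, Oracle, Pg, Redshift and Sqlserver hunks. The error message also reflects the full jdbcUrl, which for a user-supplied URL can carry credentials in its query string, so a message that names only the expected prefix, e.g. `DEException.throwException("Illegal jdbcUrl: expected prefix jdbc:clickhouse");`, avoids echoing it to whoever sees the exception. A scheme prefix constrains only which driver is selected, not the rest of the URL: Db2, Mysql, Pg and Redshift additionally run the illegal-parameter loop visible in their context lines, whereas in CK, Impala, Mongo, Oracle and Sqlserver the urlType branch returns the raw URL with the prefix check as its only filter, so the parameter filtering probably belongs in a shared helper on DatasourceConfiguration rather than being copied per class. getJdbc() continues past the end of the hunk.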
@@ -1,5 +1,6 @@
 package io.dataease.datasource.type;
 
+import io.dataease.exception.DEException;
 import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
 import lombok.Data;
 import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,9 @@ public class Impala extends DatasourceConfiguration {
 
     public String getJdbc() {
         if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
+            if (!getJdbcUrl().startsWith("jdbc:impala")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         if(StringUtils.isEmpty(extraParams.trim())){
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Mongo.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Mongo.java
index 885cacdf8f..6e90420094 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Mongo.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Mongo.java
@@ -1,5 +1,6 @@
 package io.dataease.datasource.type;
 
+import io.dataease.exception.DEException;
 import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
 import lombok.Data;
 import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,9 @@ public class Mongo extends DatasourceConfiguration {
 
     public String getJdbc() {
         if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
+            if (!getJdbcUrl().startsWith("jdbc:mysql")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         if (StringUtils.isEmpty(extraParams.trim())) {
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java
index b1ecea0950..1752e04c64 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java
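Review bot: Mongo.getJdbc() accepts only URLs starting with `jdbc:mysql`, while every other class in this commit checks for its own driver's scheme; nothing in the hunk shows which driver the Mongo configuration actually hands the URL to, so this is either a deliberate choice (a MySQL-protocol connector in front of MongoDB) or a copy-paste slip from Mysql.java, and it should be confirmed against the connection code before merging. If it is intentional, a comment above the check such as `// Mongo is reached through a MySQL-protocol connector, hence the mysql scheme` would stop the next reader from "fixing" it. getJdbc() continues past the end of the hunk.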
@@ -25,6 +25,9 @@ public class Mysql extends DatasourceConfiguration {
                     DEException.throwException("Illegal parameter: " + illegalParameter);
                 }
             }
+            if (!getJdbcUrl().startsWith("jdbc:mysql")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         String jdbcUrl = "";
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Oracle.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Oracle.java
index 885f1b6054..0085e3eb4b 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Oracle.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Oracle.java
@@ -1,5 +1,6 @@
 package io.dataease.datasource.type;
 
+import io.dataease.exception.DEException;
 import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
 import lombok.Data;
 import org.apache.commons.lang3.StringUtils;
@@ -13,6 +14,9 @@ public class Oracle extends DatasourceConfiguration {
 
     public String getJdbc() {
         if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
+            if (!getJdbcUrl().startsWith("jdbc:oracle")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         if (StringUtils.isNotEmpty(getConnectionType()) && getConnectionType().equalsIgnoreCase("serviceName")) {
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Pg.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Pg.java
index 5ac3ff9978..247e9b8526 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Pg.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Pg.java
@@ -24,6 +24,9 @@ public class Pg extends DatasourceConfiguration {
                     DEException.throwException("Illegal parameter: " + illegalParameter);
                 }
             }
+            if (!getJdbcUrl().startsWith("jdbc:postgresql")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         String jdbcUrl = "";
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Redshift.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Redshift.java
index ab6e2b4cc5..bd13baa9f8 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Redshift.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Redshift.java
@@ -24,6 +24,9 @@ public class Redshift extends DatasourceConfiguration {
                     DEException.throwException("Illegal parameter: " + illegalParameter);
                 }
             }
+            if (!getJdbcUrl().startsWith("jdbc:redshift")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         String jdbcUrl = "jdbc:redshift://HOSTNAME:PORT/DATABASE"
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/type/Sqlserver.java b/core/core-backend/src/main/java/io/dataease/datasource/type/Sqlserver.java
index 075ca693fd..8fa7dff68b 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/type/Sqlserver.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/type/Sqlserver.java
@@ -1,5 +1,6 @@
 package io.dataease.datasource.type;
 
+import io.dataease.exception.DEException;
 import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
 import lombok.Data;
 import org.apache.commons.lang3.StringUtils;
@@ -18,6 +19,9 @@ public class Sqlserver extends DatasourceConfiguration {
 
     public String getJdbc() {
         if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
+            if (!getJdbcUrl().startsWith("jdbc:sqlserver")) {
+                DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
+            }
             return getJdbcUrl();
         }
         if (StringUtils.isEmpty(extraParams.trim())) {