mirror of
https://github.com/dataease/dataease.git
synced 2026-05-14 12:22:10 +08:00
fix: 【漏洞】Arbitrary File Read (Credential Exfiltration)
This commit is contained in:
taojinlong
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -31,6 +32,7 @@ public class CK extends DatasourceConfiguration {
|
|||||||
private String sslCert;
|
private String sslCert;
|
||||||
private String sslKey;
|
private String sslKey;
|
||||||
|
|
||||||
|
@JsonIgnore
|
||||||
private List<String> ILLEGAL_PARAMETERS = Arrays.asList("jndi:", "rmi:", "ldap:", "ldaps:", "dns:", "nis:", "corba:",
|
private List<String> ILLEGAL_PARAMETERS = Arrays.asList("jndi:", "rmi:", "ldap:", "ldaps:", "dns:", "nis:", "corba:",
|
||||||
"java.naming.factory.initial", "java.naming.provider.url");
|
"java.naming.factory.initial", "java.naming.provider.url");
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -14,6 +15,7 @@ import java.util.List;
|
|||||||
public class Db2 extends DatasourceConfiguration {
|
public class Db2 extends DatasourceConfiguration {
|
||||||
private String driver = "com.ibm.db2.jcc.DB2Driver";
|
private String driver = "com.ibm.db2.jcc.DB2Driver";
|
||||||
private String extraParams = "";
|
private String extraParams = "";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList(
|
private List<String> illegalParameters = Arrays.asList(
|
||||||
// 原有参数(如RMI相关)
|
// 原有参数(如RMI相关)
|
||||||
"java.naming.factory.initial", "java.naming.provider.url", "rmi",
|
"java.naming.factory.initial", "java.naming.provider.url", "rmi",
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -29,6 +30,7 @@ public class H2 extends DatasourceConfiguration {
|
|||||||
return jdbc;
|
return jdbc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@JsonIgnore
|
||||||
private List<String> getH2IllegalParameters() {
|
private List<String> getH2IllegalParameters() {
|
||||||
return Arrays.asList("INIT", "RUNSCRIPT");
|
return Arrays.asList("INIT", "RUNSCRIPT");
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -16,6 +17,7 @@ import java.util.regex.Pattern;
|
|||||||
public class Impala extends DatasourceConfiguration {
|
public class Impala extends DatasourceConfiguration {
|
||||||
private String driver = "com.cloudera.impala.jdbc.Driver";
|
private String driver = "com.cloudera.impala.jdbc.Driver";
|
||||||
private String extraParams = "";
|
private String extraParams = "";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList(
|
private List<String> illegalParameters = Arrays.asList(
|
||||||
// 原有非法参数
|
// 原有非法参数
|
||||||
"autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations",
|
"autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations",
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -14,6 +15,7 @@ import java.util.List;
|
|||||||
public class Mongo extends DatasourceConfiguration {
|
public class Mongo extends DatasourceConfiguration {
|
||||||
private String driver = "com.mysql.cj.jdbc.Driver";
|
private String driver = "com.mysql.cj.jdbc.Driver";
|
||||||
private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
|
private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations");
|
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations");
|
||||||
private List<String> showTableSqls = Arrays.asList("show tables");
|
private List<String> showTableSqls = Arrays.asList("show tables");
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -15,6 +16,7 @@ import java.util.List;
|
|||||||
public class Mysql extends DatasourceConfiguration {
|
public class Mysql extends DatasourceConfiguration {
|
||||||
private String driver = "com.mysql.cj.jdbc.Driver";
|
private String driver = "com.mysql.cj.jdbc.Driver";
|
||||||
private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
|
private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList("maxAllowedPacket", "autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath", "allowMultiQueries");
|
private List<String> illegalParameters = Arrays.asList("maxAllowedPacket", "autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath", "allowMultiQueries");
|
||||||
private List<String> showTableSqls = Arrays.asList("show tables");
|
private List<String> showTableSqls = Arrays.asList("show tables");
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -16,6 +17,7 @@ import java.util.regex.Pattern;
|
|||||||
public class Pg extends DatasourceConfiguration {
|
public class Pg extends DatasourceConfiguration {
|
||||||
private String driver = "org.postgresql.Driver";
|
private String driver = "org.postgresql.Driver";
|
||||||
private String extraParams = "";
|
private String extraParams = "";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslhostnameverifier", "sslpasswordcallback", "authenticationPluginClassName");
|
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslhostnameverifier", "sslpasswordcallback", "authenticationPluginClassName");
|
||||||
|
|
||||||
public String getJdbc() {
|
public String getJdbc() {
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -19,6 +20,7 @@ import static java.awt.SystemColor.info;
|
|||||||
public class Redshift extends DatasourceConfiguration {
|
public class Redshift extends DatasourceConfiguration {
|
||||||
private String driver = "com.amazon.redshift.jdbc42.Driver";
|
private String driver = "com.amazon.redshift.jdbc42.Driver";
|
||||||
private String extraParams = "";
|
private String extraParams = "";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslhostnameverifier", "sslpasswordcallback", "authenticationPluginClassName", "IniFile");
|
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslhostnameverifier", "sslpasswordcallback", "authenticationPluginClassName", "IniFile");
|
||||||
|
|
||||||
public String getJdbc() {
|
public String getJdbc() {
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
package io.dataease.datasource.type;
|
package io.dataease.datasource.type;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
import io.dataease.exception.DEException;
|
import io.dataease.exception.DEException;
|
||||||
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
@@ -16,6 +17,7 @@ import java.util.regex.Pattern;
|
|||||||
public class Sqlserver extends DatasourceConfiguration {
|
public class Sqlserver extends DatasourceConfiguration {
|
||||||
private String driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
|
private String driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
|
||||||
private String extraParams = "";
|
private String extraParams = "";
|
||||||
|
@JsonIgnore
|
||||||
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "jndi:", "rmi:", "ldap:", "ldaps:", "java.naming.factory.initial");
|
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "jndi:", "rmi:", "ldap:", "ldaps:", "java.naming.factory.initial");
|
||||||
private List<String> showTableSqls = Arrays.asList("show tables");
|
private List<String> showTableSqls = Arrays.asList("show tables");
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user