fix: 【漏洞】Arbitrary File Read (Credential Exfiltration)

taojinlong
2026-04-13 11:54:51 +08:00
committed by tjlygdx
parent ff1d3366be
commit 16a950f960
9 changed files with 18 additions and 0 deletions


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -31,6 +32,7 @@ public class CK extends DatasourceConfiguration {
private String sslCert;
private String sslKey;
@JsonIgnore
private List<String> ILLEGAL_PARAMETERS = Arrays.asList("jndi:", "rmi:", "ldap:", "ldaps:", "dns:", "nis:", "corba:",
"java.naming.factory.initial", "java.naming.provider.url");

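Review bot: `ILLEGAL_PARAMETERS` is still a per-instance, non-final field, so the new `@JsonIgnore` only stops Jackson from binding it; a Lombok-generated setter (the file imports `lombok.Data`, but the class annotation is outside the hunk), a bean copier or a different JSON library could still replace the denylist. Declaring it as a constant takes it out of the bean's property set altogether: `private static final List<String> ILLEGAL_PARAMETERS = Collections.unmodifiableList(Arrays.asList(...));`. The same applies to the `illegalParameters` fields in the Db2, Impala, Mongo, Mysql, Pg, Redshift and Sqlserver sections. A regression test that deserializes a configuration carrying its own list and asserts the built-in one is unchanged would pin the fix; any code that reads the list through a generated getter is not visible here and would need adjusting.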

@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -14,6 +15,7 @@ import java.util.List;
public class Db2 extends DatasourceConfiguration {
private String driver = "com.ibm.db2.jcc.DB2Driver";
private String extraParams = "";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList(
// 原有参数如RMI相关
"java.naming.factory.initial", "java.naming.provider.url", "rmi",


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -29,6 +30,7 @@ public class H2 extends DatasourceConfiguration {
return jdbc;
}
@JsonIgnore
private List<String> getH2IllegalParameters() {
return Arrays.asList("INIT", "RUNSCRIPT");
}
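Review bot: The `@JsonIgnore` on `getH2IllegalParameters()` looks like a no-op: the method is private and returns a fresh `Arrays.asList("INIT", "RUNSCRIPT")` on every call, so there is no field behind it for a deserializer to overwrite, and Jackson's default visibility does not pick up private getters. Either drop the annotation or state its purpose, e.g. `// not a bean property; annotated only for consistency with the other datasource types`. How the two keywords are compared against the JDBC URL is outside the hunk; H2 setting names are, as far as I know, not case-sensitive, so it is worth confirming that the comparison normalises case.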


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -16,6 +17,7 @@ import java.util.regex.Pattern;
public class Impala extends DatasourceConfiguration {
private String driver = "com.cloudera.impala.jdbc.Driver";
private String extraParams = "";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList(
// 原有非法参数
"autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations",


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -14,6 +15,7 @@ import java.util.List;
public class Mongo extends DatasourceConfiguration {
private String driver = "com.mysql.cj.jdbc.Driver";
private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations");
private List<String> showTableSqls = Arrays.asList("show tables");
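Review bot: `showTableSqls`, on the line right after the newly annotated field, is the same kind of bindable `List<String>` and stays without `@JsonIgnore`. If its entries are executed as SQL (the use is not visible in this hunk), a value carried in the submitted configuration would replace the built-in statement, so it deserves the same treatment: put `@JsonIgnore` above `private List<String> showTableSqls = Arrays.asList("show tables");`, or better, make it a `static final` unmodifiable list. The Mysql and Sqlserver sections have the identical unannotated field.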


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -15,6 +16,7 @@ import java.util.List;
public class Mysql extends DatasourceConfiguration {
private String driver = "com.mysql.cj.jdbc.Driver";
private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList("maxAllowedPacket", "autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath", "allowMultiQueries");
private List<String> showTableSqls = Arrays.asList("show tables");
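Review bot: The denylist on the annotated `illegalParameters` line mixes letter cases (`allowloadlocalinfile` next to `allowUrlInLocalInfile`), which suggests the matching code outside this hunk may be case-sensitive for some entries. Connector/J normalises the case of property names (worth confirming for the bundled driver version), so the comparison should normalise both sides, e.g. `name.toLowerCase(Locale.ROOT)` against lower-cased entries, applied to the decoded parameter names. Since this list is what stands between `extraParams` and the local-file options, an allowlist of permitted parameter names would be easier to keep complete than a growing denylist.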


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -16,6 +17,7 @@ import java.util.regex.Pattern;
public class Pg extends DatasourceConfiguration {
private String driver = "org.postgresql.Driver";
private String extraParams = "";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslhostnameverifier", "sslpasswordcallback", "authenticationPluginClassName");
public String getJdbc() {


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -19,6 +20,7 @@ import static java.awt.SystemColor.info;
public class Redshift extends DatasourceConfiguration {
private String driver = "com.amazon.redshift.jdbc42.Driver";
private String extraParams = "";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslhostnameverifier", "sslpasswordcallback", "authenticationPluginClassName", "IniFile");
public String getJdbc() {


@@ -1,5 +1,6 @@
package io.dataease.datasource.type;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
@@ -16,6 +17,7 @@ import java.util.regex.Pattern;
public class Sqlserver extends DatasourceConfiguration {
private String driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
private String extraParams = "";
@JsonIgnore
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "jndi:", "rmi:", "ldap:", "ldaps:", "java.naming.factory.initial");
private List<String> showTableSqls = Arrays.asList("show tables");