From 2204258118eac6160a6636ca20dbedb0d3f95747 Mon Sep 17 00:00:00 2001
From: tjlygdx
Date: Tue, 2 Jun 2026 15:54:16 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=20=E3=80=90=E6=BC=8F=E6=B4=9E=E3=80=91H?=
 =?UTF-8?q?2=20JDBC=20RCE=20Bypass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../security/JdbcUrlSecurityPolicy.java | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/core/core-backend/src/main/java/io/dataease/datasource/security/JdbcUrlSecurityPolicy.java b/core/core-backend/src/main/java/io/dataease/datasource/security/JdbcUrlSecurityPolicy.java
index c69e0c127b..87a17b2fa4 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/security/JdbcUrlSecurityPolicy.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/security/JdbcUrlSecurityPolicy.java
@@ -106,13 +106,13 @@ public final class JdbcUrlSecurityPolicy {
         String normalizedUrl = canonicalize(jdbcUrl);
         String normalizedExtraParams = canonicalize(extraParams);
         String expectedPrefix = JDBC_PREFIXES.get(normalizedType);
-        if (StringUtils.isBlank(expectedPrefix) || !normalizedUrl.startsWith(expectedPrefix)) {
+        if (StringUtils.isBlank(expectedPrefix) || !startsWithIgnoreCase(normalizedUrl, expectedPrefix)) {
             DEException.throwException("Illegal jdbcUrl: " + jdbcUrl);
         }
         Set dangerousFragments = new LinkedHashSet<>(COMMON_DANGEROUS_FRAGMENTS);
         dangerousFragments.addAll(TYPE_DANGEROUS_FRAGMENTS.getOrDefault(normalizedType, Set.of()));
         for (String fragment : dangerousFragments) {
-            if (normalizedUrl.contains(fragment) || normalizedExtraParams.contains(fragment)) {
+            if (containsIgnoreCase(normalizedUrl, fragment) || containsIgnoreCase(normalizedExtraParams, fragment)) {
                 DEException.throwException("Illegal parameter: " + fragment);
             }
         }
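Review bot: The rejection path on the fourth line of this hunk, `DEException.throwException("Illegal jdbcUrl: " + jdbcUrl);`, echoes the caller's raw URL into the exception message, and JDBC URLs routinely carry credentials as query parameters, so a rejected URL can surface its password in logs or in the error shown to the user. The only fact the caller needs is which datasource type the prefix was checked against, so `DEException.throwException("Illegal jdbcUrl for type: " + normalizedType);` conveys that without the secret; the second message, which prints only the matched denylist constant, is fine as is. The switch to case-insensitive prefix and fragment matching on the canonical form is a sensible answer to what looks like a case-folding mismatch, but it remains a substring denylist whose coverage is exactly the spellings in COMMON_DANGEROUS_FRAGMENTS and TYPE_DANGEROUS_FRAGMENTS, neither of which is visible here. The enclosing method begins and ends outside the hunk.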
@@ -166,10 +166,27 @@ public final class JdbcUrlSecurityPolicy {
         }
         normalized = Normalizer.normalize(normalized, Normalizer.Form.NFKC);
         normalized = normalized.replace("\\", "");
-        return normalized.toLowerCase(Locale.ROOT);
+        return normalized;
     }
 
     private static String normalizeType(String type) {
         return StringUtils.defaultString(type).toLowerCase(Locale.ROOT);
     }
+
+    private static boolean startsWithIgnoreCase(String value, String prefix) {
+        return StringUtils.length(value) >= StringUtils.length(prefix)
+                && value.regionMatches(true, 0, prefix, 0, prefix.length());
+    }
+
+    private static boolean containsIgnoreCase(String value, String fragment) {
+        if (StringUtils.isEmpty(value) || StringUtils.isEmpty(fragment) || fragment.length() > value.length()) {
+            return false;
+        }
+        for (int i = 0; i <= value.length() - fragment.length(); i++) {
+            if (value.regionMatches(true, i, fragment, 0, fragment.length())) {
+                return true;
+            }
+        }
+        return false;
+    }
 }
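Review bot: `canonicalize` no longer lower-cases its result and the two new helpers carry no comment, yet the reason is the security-relevant part of this fix: `String.toLowerCase(Locale.ROOT)` applies Unicode special casing to the whole string (U+0131 'ı' stays as is, U+0130 'İ' becomes 'i' plus a combining dot), whereas `regionMatches(true, …)` compares one char at a time through `Character.toUpperCase`/`Character.toLowerCase` in both directions and therefore does match those letters against an ASCII `i`, which is presumably how a denylisted key slipped past the old `contains`. A Javadoc on `containsIgnoreCase` such as `/** Case-insensitive substring test via per-char regionMatches; deliberately not toLowerCase(), whose special-casing of e.g. U+0130/U+0131 let denylisted keys bypass the check. */` would keep the next maintainer from reinstating the lowercase. If `StringUtils` here is Apache commons-lang3, as the `isBlank`/`defaultString`/`length` calls suggest, its `StringUtils.startsWithIgnoreCase` and `StringUtils.containsIgnoreCase` already implement this null-safe, regionMatches-based comparison and could replace the two hand-written helpers outright. As written, the `StringUtils.length(value) >= StringUtils.length(prefix)` guard in `startsWithIgnoreCase` only matters for a null `value`, since `regionMatches` itself returns false when the prefix does not fit.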