fix: 【漏洞】CalciteProvider.java SQL注入漏洞

core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java

@@ -90,6 +90,8 @@ public class DatasetDataManage {
     private RowPermissionsApi rowPermissionsApi;
     @Resource
     private DataSourceManage dataSourceManage;
+    @Resource
+    private DatasetCacheManage datasetCacheManage;
 
     private static Logger logger = LoggerFactory.getLogger(DatasetDataManage.class);
 
@@ -104,6 +106,8 @@ public class DatasetDataManage {
         List<TableField> tableFields = null;
         String type = datasetTableDTO.getType();
         DatasetTableInfoDTO tableInfoDTO = JsonUtil.parseObject(datasetTableDTO.getInfo(), DatasetTableInfoDTO.class);
+        // check table name
+        datasetCacheManage.validateTable(datasetTableDTO.getDatasourceId(), tableInfoDTO.getTable());
         if (StringUtils.equalsIgnoreCase(type, DatasetTableType.DB) || StringUtils.equalsIgnoreCase(type, DatasetTableType.SQL)) {
             CoreDatasource coreDatasource = dataSourceManage.getCoreDatasource(datasetTableDTO.getDatasourceId());
             DatasourceSchemaDTO datasourceSchemaDTO = new DatasourceSchemaDTO();

core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java

@@ -16,6 +16,7 @@ import io.dataease.commons.utils.CronUtils;
 import io.dataease.constant.LogOT;
 import io.dataease.constant.LogST;
 import io.dataease.constant.SQLConstants;
+import io.dataease.dataset.manage.DatasetCacheManage;
 import io.dataease.dataset.manage.DatasetDataManage;
 import io.dataease.dataset.utils.TableUtils;
 import io.dataease.datasource.dao.auto.entity.*;
@@ -109,6 +110,8 @@ public class DatasourceServer implements DatasourceApi {
     private PluginManageApi pluginManage;
     @Autowired(required = false)
     private RelationApi relationManage;
+    @Resource
+    private DatasetCacheManage datasetCacheManage;
 
     public enum UpdateType {
         all_scope, add_scope
@@ -769,19 +772,26 @@ public class DatasourceServer implements DatasourceApi {
         BeanUtils.copyBean(datasourceDTO, coreDatasource);
         DatasourceRequest datasourceRequest = new DatasourceRequest();
         datasourceRequest.setDatasource(datasourceDTO);
+        List<DatasetTableDTO> result;
         if (coreDatasource.getType().contains(DatasourceConfiguration.DatasourceType.API.name())) {
-            List<DatasetTableDTO> datasetTableDTOS = (List<DatasetTableDTO>) invokeMethod(coreDatasource.getType(), "getApiTables", DatasourceRequest.class, datasourceRequest);
-            return datasetTableDTOS;
+            result = (List<DatasetTableDTO>) invokeMethod(coreDatasource.getType(), "getApiTables", DatasourceRequest.class, datasourceRequest);
+            datasetCacheManage.cacheTablesByDatasource(datasetTableDTO.getDatasourceId(), result);
+            return result;
         }
         if (coreDatasource.getType().contains("Excel")) {
-            return ExcelUtils.getTables(datasourceRequest);
+            result = ExcelUtils.getTables(datasourceRequest);
+            datasetCacheManage.cacheTablesByDatasource(datasetTableDTO.getDatasourceId(), result);
+            return result;
         }
         Provider provider = ProviderFactory.getProvider(datasourceDTO.getType());
         List<DatasetTableDTO> tables = provider.getTables(datasourceRequest);
         if (StringUtils.equalsIgnoreCase(coreDatasource.getType(), DatasourceConfiguration.DatasourceType.oracle.name())) {
-            return tables.stream().filter(table -> !isOracleRecycleBinTable(table)).collect(Collectors.toList());
+            result = tables.stream().filter(table -> !isOracleRecycleBinTable(table)).collect(Collectors.toList());
+        } else {
+            result = tables;
         }
-        return tables;
+        datasetCacheManage.cacheTablesByDatasource(datasetTableDTO.getDatasourceId(), result);
+        return result;
     }
 
     private boolean isOracleRecycleBinTable(DatasetTableDTO table) {

core/core-backend/src/main/resources/ehcache/ehcache.xml

@@ -157,5 +157,15 @@
         </resources>
     </cache>
 
+    <cache alias="de_v2_dataset_table" uses-template="common-cache">
+        <key-type>java.lang.String</key-type>
+        <value-type>java.util.List</value-type>
+    </cache>
+
+    <cache alias="de_v2_dataset_field" uses-template="common-cache">
+        <key-type>java.lang.String</key-type>
+        <value-type>java.util.List</value-type>
+    </cache>
+
 </config>
 

core/core-backend/src/main/resources/i18n/core_en_US.properties

@@ -220,3 +220,5 @@ i18n_app_error_no_api=Currently, API and Lark data sources are not supported.
 i18n_resource_not_exists=Resource does not exist or has been deleted...
 i18n_field_name_limit_100=Field name cannot exceed 100 characters
 i18n_invalid_table_name=Invalid table name!
+i18n_dataset_table_not_exist=Dataset table does not exist
+i18n_dataset_field_not_exist=Dataset field does not exist

core/core-backend/src/main/resources/i18n/core_zh_CN.properties

@@ -219,3 +219,5 @@ i18n_app_error_no_api=\u5F53\u524D\u4E0D\u652F\u6301API\u548C\u98DE\u4E66\u6570\
 i18n_resource_not_exists=\u8D44\u6E90\u4E0D\u5B58\u5728\u6216\u5DF2\u7ECF\u88AB\u5220\u9664...
 i18n_field_name_limit_100=\u5B57\u6BB5\u540D\u79F0\u4E0D\u80FD\u8D85\u8FC7100\u5B57\u7B26
 i18n_invalid_table_name=\u65E0\u6548\u7684\u8868\u540D\uFF01
+i18n_dataset_table_not_exist=\u6570\u636E\u96C6\u8868\u4E0D\u5B58\u5728
+i18n_dataset_field_not_exist=\u6570\u636E\u96C6\u5B57\u6BB5\u4E0D\u5B58\u5728

core/core-backend/src/main/resources/i18n/core_zh_TW.properties

@@ -219,3 +219,5 @@ i18n_app_error_no_api=\u7576\u524D\u4E0D\u652F\u63F4API\u548C\u98DB\u66F8\u6578\
 i18n_resource_not_exists=\u8CC7\u6E90\u4E0D\u5B58\u5728\u6216\u5DF2\u7D93\u88AB\u522A\u9664...
 i18n_field_name_limit_100=\u5B57\u6BB5\u540D\u7A31\u4E0D\u80FD\u8D85\u904E100\u5B57\u7B26
 i18n_invalid_table_name=\u65E0\u6548\u7684\u8868\u540D\uFF01
+i18n_dataset_table_not_exist=\u6578\u64DA\u96C6\u8868\u4E0D\u5B58\u5728
+i18n_dataset_field_not_exist=\u6578\u64DA\u96C6\u5B57\u6BB5\u4E0D\u5B58\u5728

sdk/common/src/main/java/io/dataease/constant/CacheConstant.java

@@ -40,4 +40,9 @@ public class CacheConstant {
 
         public static final String cacheKey = "de_v2_lic_key";
     }
+
+    public static class DatasetCacheConstant {
+        public static final String DATASET_TABLE_CACHE = "de_v2_dataset_table";
+        public static final String DATASET_FIELD_CACHE = "de_v2_dataset_field";
+    }
 }