public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-05-14 21:12:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 修复数据集存在SQL注入漏洞

Browse Source
This commit is contained in:
taojinlong
2025-10-14 17:35:28 +08:00
committed by taojinlong
parent 083c2e35c7
commit 3c52cc26c4
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/core-backend/src/main/java/io/dataease/datasource/provider/EsProvider.java
View File

@@ -95,6 +95,9 @@ public class EsProvider extends Provider {
try {
String sql;
if (datasourceRequest.getTable() != null) {
if (!getTables(datasourceRequest).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains(datasourceRequest.getTable())) {
DEException.throwException("无效的表名!");
}
sql = "select * from \"" + datasourceRequest.getTable() + "\" limit 0";
} else {
sql = datasourceRequest.getQuery();