fix: 安全漏洞-社区版权限绕过 H2 RCE Bypass

fit2cloud-chenyw
2025-04-30 15:41:10 +08:00
committed by fit2cloud-chenyw
parent 2999de9fe1
commit 429f654733
2 changed files with 4 additions and 1 deletions


@@ -3,16 +3,18 @@ package io.dataease.datasource.type;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import lombok.EqualsAndHashCode;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
@EqualsAndHashCode(callSuper = true)
@Data
@Component("h2")
public class H2 extends DatasourceConfiguration {
private String driver = "org.h2.Driver";
public String getJdbc() {
if (jdbc.contains("INIT") || jdbc.contains("RUNSCRIPT")) {
if (StringUtils.containsAnyIgnoreCase(jdbc, "INIT", "RUNSCRIPT")) {
DEException.throwException("Has illegal parameter: " + jdbc);
}
return jdbc;
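Review bot: The check in `getJdbc()` is still a substring denylist over the raw URL, so it covers only the two keywords listed and will also reject a legitimate URL whose path or database name happens to contain `init`. An allowlist would be sturdier: split the settings that follow the first `;`, compare each key against a fixed set of permitted names, and reject everything else. The exception text also concatenates the full `jdbc` value, which can carry credentials when they are embedded in the URL; a fixed message such as `DEException.throwException("Has illegal parameter in JDBC URL");` keeps that out of responses and logs. Because the validation lives only in the getter, any code that reads the `jdbc` field directly would skip it, which is worth confirming against the callers. The class body continues past the end of the hunk.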


@@ -61,6 +61,7 @@ public class CommunityTokenFilter implements Filter {
String msg = URLEncoder.encode(e.getMessage(), StandardCharsets.UTF_8).replace("+", "%20");
headers.add(headName, msg);
sendResponseEntity(res, new ResponseEntity<>(e.getMessage(), headers, HttpStatus.UNAUTHORIZED));
return;
}
}
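Review bot: The 401 path hands `e.getMessage()` to an unauthenticated caller twice, once in the header and once as the response body, so whatever the token validation exception says is disclosed; a fixed body such as `"Unauthorized"` with the detail kept in the server log would be safer. `URLEncoder.encode` also throws a NullPointerException when `e.getMessage()` is null, which would skip `sendResponseEntity` altogether; `Objects.toString(e.getMessage(), "")` guards against that. If `return;` is the line this commit adds (the rendered page has lost the +/- markers), a comment such as `// response already sent; do not continue the filter chain` would make it harder to remove by accident. The enclosing method starts and ends outside the hunk.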