fix[数据源]: 修复【漏洞】SQL 注入漏洞

2026-05-17 06:50:45 +08:00 · 2026-01-29 11:32:33 +08:00
parent 8f1c21834a
commit 568f7b730b
4 changed files with 11 additions and 3 deletions
--- a/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
@@ -1089,6 +1089,11 @@ public class DatasourceServer implements DatasourceApi {
        if (ObjectUtils.isEmpty(tableName) || ObjectUtils.isEmpty(id)) {
            return null;
        }
+        DatasetTableDTO datasetTableDTO = new DatasetTableDTO();
+        datasetTableDTO.setDatasourceId(id);
+        if (!getTables(datasetTableDTO).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains(tableName)) {
+            DEException.throwException(Translator.get("i18n_invalid_table_name"));
+        }
        String sql = "SELECT * FROM `" + tableName + "`";
        sql = new String(Base64.getEncoder().encode(sql.getBytes()));
        PreviewSqlDTO previewSqlDTO = new PreviewSqlDTO();
--- a/core/core-backend/src/main/resources/i18n/core_en_US.properties
+++ b/core/core-backend/src/main/resources/i18n/core_en_US.properties
@@ -215,4 +215,5 @@ i18n_unsupported_protocol=Unsupported protocol!
 i18n_excel_error_first_row=Empty cells are not allowed in the middle of the first row!
 i18n_app_error_no_api=Currently, API and Lark data sources are not supported.
 i18n_resource_not_exists=Resource does not exist or has been deleted...
-i18n_field_name_limit_100=Field name cannot exceed 100 characters
+i18n_field_name_limit_100=Field name cannot exceed 100 characters
+i18n_invalid_table_name=Invalid table name!
--- a/core/core-backend/src/main/resources/i18n/core_zh_CN.properties
+++ b/core/core-backend/src/main/resources/i18n/core_zh_CN.properties
@@ -214,4 +214,5 @@ i18n_unsupported_protocol=\u4E0D\u652F\u6301\u7684\u534F\u8BAE\uFF01
 i18n_excel_error_first_row=\u9996\u884C\u884C\u4E2D\u4E0D\u5141\u8BB8\u6709\u7A7A\u5355\u5143\u683C\uFF01
 i18n_app_error_no_api=\u5F53\u524D\u4E0D\u652F\u6301API\u548C\u98DE\u4E66\u6570\u636E\u6E90
 i18n_resource_not_exists=\u8D44\u6E90\u4E0D\u5B58\u5728\u6216\u5DF2\u7ECF\u88AB\u5220\u9664...
-i18n_field_name_limit_100=\u5b57\u6bb5\u540d\u79f0\u4e0d\u80fd\u8d85\u8fc7100\u5b57\u7b26
+i18n_field_name_limit_100=\u5b57\u6bb5\u540d\u79f0\u4e0d\u80fd\u8d85\u8fc7100\u5b57\u7b26
+i18n_invalid_table_name=\u65e0\u6548\u7684\u8868\u540d\uff01
--- a/core/core-backend/src/main/resources/i18n/core_zh_TW.properties
+++ b/core/core-backend/src/main/resources/i18n/core_zh_TW.properties
@@ -214,4 +214,5 @@ i18n_unsupported_protocol=\u4E0D\u652F\u63F4\u7684\u5354\u8B70\uFF01
 i18n_excel_error_first_row=\u9996\u884C\u884C\u4E2D\u4E0D\u5141\u8A31\u6709\u7A7A\u5132\u5B58\u683C\uFF01
 i18n_app_error_no_api=\u7576\u524D\u4E0D\u652F\u63F4API\u548C\u98DB\u66F8\u6578\u64DA\u6E90
 i18n_resource_not_exists=\u8CC7\u6E90\u4E0D\u5B58\u5728\u6216\u5DF2\u7D93\u88AB\u522A\u9664...
-i18n_field_name_limit_100=\u5b57\u6bb5\u540d\u7a31\u4e0d\u80fd\u8d85\u904e100\u5b57\u7b26
+i18n_field_name_limit_100=\u5b57\u6bb5\u540d\u7a31\u4e0d\u80fd\u8d85\u904e100\u5b57\u7b26
+i18n_invalid_table_name=\u65e0\u6548\u7684\u8868\u540d\uff01