public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-06-12 16:31:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 【漏洞】CalciteProvider.java SQL注入漏洞

Browse Source
This commit is contained in:
junjun
2026-06-10 11:33:13 +08:00
parent 22b60e9ca0
commit 5ee1ac4f0d
1 changed files with 101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetCacheManage.java Normal file
View File

@@ -0,0 +1,101 @@
package io.dataease.dataset.manage;
import io.dataease.constant.CacheConstant;
import io.dataease.dataset.dao.auto.mapper.CoreDatasetTableFieldMapper;
import io.dataease.dataset.dao.auto.mapper.CoreDatasetTableMapper;
import io.dataease.datasource.server.DatasourceServer;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.dto.DatasetTableDTO;
import io.dataease.extensions.datasource.dto.DatasetTableFieldDTO;
import io.dataease.i18n.Translator;
import io.dataease.utils.CacheUtils;
import jakarta.annotation.Resource;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import java.util.Collections;
import java.util.List;
/**
* 数据集表和字段缓存管理
* 表缓存key = datasourceIdvalue = List该数据源下所有表
* 字段缓存key = datasourceId_tableNamevalue = List该表下所有字段
*/
@Component
public class DatasetCacheManage {
@Resource
private CoreDatasetTableMapper coreDatasetTableMapper;
@Resource
private CoreDatasetTableFieldMapper coreDatasetTableFieldMapper;
@Resource
private DatasourceServer datasourceServer;
/**
* 缓存某个数据源下的所有表
*/
public void cacheTablesByDatasource(Long datasourceId, List<DatasetTableDTO> tables) {
if (datasourceId == null || CollectionUtils.isEmpty(tables)) return;
String cacheKey = String.valueOf(datasourceId);
List<String> tableNames = tables.stream().map(DatasetTableDTO::getTableName).toList();
CacheUtils.put(CacheConstant.DatasetCacheConstant.DATASET_TABLE_CACHE, cacheKey, tableNames);
}
/**
* 缓存某个表下的所有字段
*/
public void cacheFieldsByTable(Long datasourceId, String tableName, List<DatasetTableFieldDTO> fields) {
if (datasourceId == null || StringUtils.isBlank(tableName) || CollectionUtils.isEmpty(fields)) return;
String cacheKey = datasourceId + "_" + tableName;
List<String> fieldNames = fields.stream().map(DatasetTableFieldDTO::getOriginName).toList();
CacheUtils.put(CacheConstant.DatasetCacheConstant.DATASET_FIELD_CACHE, cacheKey, fieldNames);
}
/**
* 获取某个数据源下的所有表,缓存未命中则查询数据源并缓存
*/
public List<String> getCachedTablesByDatasource(Long datasourceId) {
if (datasourceId == null) return Collections.emptyList();
String cacheKey = String.valueOf(datasourceId);
Object cached = CacheUtils.get(CacheConstant.DatasetCacheConstant.DATASET_TABLE_CACHE, cacheKey);
if (cached != null) {
return (List<String>) cached;
} else {
DatasetTableDTO dto = new DatasetTableDTO();
dto.setDatasourceId(datasourceId);
List<DatasetTableDTO> tables = datasourceServer.getTables(dto);
cacheTablesByDatasource(datasourceId, tables);
return tables.stream().map(DatasetTableDTO::getTableName).toList();
}
}
/**
* 获取某个表下的所有字段,缓存未命中则查询并缓存
*/
public List<String> getCachedFieldsByTable(Long datasourceId, String tableName) {
if (datasourceId == null || StringUtils.isBlank(tableName)) return Collections.emptyList();
String cacheKey = datasourceId + "_" + tableName;
Object cached = CacheUtils.get(CacheConstant.DatasetCacheConstant.DATASET_FIELD_CACHE, cacheKey);
if (cached != null) {
return (List<String>) cached;
}
return null;
}
/**
* 校验表是否存在:检查该数据源的缓存表列表中是否包含此表
* 如果缓存中没有该数据源的表列表,则放行(由调用方确保缓存已填充)
*/
public void validateTable(Long datasourceId, String tableName) {
if (StringUtils.isBlank(tableName)) return;
List<String> cachedTables = getCachedTablesByDatasource(datasourceId);
if (cachedTables.isEmpty()) {
return;
}
boolean exists = cachedTables.stream()
.anyMatch(t -> StringUtils.equalsIgnoreCase(t, tableName));
if (!exists) {
DEException.throwException(Translator.get("i18n_dataset_table_not_exist"));
}
}
}