public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-06-17 04:51:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 【漏洞】路径操纵、敏感信息泄露

Browse Source
This commit is contained in:
tjlygdx
2026-06-16 15:20:01 +08:00
parent 9b1438a725
commit 6bb3dd998b
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
core/core-backend/src/main/java/io/dataease/dataset/utils/TableUtils.java
View File

@@ -101,4 +101,24 @@ public class TableUtils {
.map(part -> quoteIdentifier(part, prefix, suffix))
.collect(Collectors.joining("."));
}
public static String quoteIdentifier(String name, String prefix, String suffix) {
String resolvedPrefix = StringUtils.defaultString(prefix);
String resolvedSuffix = StringUtils.defaultString(suffix);
if (StringUtils.isEmpty(resolvedPrefix) && StringUtils.isEmpty(resolvedSuffix)) {
resolvedPrefix = Quoting.BACK_TICK.string;
resolvedSuffix = Quoting.BACK_TICK.string;
}
String escapedName = StringUtils.defaultString(name);
if (StringUtils.isNotEmpty(resolvedSuffix)) {
escapedName = escapedName.replace(resolvedSuffix, resolvedSuffix + resolvedSuffix);
}
return resolvedPrefix + escapedName + resolvedSuffix;
}
public static String quoteCompoundIdentifier(String name, String prefix, String suffix) {
return Arrays.stream(StringUtils.defaultString(name).split("\\.", -1))
.map(part -> quoteIdentifier(part, prefix, suffix))
.collect(Collectors.joining("."));
}
}