fix: 【漏洞】Dataease H2 JDBC Connection Remote Code Execution

taojinlong
2025-06-03 09:29:48 +08:00
committed by taojinlong
parent 7056a81ab2
commit 6e9d62a4da


@@ -7,16 +7,23 @@ import lombok.EqualsAndHashCode;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import java.util.Arrays;
import java.util.List;
@EqualsAndHashCode(callSuper = true)
@Data
@Component("h2")
public class H2 extends DatasourceConfiguration {
private String driver = "org.h2.Driver";
private List<String> illegalParameters = Arrays.asList("INIT", "RUNSCRIPT");
public String getJdbc() {
if (StringUtils.containsAnyIgnoreCase(jdbc, "INIT", "RUNSCRIPT")) {
DEException.throwException("Has illegal parameter: " + jdbc);
for (String illegalParameter : illegalParameters) {
if (jdbc.toUpperCase().contains(illegalParameter)) {
DEException.throwException("Has illegal parameter: " + jdbc);
}
}
return jdbc;
}
}
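Review bot: `illegalParameters` is a plain instance field on a class annotated with `@Data`, so Lombok generates a public setter for it; if this configuration object is bound from client-supplied JSON (not visible in the hunk), the deny-list itself could be overwritten, and `private static final List<String> ILLEGAL_PARAMETERS = Arrays.asList("INIT", "RUNSCRIPT");` would keep it out of the bean's properties. The loop's `jdbc.toUpperCase().contains(illegalParameter)` depends on the JVM default locale and throws a NullPointerException when `jdbc` is null, neither of which applies to the `StringUtils.containsAnyIgnoreCase` form also shown in the hunk; a null guard plus `jdbc.toUpperCase(Locale.ROOT)` would avoid both. The exception message echoes the whole JDBC URL, which may carry credentials, so naming only the rejected keyword would be safer. A substring deny-list is hard to keep complete, and an allow-list of accepted URL settings would be a sturdier follow-up.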