fix: 修复漏洞

This commit is contained in:
taojinlong
2025-09-01 16:21:05 +08:00
committed by taojinlong
parent 42dabf4d5a
commit 7707865871
2 changed files with 37 additions and 7 deletions


@@ -14,7 +14,14 @@ import java.util.List;
public class Db2 extends DatasourceConfiguration {
private String driver = "com.ibm.db2.jcc.DB2Driver";
private String extraParams = "";
private List<String> illegalParameters = Arrays.asList("rmi");
private List<String> illegalParameters = Arrays.asList(
// 原有参数如RMI相关
"java.naming.factory.initial", "java.naming.provider.url", "rmi",
// 新增LDAP协议及相关危险参数
"ldap://", "ldaps://", "java.naming.factory.object", "java.naming.factory.state",
// 其他JDBC危险参数
"autoDeserialize", "connectionProperties", "initSQL"
);
public String getJdbc() {
if (StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")) {
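Review bot: The expanded denylist on lines 18–25 still works by substring match and blocks scheme strings (`ldap://`, `ldaps://`) rather than the DB2 JCC property that, as far as I know, triggers the JNDI lookup, `clientRerouteServerListJNDIName` (confirm against the driver docs); a value for that property using a scheme not in the list could pass, so I would add `"clientRerouteServerListJNDIName"` and, longer term, replace the denylist with an allowlist of accepted connection properties. Whether the comparison lowercases and URL-decodes the URL before matching is decided in `getJdbc`, whose body runs past the end of this hunk; without both, `LDAP://` or a percent-encoded `%6cdap://` slips past the new entries. The comments on lines 19, 21 and 23 are in Chinese while the rest of the file is English; I'd use `// JNDI/RMI lookup properties`, `// LDAP schemes and naming-factory properties`, `// driver properties that load classes or run SQL`.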


@@ -6,6 +6,7 @@ import lombok.Data;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;
@@ -14,27 +15,49 @@ import java.util.List;
public class Impala extends DatasourceConfiguration {
private String driver = "com.cloudera.impala.jdbc.Driver";
private String extraParams = "";
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations");
private List<String> illegalParameters = Arrays.asList(
// 原有非法参数
"autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations",
// 新增Kerberos认证相关危险参数漏洞利用核心参数
"krbJAASFile", "KrbJAASFile", "krb5.conf", "Krb5Conf",
// 新增JDNI/反序列化相关危险参数
"jndi", "JNDI", "java.naming.factory.initial", "java.naming.provider.url",
// 新增其他JDBC危险参数
"connectionProperties", "ConnectionProperties", "initSQL", "InitSQL"
);
private List<String> showTableSqls = Arrays.asList("show tables");
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")) {
for (String illegalParameter : illegalParameters) {
if (URLDecoder.decode(getJdbcUrl()).toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
if (!getJdbcUrl().startsWith("jdbc:impala")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
if(StringUtils.isEmpty(extraParams.trim())){
return "jdbc:impala://HOSTNAME:PORT/DATABASE"
String jdbcUrl = "";
if (StringUtils.isEmpty(extraParams.trim())) {
jdbcUrl = "jdbc:impala://HOSTNAME:PORT/DATABASE"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
}else {
return "jdbc:impala://HOSTNAME:PORT/DATABASE;EXTRA_PARAMS"
} else {
jdbcUrl = "jdbc:impala://HOSTNAME:PORT/DATABASE;EXTRA_PARAMS"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("EXTRA_PARAMS", getExtraParams().trim());
}
for (String illegalParameter : illegalParameters) {
if (URLDecoder.decode(jdbcUrl).toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())) {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
return jdbcUrl;
}
}
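Review bot: On line 84 the second operand, `URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())`, is subsumed by the lowercased first operand and looks like residue of line 57, where the corresponding operand checks `getExtraParams()` without lowercasing it, so only the exact casings listed are caught there (`AUTODESERIALIZE` is not). I would lowercase both sides on line 57, `URLDecoder.decode(getExtraParams()).toLowerCase().contains(illegalParameter.toLowerCase())`, drop the duplicate on line 84, and then remove the mixed-case duplicates added on lines 46–50 (`KrbJAASFile`, `JNDI`, `ConnectionProperties`, `InitSQL`), which the lowercased comparison already covers. `URLDecoder.decode(String)` is deprecated because it decodes with the platform default charset, and it can throw `IllegalArgumentException` on a malformed `%xx` sequence in the user-supplied URL, which here would surface as an unhandled exception instead of the `DEException` the rest of the method raises; prefer `URLDecoder.decode(s, StandardCharsets.UTF_8)` (adding the import) and handle the malformed case explicitly. Whether a single decode matches how the Impala driver itself interprets the URL I cannot tell from here; if the driver does not percent-decode, the raw string needs checking as well.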