fix: 【数据源】jdbc 漏洞

taojinlong
2025-10-30 18:18:31 +08:00
committed by taojinlong
parent 2662ee2475
commit 7b68eb3dfc


@@ -16,14 +16,16 @@ import java.util.regex.Pattern;
public class Oracle extends DatasourceConfiguration {
private String driver = "oracle.jdbc.driver.OracleDriver";
private String extraParams = "";
private List<String> getIllegalParameters = Arrays.asList(
// 原有参数如RMI相关
"java.naming.factory.initial", "java.naming.provider.url", "rmi",
// 新增LDAP协议及相关危险参数
"ldap://", "ldaps://", "java.naming.factory.object", "java.naming.factory.state",
// 其他JDBC危险参数
"autoDeserialize", "connectionProperties", "initSQL", "dns", "file", "ftp"
);
private List<String> getOracleIllegalParameters() {
return Arrays.asList(
// 原有参数如RMI相关
"java.naming.factory.initial", "java.naming.provider.url", "rmi",
// 新增LDAP协议及相关危险参数
"ldap://", "ldaps://", "java.naming.factory.object", "java.naming.factory.state",
// 其他JDBC危险参数
"autoDeserialize", "connectionProperties", "initSQL", "dns", "file", "ftp"
);
}
public String getJdbc() {
@@ -31,7 +33,7 @@ public class Oracle extends DatasourceConfiguration {
if (!getJdbcUrl().startsWith("jdbc:oracle")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
for (String illegalParameter : getIllegalParameters()) {
for (String illegalParameter : getOracleIllegalParameters()) {
if (getJdbcUrl().toLowerCase().contains(illegalParameter.toLowerCase())) {
DEException.throwException("Illegal jdbcUrl: " + illegalParameter);
}
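Review bot: The comparison `if (getJdbcUrl().toLowerCase().contains(illegalParameter.toLowerCase()))` in the second hunk folds case with the JVM's default locale, so on a locale with special casing rules (Turkish, for example) an upper-case spelling of a listed name may not match its lower-cased form and would pass the check. Compute `String url = getJdbcUrl().toLowerCase(Locale.ROOT);` once before the loop and test `url.contains(illegalParameter.toLowerCase(Locale.ROOT))` inside it; this needs `java.util.Locale`, whose import is not visible in the hunk. Separately, the list is matched as raw substrings, so short entries such as `"file"`, `"dns"` and `"rmi"` also reject a URL whose host or service name merely contains those letters, and a denylist cannot cover parameters it does not name; parsing the parameters and accepting only known-safe keys would be sturdier. Only `getJdbcUrl()` is checked in the visible lines, and `getJdbc()` starts and ends outside the hunk, so whether `extraParams` goes through the same check should be confirmed. `getOracleIllegalParameters()` in the first hunk builds a new list on every call and could instead return a `private static final List<String>` constant.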