fix: 【漏洞】修复拒绝服务(正则表达式问题)

core/core-backend/src/main/java/io/dataease/commons/utils/DeSqlparserUtils.java

@@ -196,13 +196,7 @@ public class DeSqlparserUtils {
                     }
                 }
 
-                Pattern patternCross = Pattern.compile("(`.*?`)");
-                Matcher matcherCross = patternCross.matcher(sql);
-                while (matcherCross.find()) {
-                    String group = matcherCross.group();
-                    String info = group.substring(1, group.length() - 1);
-                    sql = sql.replaceAll(group, prefix + info + suffix);
-                }
+                sql = replaceQuotedIdentifiers(sql, prefix, suffix);
             }
         } catch (Exception e) {
             e.printStackTrace();
@@ -498,6 +492,18 @@ public class DeSqlparserUtils {
     private record LiteralSegment(boolean variable, String content) {
     }
 
+    private String replaceQuotedIdentifiers(String sql, String prefix, String suffix) {
+        Matcher matcher = Pattern.compile("(`.*?`)").matcher(sql);
+        StringBuilder builder = new StringBuilder();
+        while (matcher.find()) {
+            String group = matcher.group();
+            String info = group.substring(1, group.length() - 1);
+            matcher.appendReplacement(builder, Matcher.quoteReplacement(prefix + info + suffix));
+        }
+        matcher.appendTail(builder);
+        return builder.toString();
+    }
+
     private PreparedSqlFragment buildPreparedSysSqlFragment(String sysVariableId, boolean inOperator) {
         SysVariableBinding sysVariableBinding = resolveSysVariableBinding(sysVariableId, inOperator);
         if (sysVariableBinding == null || CollectionUtils.isEmpty(sysVariableBinding.values())) {

core/core-backend/src/main/java/io/dataease/commons/utils/SqlparserUtils.java

@@ -157,13 +157,7 @@ public class SqlparserUtils {
                     }
                 }
 
-                Pattern pattern = Pattern.compile("(`.*?`)");
-                Matcher matcher = pattern.matcher(sql);
-                while (matcher.find()) {
-                    String group = matcher.group();
-                    String info = group.substring(1, group.length() - 1);
-                    sql = sql.replaceAll(group, prefix + info + suffix);
-                }
+                sql = replaceQuotedIdentifiers(sql, prefix, suffix);
             }
             this.removeSysParams = true;
             sql = removeVariables(sql, ds.getType());
@@ -982,6 +976,18 @@ public class SqlparserUtils {
     private record LiteralSegment(boolean variable, String content) {
     }
 
+    private String replaceQuotedIdentifiers(String sql, String prefix, String suffix) {
+        Matcher matcher = Pattern.compile("(`.*?`)").matcher(sql);
+        StringBuilder builder = new StringBuilder();
+        while (matcher.find()) {
+            String group = matcher.group();
+            String info = group.substring(1, group.length() - 1);
+            matcher.appendReplacement(builder, Matcher.quoteReplacement(prefix + info + suffix));
+        }
+        matcher.appendTail(builder);
+        return builder.toString();
+    }
+
     private String handleSubstitutedSql(String sql) {
         if (sql.contains(SysParamsSubstitutedParams) && userEntity != null) {
             Matcher matcher = Pattern.compile(Pattern.quote(SysParamsSubstitutedParams) + "([A-Za-z0-9_.]+)").matcher(sql);