merge Dev (#18021)

* fix(X-Pack): 设置动态访问路径后导出pdf失败 #12945 * fix(X-Pack): 使用 Redis 作为缓存中间件开启禁止多端登录导致第三方认证报错 (#14054) * fix: 数据源修复mysql、Redshift远程代码执行漏洞 * chore: 更新版本到v1.18.27 * fix(仪表板): 修复社区版的新建用户无创建仪表板权限问题 #13439 * feat(X-Pack): 数据填报表单下拉框增加返回条数1000条限制，并支持关键词搜索 #14136 * fix: 修复Mysql JDBC 连接参数未验证导致任意文件读取漏洞 * fix(仪表板): 修复部分仪表板可能无法打开问题 * Revise DataEase V1 maintenance notice in README (#16843) Updated the README to reflect the end of maintenance for DataEase V1. * fix(过滤组件): V1版本时间查询组件，动态时间，移动端日期显示不正常。 #17347 * fix(数据集): 修复api数据源中，json格式字段保存为不标准json格式，导致无法通过计算字段的函数解析 #17772 * fix(漏洞): 升级shiro 1.12.0 * chore: 更新版本到v1.18.28 * Fix typo in 'truncate' in CHECK_INJECT_PATTERN --------- Co-authored-by: fit2cloud-chenyw <yawen.chen@fit2cloud.com> Co-authored-by: ulleo <ulleo.wang@gmail.com> Co-authored-by: fit2cloud-chenyw <67260074+fit2cloud-chenyw@users.noreply.github.com> Co-authored-by: taojinlong <jinlong@fit2cloud.com> Co-authored-by: wangjiahao <1522128093@qq.com> Co-authored-by: maninhill <41712985+maninhill@users.noreply.github.com> Co-authored-by: dataeaseShu <tong.shu@fit2cloud.com>
2026-06-10 05:36:54 +08:00 · 2026-03-05 04:53:11 +08:00
parent 038ee081d9
commit a31f180e15
1 changed files with 1 additions and 1 deletions
--- a/sdk/dataease-plugin-datasource/src/main/java/io/dataease/plugins/datasource/provider/DefaultExtDDLProvider.java
+++ b/sdk/dataease-plugin-datasource/src/main/java/io/dataease/plugins/datasource/provider/DefaultExtDDLProvider.java
@@ -10,7 +10,7 @@ import java.util.regex.Pattern;

 public class DefaultExtDDLProvider extends ExtDDLProvider {

-    private final Pattern CHECK_INJECT_PATTERN = Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");
+    private final Pattern CHECK_INJECT_PATTERN = Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)|(.*\\b(select|update|union|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");

    @Override
    public boolean checkSqlInjection(String sql) {