From a31f180e15fb09a5da5746f85cf2856b409f0814 Mon Sep 17 00:00:00 2001
From: xuwei-fit2cloud
Date: Thu, 5 Mar 2026 04:53:11 +0800
Subject: [PATCH] merge Dev (#18021)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(X-Pack): 设置动态访问路径后导出pdf失败 #12945
* fix(X-Pack): 使用 Redis 作为缓存中间件开启禁止多端登录导致第三方认证报错 (#14054)
* fix: 数据源修复mysql、Redshift远程代码执行漏洞
* chore: 更新版本到v1.18.27
* fix(仪表板): 修复社区版的新建用户无创建仪表板权限问题 #13439
* feat(X-Pack): 数据填报表单下拉框增加返回条数1000条限制,并支持关键词搜索 #14136
* fix: 修复Mysql JDBC 连接参数未验证导致任意文件读取漏洞
* fix(仪表板): 修复部分仪表板可能无法打开问题
* Revise DataEase V1 maintenance notice in README (#16843) Updated the README to reflect the end of maintenance for DataEase V1.
* fix(过滤组件): V1版本 时间查询组件,动态时间,移动端日期显示不正常。 #17347
* fix(数据集): 修复api数据源中,json格式字段保存为不标准json格式,导致无法通过计算字段的函数解析 #17772
* fix(漏洞): 升级shiro 1.12.0
* chore: 更新版本到v1.18.28
* Fix typo in 'truncate' in CHECK_INJECT_PATTERN
---------
Co-authored-by: fit2cloud-chenyw
Co-authored-by: ulleo
Co-authored-by: fit2cloud-chenyw <67260074+fit2cloud-chenyw@users.noreply.github.com>
Co-authored-by: taojinlong
Co-authored-by: wangjiahao <1522128093@qq.com>
Co-authored-by: maninhill <41712985+maninhill@users.noreply.github.com>
Co-authored-by: dataeaseShu
---
 .../plugins/datasource/provider/DefaultExtDDLProvider.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sdk/dataease-plugin-datasource/src/main/java/io/dataease/plugins/datasource/provider/DefaultExtDDLProvider.java b/sdk/dataease-plugin-datasource/src/main/java/io/dataease/plugins/datasource/provider/DefaultExtDDLProvider.java
index 3e33e7fa9a..2f61f59000 100644
--- a/sdk/dataease-plugin-datasource/src/main/java/io/dataease/plugins/datasource/provider/DefaultExtDDLProvider.java
+++ b/sdk/dataease-plugin-datasource/src/main/java/io/dataease/plugins/datasource/provider/DefaultExtDDLProvider.java
@@ -10,7 +10,7 @@ import java.util.regex.Pattern;
 
 public class DefaultExtDDLProvider extends ExtDDLProvider {
 
-    private final Pattern CHECK_INJECT_PATTERN = Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");
+    private final Pattern CHECK_INJECT_PATTERN = Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)|(.*\\b(select|update|union|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");
 
     @Override
     public boolean checkSqlInjection(String sql) {
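Review bot: The corrected pattern on the `+` line is still compiled without `Pattern.CASE_INSENSITIVE`, so `TRUNCATE`, `Select` or mixed-case spellings of any keyword in the `\b(select|...|truncate|...)\b` group do not match unless checkSqlInjection lower-cases its input before matching — that method's body lies outside the hunk, so this is hedged; if it does not, `Pattern.compile("...", Pattern.CASE_INSENSITIVE)` closes the gap for every keyword rather than only the one the typo fix restores. The field should also be `private static final Pattern CHECK_INJECT_PATTERN = ...`: a compiled `Pattern` is immutable and thread-safe, and recompiling this large alternation per DefaultExtDDLProvider instance is wasted work (the UPPER_SNAKE name already reads as a constant). `into` appears twice in the keyword group, which is harmless but suggests the list has not been reviewed as a whole. A keyword denylist with `.*` on both sides of every alternative is a weak control by itself and the overlapping `.*\w+` quantifiers look likely to back-track heavily on long inputs, so a comment on the field such as `// Defence-in-depth only: parameterised queries / allow-listed identifiers remain the primary control` would set expectations for the next maintainer.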