fix: 【漏洞】CalciteProvider.java SQL注入漏洞

2026-06-12 16:31:11 +08:00 · 2026-06-10 11:42:51 +08:00
parent 5ee1ac4f0d
commit b2333adadc
1 changed files with 2 additions and 0 deletions
--- a/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
@@ -840,6 +840,8 @@ public class DatasourceServer implements DatasourceApi {
    public List<TableField> getTableField(Map<String, String> req) throws DEException {
        String tableName = req.get("tableName");
        String datasourceId = req.get("datasourceId");
+        // check table name
+        datasetCacheManage.validateTable(Long.valueOf(datasourceId), tableName);
        DatasetTableDTO datasetTableDTO = new DatasetTableDTO();
        datasetTableDTO.setDatasourceId(Long.valueOf(datasourceId));
        if (!getTables(datasetTableDTO).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains(tableName)) {