fix: 修复 jdbc 漏洞

This commit is contained in:
taojinlong
2025-09-25 12:02:57 +08:00
committed by taojinlong
parent d87264ab2d
commit bb320e42bf
4 changed files with 32 additions and 22 deletions


@@ -35,31 +35,32 @@ public class Db2 extends DatasourceConfiguration {
}
return getJdbcUrl();
}
String url = "";
if (StringUtils.isEmpty(extraParams.trim())) {
if (StringUtils.isEmpty(getSchema())) {
return "jdbc:db2://HOSTNAME:PORT/DATABASE"
url = "jdbc:db2://HOSTNAME:PORT/DATABASE"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
} else {
return "jdbc:db2://HOSTNAME:PORT/DATABASE:currentSchema=SCHEMA;"
url = "jdbc:db2://HOSTNAME:PORT/DATABASE:currentSchema=SCHEMA;"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("SCHEMA", getSchema().trim());
}
} else {
String url = "jdbc:db2://HOSTNAME:PORT/DATABASE:EXTRA_PARAMS"
url = "jdbc:db2://HOSTNAME:PORT/DATABASE:EXTRA_PARAMS"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("EXTRA_PARAMS", getExtraParams().trim());
for (String illegalParameter : illegalParameters) {
if (url.toLowerCase().contains(illegalParameter.toLowerCase())) {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
return url;
}
for (String illegalParameter : illegalParameters) {
if (url.toLowerCase().contains(illegalParameter.toLowerCase())) {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
return url;
}
}
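Review bot: The illegal-parameter loop that now sits at the end of the method only screens the URL assembled from host, port, database and schema, because the `return getJdbcUrl();` branch near the top of the hunk exits before reaching it; whether that user-supplied URL is screened separately is above the hunk and not visible here, so it is worth confirming. The screening is a plain lowercase substring match, whereas the Sqlserver change in this same commit decodes the URL before comparing; a percent-encoded key in the extra parameters passes this check and would only be caught if the driver does not decode property values, which cannot be verified from this hunk. Aligning the two is one line, `String probe = URLDecoder.decode(url, StandardCharsets.UTF_8).toLowerCase();` followed by `if (probe.contains(illegalParameter.toLowerCase()))`, with the two imports added at the top of the file. The start of the method lies outside the hunk.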


@@ -22,8 +22,8 @@ public class H2 extends DatasourceConfiguration {
DEException.throwException("Has illegal parameter: " + jdbc);
}
}
if (StringUtils.isNotEmpty(getJdbcUrl()) && !getJdbcUrl().startsWith("jdbc:h2")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
if (StringUtils.isNotEmpty(jdbc) && !jdbc.startsWith("jdbc:h2")) {
DEException.throwException("Illegal jdbcUrl: " + jdbc);
}
return jdbc;
}
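Review bot: `jdbc.startsWith("jdbc:h2")` lacks the trailing colon, so any value whose scheme merely begins with those letters satisfies the prefix check; `if (StringUtils.isNotEmpty(jdbc) && !jdbc.startsWith("jdbc:h2:")) {` is the tighter form. The change is otherwise sound in that the prefix check now inspects the same `jdbc` value that the illegal-parameter loop above screens and that the method returns, rather than re-reading the raw getter. How `jdbc` is derived from getJdbcUrl() is above the hunk, and the enclosing method starts outside it.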


@@ -18,29 +18,30 @@ public class Mongo extends DatasourceConfiguration {
private List<String> showTableSqls = Arrays.asList("show tables");
public String getJdbc() {
if(StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")){
if (StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")) {
if (!getJdbcUrl().startsWith("jdbc:mysql")) {
DEException.throwException("Illegal jdbcUrl: " + getJdbcUrl());
}
return getJdbcUrl();
}
String jdbcUrl = "";
if (StringUtils.isEmpty(extraParams.trim())) {
return "jdbc:mysql://HOSTNAME:PORT/DATABASE"
jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
} else {
for (String illegalParameter : illegalParameters) {
if (getExtraParams().contains(illegalParameter)) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("EXTRA_PARAMS", getExtraParams().trim());
}
for (String illegalParameter : illegalParameters) {
if (jdbcUrl.contains(illegalParameter)) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return jdbcUrl;
}
}
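Review bot: The relocated check `if (jdbcUrl.contains(illegalParameter))` is case-sensitive and does no decoding, unlike the Db2 and Sqlserver hunks in this commit, so the same blocklist is enforced unevenly across drivers; if the MySQL driver matches property names case-insensitively (not verifiable here), a differently-cased key slips past this loop. `if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase()))` matches the Db2 form. The rejection still uses `throw new RuntimeException(...)` while the prefix check earlier in the same method uses `DEException.throwException(...)`; `DEException.throwException("Illegal parameter: " + illegalParameter);` keeps the error path uniform. The class is named Mongo yet builds and validates `jdbc:mysql` URLs, which deserves a one-line comment on getJdbc() explaining the reason, presumably a MySQL-protocol gateway, so the prefix check is not mistaken for a bug.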


@@ -6,6 +6,7 @@ import lombok.Data;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
@@ -25,18 +26,25 @@ public class Sqlserver extends DatasourceConfiguration {
}
return getJdbcUrl();
}
String jdbcUrl = "";
if (StringUtils.isEmpty(extraParams.trim())) {
return "jdbc:sqlserver://HOSTNAME:PORT;DatabaseName=DATABASE"
jdbcUrl = "jdbc:sqlserver://HOSTNAME:PORT;DatabaseName=DATABASE"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
} else {
return "jdbc:sqlserver://HOSTNAME:PORT;DatabaseName=DATABASE;EXTRA_PARAMS"
jdbcUrl = "jdbc:sqlserver://HOSTNAME:PORT;DatabaseName=DATABASE;EXTRA_PARAMS"
.replace("HOSTNAME", getLHost().trim())
.replace("PORT", getLPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("EXTRA_PARAMS", getExtraParams().trim());
}
for (String illegalParameter : illegalParameters) {
if (URLDecoder.decode(jdbcUrl).toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())) {
DEException.throwException("Illegal parameter: " + illegalParameter);
}
}
return jdbcUrl;
}
private static final Pattern DB_NAME_PATTERN = Pattern.compile(";databaseName=([^;]+)");
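Review bot: `URLDecoder.decode(jdbcUrl)` is the deprecated single-argument overload that decodes with the platform default charset, and it throws IllegalArgumentException on a malformed percent sequence such as a lone `%` in a parameter value, which would surface as an unhandled exception rather than the DEException the loop intends. The second disjunct `URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())` is subsumed by the first, which compares lowercase against lowercase, so it can be dropped. Decoding once and reusing the result is clearer: `String probe = URLDecoder.decode(jdbcUrl, StandardCharsets.UTF_8).toLowerCase();` then `if (probe.contains(illegalParameter.toLowerCase()))`, with `java.nio.charset.StandardCharsets` added to the import block in the earlier hunk. A single decode pass also leaves doubly-encoded input un-normalised; rejecting any `%` that remains after decoding, or decoding until the string stops changing, closes that gap. The method starts above the hunk, and DB_NAME_PATTERN on the last line is unrelated context.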