public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-06-14 17:51:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 数据源修复mysql、Redshift远程代码执行漏洞

Browse Source
This commit is contained in:
taojinlong
2024-12-16 17:50:55 +08:00
committed by xuwei-fit2cloud
parent e63bae82a3
commit bc52e142a1
3 changed files with 37 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
core/backend/src/main/java/io/dataease/dto/datasource/MysqlConfiguration.java
View File

@@ -19,24 +19,25 @@ public class MysqlConfiguration extends JdbcConfiguration {
private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath");
public String getJdbc() {
String jdbcUrl = "";
if (StringUtils.isEmpty(extraParams.trim())) {
return "jdbc:mysql://HOSTNAME:PORT/DATABASE".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim());
jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim());
} else {
for (String illegalParameter : getIllegalParameters()) {
if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim()).replace("EXTRA_PARAMS", getExtraParams().trim());
jdbcUrl = "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim()).replace("EXTRA_PARAMS", getExtraParams().trim());
}
for (String illegalParameter : getIllegalParameters()) {
if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return jdbcUrl;
}
public List<String> getIllegalParameters(){
public List<String> getIllegalParameters() {
List<String> newIllegalParameters = new ArrayList<>();
newIllegalParameters.addAll(illegalParameters);
newIllegalParameters.addAll(Arrays.asList("allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath"));
return newIllegalParameters;
}
}
}

20
core/backend/src/main/java/io/dataease/dto/datasource/PgConfiguration.java
View File

@@ -19,31 +19,33 @@ public class PgConfiguration extends JdbcConfiguration {
public String getJdbc() {
String jdbcUrl = "";
if (StringUtils.isEmpty(extraParams.trim())) {
if (StringUtils.isEmpty(getSchema())) {
return "jdbc:postgresql://HOSTNAME:PORT/DATABASE"
jdbcUrl = "jdbc:postgresql://HOSTNAME:PORT/DATABASE"
.replace("HOSTNAME", getHost().trim())
.replace("PORT", getPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
} else {
return "jdbc:postgresql://HOSTNAME:PORT/DATABASE?currentSchema=SCHEMA"
jdbcUrl = "jdbc:postgresql://HOSTNAME:PORT/DATABASE?currentSchema=SCHEMA"
.replace("HOSTNAME", getHost().trim())
.replace("PORT", getPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("SCHEMA", getSchema().trim());
}
} else {
for (String illegalParameter : illegalParameters) {
if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return "jdbc:postgresql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
jdbcUrl = "jdbc:postgresql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
.replace("HOSTNAME", getHost().trim())
.replace("PORT", getPort().toString().trim())
.replace("DATABASE", getDataBase().trim())
.replace("EXTRA_PARAMS", getExtraParams().trim());
}
for (String illegalParameter : illegalParameters) {
if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(jdbcUrl).contains(illegalParameter.toLowerCase())) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return jdbcUrl;
}
}

18
core/backend/src/main/java/io/dataease/dto/datasource/RedshiftConfiguration.java
View File

@@ -4,17 +4,29 @@ import io.dataease.plugins.datasource.entity.JdbcConfiguration;
import lombok.Getter;
import lombok.Setter;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;
@Getter
@Setter
public class RedshiftConfiguration extends JdbcConfiguration {
private String driver = "com.amazon.redshift.jdbc42.Driver";
private List<String> illegalParameters = Arrays.asList("socketFactory", "socketFactoryArg", "sslfactory", "sslfactoryarg", "loggerLevel", "loggerFile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath");
public String getJdbc() {
// 连接参数先写死,后边要把编码、时区等参数放到数据源的设置中
return "jdbc:redshift://HOSTNAME:PORT/DATABASE"
String jdbcUrl = "jdbc:redshift://HOSTNAME:PORT/DATABASE"
.replace("HOSTNAME", getHost().trim())
.replace("PORT", getPort().toString().trim())
.replace("DATABASE", getDataBase().trim());
for (String illegalParameter : illegalParameters) {
if (jdbcUrl.toLowerCase().contains(illegalParameter.toLowerCase())) {
throw new RuntimeException("Illegal parameter: " + illegalParameter);
}
}
return jdbcUrl;
}
}
}