public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-06-12 16:31:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 【漏洞】CalciteProvider.java SQL注入漏洞

Browse Source
This commit is contained in:
junjun
2026-06-11 18:00:13 +08:00
committed by Junjun
parent 30b3c43175
commit bc7d2ca7b9
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
core/core-backend/src/main/java/io/dataease/dataset/manage/DatasetDataManage.java
View File

@@ -106,9 +106,11 @@ public class DatasetDataManage {
List<TableField> tableFields = null;
String type = datasetTableDTO.getType();
DatasetTableInfoDTO tableInfoDTO = JsonUtil.parseObject(datasetTableDTO.getInfo(), DatasetTableInfoDTO.class);
// check table name
datasetCacheManage.validateTable(datasetTableDTO.getDatasourceId(), tableInfoDTO.getTable());
if (StringUtils.equalsIgnoreCase(type, DatasetTableType.DB) || StringUtils.equalsIgnoreCase(type, DatasetTableType.SQL)) {
if (StringUtils.equalsIgnoreCase(type, DatasetTableType.DB)) {
// check table name
datasetCacheManage.validateTable(datasetTableDTO.getDatasourceId(), tableInfoDTO.getTable());
}
CoreDatasource coreDatasource = dataSourceManage.getCoreDatasource(datasetTableDTO.getDatasourceId());
DatasourceSchemaDTO datasourceSchemaDTO = new DatasourceSchemaDTO();
if (coreDatasource.getType().contains(DatasourceConfiguration.DatasourceType.Excel.name()) || coreDatasource.getType().contains(DatasourceConfiguration.DatasourceType.API.name())) {
@@ -179,6 +181,8 @@ public class DatasetDataManage {
datasourceRequest.setTable(datasetTableDTO.getTableName());
tableFields = provider.fetchTableField(datasourceRequest);
} else {
// check table name
datasetCacheManage.validateTable(datasetTableDTO.getDatasourceId(), tableInfoDTO.getTable());
// excel,api
CoreDatasource coreDatasource = engineManage.getDeEngine();
DatasourceSchemaDTO datasourceSchemaDTO = new DatasourceSchemaDTO();

2
core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
View File

@@ -840,8 +840,6 @@ public class DatasourceServer implements DatasourceApi {
public List<TableField> getTableField(Map<String, String> req) throws DEException {
String tableName = req.get("tableName");
String datasourceId = req.get("datasourceId");
// check table name
datasetCacheManage.validateTable(Long.valueOf(datasourceId), tableName);
DatasetTableDTO datasetTableDTO = new DatasetTableDTO();
datasetTableDTO.setDatasourceId(Long.valueOf(datasourceId));
if (!getTables(datasetTableDTO).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains(tableName)) {