fix: 【漏洞】fix SQL Injection in Datasource Save Flow

This commit is contained in:
taojinlong
2026-03-17 18:20:15 +08:00
committed by tjlygdx
parent f925f26042
commit e89059d88b
4 changed files with 22 additions and 2 deletions


@@ -3,9 +3,14 @@ package io.dataease.datasource.provider;
import io.dataease.datasource.dao.auto.entity.CoreDeEngine;
import io.dataease.datasource.request.EngineRequest;
import io.dataease.datasource.server.DatasourceServer;
import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.dto.TableField;
import org.apache.commons.lang3.StringUtils;
import java.util.List;
import java.util.regex.Pattern;
import static io.dataease.engine.utils.Utils.SQL_INJECTION_PATTERNS;
/**
* @Author gin
@@ -24,5 +29,15 @@ public abstract class EngineProvider {
public abstract String insertSql(String dsType, String tableName, DatasourceServer.UpdateType extractType, List<String[]> dataList, int page, int pageNumber, List<TableField> tableFields);
public static void validateSqlInjectionRisk(String value) {
String normalized = StringUtils.defaultString(value);
if (StringUtils.isEmpty(normalized)) {
return;
}
for (Pattern pattern : SQL_INJECTION_PATTERNS) {
if (pattern.matcher(normalized).find()) {
DEException.throwException("Illegal table name");
}
}
}
}
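Review bot: The new validateSqlInjectionRisk is a deny-list, so an identifier that avoids every listed token still reaches the string-built CREATE TABLE / CREATE VIEW templates unchanged — as far as the Utils list visible on this page shows, whitespace, parentheses and a `/* … */` comment opener are not rejected, and the keyword group omits e.g. `create`, `truncate`, `rename` and `grant`. For a table or view name an allow-list is both tighter and simpler: `private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");` and then `if (!IDENTIFIER.matcher(normalized).matches()) DEException.throwException("Illegal table name");` (64 is MySQL's identifier limit; widen if another engine needs it). The method is also reused for view names in MysqlEngineProvider but always reports "Illegal table name", so a one-line Javadoc stating that it accepts any SQL identifier and a message like "Illegal identifier" would help whoever hits it from createView. The empty-string early return on the third line presumably relies on a not-null check elsewhere; worth a comment saying so.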


@@ -78,6 +78,7 @@ public class H2EngineProvider extends EngineProvider {
@Override
public String createTableSql(String tableName, List<TableField> tableFields, CoreDeEngine engine) {
validateSqlInjectionRisk(tableName);
String dorisTableColumnSql = createTableSql(tableFields);
return creatTableSql.replace("TABLE_NAME", tableName).replace("Column_Fields", dorisTableColumnSql);
}
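Review bot: Only tableName is validated here; the column definitions produced by `createTableSql(tableFields)` on the following line are spliced into the same template via `.replace("Column_Fields", …)` and are not checked at all. Whether field names in tableFields can come from user-supplied data (dataset metadata, spreadsheet headers) cannot be told from this page, but if they can, a column name carrying a quote or a closing parenthesis reaches the DDL unchanged, which leaves the injection the commit title claims to fix half open. Either call `validateSqlInjectionRisk(field.getName())` for each field inside createTableSql(tableFields), or, better, enforce a strict identifier allow-list there and emit each column name quoted with the engine's identifier quote. The overload createTableSql(tableFields) is defined outside this hunk.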


@@ -4,11 +4,13 @@ package io.dataease.datasource.provider;
import io.dataease.dataset.utils.TableUtils;
import io.dataease.datasource.dao.auto.entity.CoreDeEngine;
import io.dataease.datasource.server.DatasourceServer;
import io.dataease.engine.utils.Utils;
import io.dataease.extensions.datasource.dto.TableField;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -28,6 +30,7 @@ public class MysqlEngineProvider extends EngineProvider {
@Override
public String createView(String name, String viewSQL) {
validateSqlInjectionRisk(name);
return "CREATE or replace view " + name + " AS (" + viewSQL + ")";
}
@@ -102,6 +105,7 @@ public class MysqlEngineProvider extends EngineProvider {
@Override
public String createTableSql(String tableName, List<TableField> tableFields, CoreDeEngine engine) {
validateSqlInjectionRisk(tableName);
String dorisTableColumnSql = createTableSql(tableFields);
return creatTableSql.replace("TABLE_NAME", tableName).replace("Column_Fields", dorisTableColumnSql);
}
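Review bot: createView in the first hunk validates name but still interpolates it bare into `"CREATE or replace view " + name + …`; since the first SQL_INJECTION_PATTERNS entry already rejects the backtick character, wrapping name in MySQL backtick quotes in that concatenation (one before name, one after) makes the identifier position safe regardless of which keywords the deny-list happens to cover, and stops the list from rejecting legitimately named views. viewSQL is appended verbatim and is not touched by this commit; if it originates from the dataset editor it is the larger attack surface on this line, and that cannot be judged from the hunk. The same tableName-validated-but-fields-not gap noted for H2EngineProvider applies to createTableSql in the second hunk, since `createTableSql(tableFields)` is spliced in unchecked.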


@@ -22,7 +22,7 @@ import java.util.regex.Pattern;
import java.util.stream.Collectors;
public class Utils {
private static final List<Pattern> SQL_INJECTION_PATTERNS = Arrays.asList(
public static final List<Pattern> SQL_INJECTION_PATTERNS = Arrays.asList(
Pattern.compile("[\\'\";`]"),
Pattern.compile("--\\s*|#"),
Pattern.compile("\\b(or|and|union|select|insert|delete|update|drop|alter|exec|xp_cmdshell)\\b", Pattern.CASE_INSENSITIVE),