diff --git a/core/core-backend/src/main/java/io/dataease/datasource/provider/EngineProvider.java b/core/core-backend/src/main/java/io/dataease/datasource/provider/EngineProvider.java
index 2b21ca4b1d..5eef1938d4 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/provider/EngineProvider.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/provider/EngineProvider.java
@@ -3,9 +3,14 @@ package io.dataease.datasource.provider;
 import io.dataease.datasource.dao.auto.entity.CoreDeEngine;
 import io.dataease.datasource.request.EngineRequest;
 import io.dataease.datasource.server.DatasourceServer;
+import io.dataease.exception.DEException;
 import io.dataease.extensions.datasource.dto.TableField;
+import org.apache.commons.lang3.StringUtils;
 import java.util.List;
+import java.util.regex.Pattern;
+
+import static io.dataease.engine.utils.Utils.SQL_INJECTION_PATTERNS;
 /**
 * @Author gin
@@ -24,5 +29,15 @@ public abstract class EngineProvider {
 public abstract String insertSql(String dsType, String tableName, DatasourceServer.UpdateType extractType, List dataList, int page, int pageNumber, List tableFields);
-
+ public static void validateSqlInjectionRisk(String value) {
+ String normalized = StringUtils.defaultString(value);
+ if (StringUtils.isEmpty(normalized)) {
+ return;
+ }
+ for (Pattern pattern : SQL_INJECTION_PATTERNS) {
+ if (pattern.matcher(normalized).find()) {
+ DEException.throwException("Illegal table name");
+ }
+ }
+ }
 }
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/provider/H2EngineProvider.java b/core/core-backend/src/main/java/io/dataease/datasource/provider/H2EngineProvider.java
index 3cbd11a3dd..f3d60fcfb8 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/provider/H2EngineProvider.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/provider/H2EngineProvider.java
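Review bot: `validateSqlInjectionRisk(String value)` is written as a general-purpose check but always fails with the message "Illegal table name", so the MysqlEngineProvider.createView call site that passes a view name (and any future caller) reports the wrong thing; an overload such as `public static void validateSqlInjectionRisk(String value, String message)`, with the existing signature delegating to it with "Illegal table name", keeps callers compatible while letting each name what was rejected. A denylist of regexes is also a weaker contract for an identifier than an allowlist: if the engine's generated table and view names are restricted to word characters, a single `^[A-Za-z0-9_]+$` check (constructed example) on the characters an identifier may contain is tighter and needs no keyword list to maintain. `StringUtils.defaultString(value)` is redundant since `StringUtils.isEmpty` already accepts null. The new public method has no Javadoc; a one-line summary stating that it throws through DEException when the value matches any pattern in Utils.SQL_INJECTION_PATTERNS, and that it is meant for identifiers rather than whole statements, would help callers. The enclosing class continues outside the hunk.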
@@ -78,6 +78,7 @@ public class H2EngineProvider extends EngineProvider {
 @Override
 public String createTableSql(String tableName, List tableFields, CoreDeEngine engine) {
+ validateSqlInjectionRisk(tableName);
 String dorisTableColumnSql = createTableSql(tableFields);
 return creatTableSql.replace("TABLE_NAME", tableName).replace("Column_Fields", dorisTableColumnSql);
 }
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/provider/MysqlEngineProvider.java b/core/core-backend/src/main/java/io/dataease/datasource/provider/MysqlEngineProvider.java
index 1758ef8cd5..edc9e50ca8 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/provider/MysqlEngineProvider.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/provider/MysqlEngineProvider.java
@@ -4,11 +4,13 @@ package io.dataease.datasource.provider;
 import io.dataease.dataset.utils.TableUtils;
 import io.dataease.datasource.dao.auto.entity.CoreDeEngine;
 import io.dataease.datasource.server.DatasourceServer;
+import io.dataease.engine.utils.Utils;
 import io.dataease.extensions.datasource.dto.TableField;
 import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -28,6 +30,7 @@ public class MysqlEngineProvider extends EngineProvider {
 @Override
 public String createView(String name, String viewSQL) {
+ validateSqlInjectionRisk(name);
 return "CREATE or replace view " + name + " AS (" + viewSQL + ")";
 }
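Review bot: In createView only `name` is validated; `viewSQL` is still concatenated verbatim into the CREATE statement on the next line. If viewSQL is produced entirely by the engine that is fine, but if any part of it can originate from a request the new check on the name does not cover it, so the method should say where viewSQL is expected to come from, e.g. `// TODO(review): confirm viewSQL is engine-generated; only name is validated here`. The `import io.dataease.engine.utils.Utils;` added in the import hunk above is not referenced by the changed lines, which call the inherited validateSqlInjectionRisk; if nothing else in the file uses it, the import is unused. createView is complete within the hunk.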
@@ -102,6 +105,7 @@ public class MysqlEngineProvider extends EngineProvider {
 @Override
 public String createTableSql(String tableName, List tableFields, CoreDeEngine engine) {
+ validateSqlInjectionRisk(tableName);
 String dorisTableColumnSql = createTableSql(tableFields);
 return creatTableSql.replace("TABLE_NAME", tableName).replace("Column_Fields", dorisTableColumnSql);
 }
diff --git a/core/core-backend/src/main/java/io/dataease/engine/utils/Utils.java b/core/core-backend/src/main/java/io/dataease/engine/utils/Utils.java
index 6fcf99b01c..c56b88a2d6 100644
--- a/core/core-backend/src/main/java/io/dataease/engine/utils/Utils.java
+++ b/core/core-backend/src/main/java/io/dataease/engine/utils/Utils.java
@@ -22,7 +22,7 @@ import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 public class Utils {
- private static final List SQL_INJECTION_PATTERNS = Arrays.asList(
+ public static final List SQL_INJECTION_PATTERNS = Arrays.asList(
 Pattern.compile("[\\'\";`]"),
 Pattern.compile("--\\s*|#"),
 Pattern.compile("\\b(or|and|union|select|insert|delete|update|drop|alter|exec|xp_cmdshell)\\b", Pattern.CASE_INSENSITIVE),
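Review bot: Making `SQL_INJECTION_PATTERNS` public exposes a list built with `Arrays.asList`, which is fixed-size but not immutable: any class can now call `set(...)` on it and replace a pattern, which would silently weaken validateSqlInjectionRisk for every caller. Since the list is only iterated, wrapping it — `Collections.unmodifiableList(Arrays.asList(` with a matching `java.util.Collections` import, or `List.of(` if the project's Java level allows it — keeps the same iteration with no mutation path. The for-each over `Pattern` in EngineProvider implies the real declaration is `List<Pattern>` and the type argument was lost in this rendering; keeping that type on the public field matters now that it is part of the class's API. A brief Javadoc stating that these are heuristic denylist patterns for identifiers, not a sanitizer for full statements, would stop future callers from relying on them beyond that. The field's initializer continues past the hunk.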