fix: 修复渗透测试种发现的 SQL 注入问题

2024-11-27 15:13:23 +08:00 · 2024-11-27 15:13:23 +08:00 · 1b636717e0
commit 1b636717e0
parent b99f64c352
1 changed files with 8 additions and 0 deletions
--- a/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
@ -672,6 +672,9 @@ public class DatasourceServer implements DatasourceApi {
    @Override
    public List<DatasetTableDTO> getTables(DatasetTableDTO datasetTableDTO) throws DEException {
        CoreDatasource coreDatasource = datasourceMapper.selectById(datasetTableDTO.getDatasourceId());
+        if (coreDatasource == null) {
+            DEException.throwException("无效数据源！");
+        }
        DatasourceDTO datasourceDTO = new DatasourceDTO();
        BeanUtils.copyBean(datasourceDTO, coreDatasource);
        DatasourceRequest datasourceRequest = new DatasourceRequest();
@ -698,6 +701,11 @@ public class DatasourceServer implements DatasourceApi {
    public List<TableField> getTableField(Map<String, String> req) throws DEException {
        String tableName = req.get("tableName");
        String datasourceId = req.get("datasourceId");
+        DatasetTableDTO datasetTableDTO = new DatasetTableDTO();
+        datasetTableDTO.setDatasourceId(Long.valueOf(datasourceId));
+        if (!getTables(datasetTableDTO).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains("tableName")) {
+            DEException.throwException("无效的表名！");
+        }
        CoreDatasource coreDatasource = datasourceMapper.selectById(datasourceId);
        DatasourceRequest datasourceRequest = new DatasourceRequest();
        datasourceRequest.setDatasource(transDTO(coreDatasource));