Merge pull request #7704 from dataease/pr@dev@fixSql

fix: 限制 mysql 非法参数
2024-01-18 17:56:19 +08:00 · 2024-01-18 17:56:19 +08:00 · 5109414512
commit 5109414512
parent e5a5d3d580 bb540e6dc8
1 changed files with 2 additions and 1 deletions
--- a/core/backend/src/main/java/io/dataease/dto/datasource/MysqlConfiguration.java
+++ b/core/backend/src/main/java/io/dataease/dto/datasource/MysqlConfiguration.java
@ -5,6 +5,7 @@ import lombok.Getter;
 import lombok.Setter;
 import org.apache.commons.lang3.StringUtils;
 import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@ -22,7 +23,7 @@ public class MysqlConfiguration extends JdbcConfiguration {
            return "jdbc:mysql://HOSTNAME:PORT/DATABASE".replace("HOSTNAME", getHost().trim()).replace("PORT", getPort().toString().trim()).replace("DATABASE", getDataBase().trim());
        } else {
            for (String illegalParameter : getIllegalParameters()) {
-                if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase())) {
+                if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
                    throw new RuntimeException("Illegal parameter: " + illegalParameter);
                }
            }