center/dataease-dm
center/dataease-dm
13
0
Fork 0
forked from github/dataease
Code Pull Requests Activity

Merge pull request #8648 from dataease/pr@dev-v2@fileddesc

Browse Source 
fix: 修复SQL注入漏洞
This commit is contained in:
taojinlong 2024-03-22 15:53:07 +08:00 committed by GitHub
commit 084d7a2ba5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
core/core-backend/src/main/java/io/dataease/datasource/provider/H2EngineProvider.java
View File

@ -14,6 +14,7 @@ import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Statement;
import java.util.Arrays;
import java.util.List;
@ -28,7 +29,9 @@ public class H2EngineProvider extends EngineProvider {
CoreDatasource datasource = new CoreDatasource();
BeanUtils.copyBean(datasource, engineRequest.getEngine());
try (Connection connection = getConnection(datasource); Statement stat = getStatement(connection, queryTimeout)) {
Boolean result = stat.execute(engineRequest.getQuery());
PreparedStatement preparedStatement = connection.prepareStatement(engineRequest.getQuery());
preparedStatement.setQueryTimeout(queryTimeout);
Boolean result = preparedStatement.execute();
} catch (Exception e) {
throw e;
}

5
core/core-backend/src/main/java/io/dataease/datasource/provider/MysqlEngineProvider.java
View File

@ -14,6 +14,7 @@ import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Statement;
import java.util.Arrays;
import java.util.List;
@ -32,7 +33,9 @@ public class MysqlEngineProvider extends EngineProvider {
CoreDatasource datasource = new CoreDatasource();
BeanUtils.copyBean(datasource, engineRequest.getEngine());
try (Connection connection = getConnection(datasource); Statement stat = getStatement(connection, queryTimeout)) {
Boolean result = stat.execute(engineRequest.getQuery());
PreparedStatement preparedStatement = connection.prepareStatement(engineRequest.getQuery());
preparedStatement.setQueryTimeout(queryTimeout);
Boolean result = preparedStatement.execute();
} catch (Exception e) {
throw e;
}