center/dataease-dm
center/dataease-dm
13
0
Fork 0
forked from github/dataease
Code Pull Requests Activity

Merge pull request #8609 from dataease/pr@dev-v2@fileddesc

Browse Source 
fix: DataEase 未授权漏洞
This commit is contained in:
taojinlong 2024-03-20 16:30:08 +08:00 committed by GitHub
commit 5e80af5fc9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
View File

@ -1,6 +1,7 @@
package io.dataease.utils; package io.dataease.utils;
import io.dataease.constant.AuthConstant; import io.dataease.constant.AuthConstant;
import io.dataease.exception.DEException;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.springframework.core.env.Environment; import org.springframework.core.env.Environment;
@ -44,6 +45,9 @@ public class WhitelistUtils {
"/"); "/");
public static boolean match(String requestURI) { public static boolean match(String requestURI) {
if (requestURI.contains(";") && !requestURI.contains("?")) {
DEException.throwException("Invalid uri: " + requestURI);
}
if (StringUtils.startsWith(requestURI, getContextPath())) { if (StringUtils.startsWith(requestURI, getContextPath())) {
requestURI = requestURI.replaceFirst(getContextPath(), ""); requestURI = requestURI.replaceFirst(getContextPath(), "");
} }