center/dataease-dm
center/dataease-dm
13
0
Fork 0
forked from github/dataease
Code Pull Requests Activity

fix: 修复SQL注入漏洞

Browse Source
This commit is contained in:
taojinlong 2024-03-22 15:51:04 +08:00
parent 49555ab90f
commit 65dd5eb9f8
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
core/core-backend/src/main/java/io/dataease/datasource/provider/H2EngineProvider.java
View File

@ -14,6 +14,7 @@ import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import java.sql.Connection; import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Statement; import java.sql.Statement;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
@ -28,7 +29,9 @@ public class H2EngineProvider extends EngineProvider {
CoreDatasource datasource = new CoreDatasource(); CoreDatasource datasource = new CoreDatasource();
BeanUtils.copyBean(datasource, engineRequest.getEngine()); BeanUtils.copyBean(datasource, engineRequest.getEngine());
try (Connection connection = getConnection(datasource); Statement stat = getStatement(connection, queryTimeout)) { try (Connection connection = getConnection(datasource); Statement stat = getStatement(connection, queryTimeout)) {
Boolean result = stat.execute(engineRequest.getQuery()); PreparedStatement preparedStatement = connection.prepareStatement(engineRequest.getQuery());
preparedStatement.setQueryTimeout(queryTimeout);
Boolean result = preparedStatement.execute();
} catch (Exception e) { } catch (Exception e) {
throw e; throw e;
} }

5
core/core-backend/src/main/java/io/dataease/datasource/provider/MysqlEngineProvider.java
View File

@ -14,6 +14,7 @@ import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import java.sql.Connection; import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Statement; import java.sql.Statement;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
@ -32,7 +33,9 @@ public class MysqlEngineProvider extends EngineProvider {
CoreDatasource datasource = new CoreDatasource(); CoreDatasource datasource = new CoreDatasource();
BeanUtils.copyBean(datasource, engineRequest.getEngine()); BeanUtils.copyBean(datasource, engineRequest.getEngine());
try (Connection connection = getConnection(datasource); Statement stat = getStatement(connection, queryTimeout)) { try (Connection connection = getConnection(datasource); Statement stat = getStatement(connection, queryTimeout)) {
Boolean result = stat.execute(engineRequest.getQuery()); PreparedStatement preparedStatement = connection.prepareStatement(engineRequest.getQuery());
preparedStatement.setQueryTimeout(queryTimeout);
Boolean result = preparedStatement.execute();
} catch (Exception e) { } catch (Exception e) {
throw e; throw e;
} }