fix: 漏洞修复

This commit is contained in:
taojinlong 2022-02-21 17:40:45 +08:00
parent fe01f43d8c
commit b636179f0c
5 changed files with 5 additions and 134 deletions


@ -31,7 +31,7 @@
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>30.1.1-jre</version>
<version>31.0.1-jre</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
@ -143,7 +143,7 @@
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.72</version>
<version>1.2.79</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>


@ -142,6 +142,9 @@ public class ExcelXlsxReader extends DefaultHandler {
stylesTable = xssfReader.getStylesTable();
SharedStringsTable sst = xssfReader.getSharedStringsTable();
XMLReader parser = XMLReaderFactory.createXMLReader("org.apache.xerces.parsers.SAXParser");
parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
this.sst = sst;
parser.setContentHandler(this);
XSSFReader.SheetIterator sheets = (XSSFReader.SheetIterator) xssfReader.getSheetsData();
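Review bot: The hardening on L36–L38 protects only the sheet XML that this SAXParser consumes; the `SharedStringsTable` and `StylesTable` obtained on L33–L34 were already parsed by POI's own XML reader before this code runs, so whether those parts of an uploaded workbook are equally protected depends on the POI version's defaults, which the hunk does not show. The intent also deserves a comment above L36, since the three feature URIs read as parser trivia: `// XXE hardening: the workbook is user-uploaded, so reject any DOCTYPE and never resolve external entities`. Because `createXMLReader` on L35 is pinned to `org.apache.xerces.parsers.SAXParser`, these Apache-specific feature names are recognized; if that class name ever changes, `setFeature` may throw `SAXNotRecognizedException`, and the enclosing method (which begins and ends outside this hunk) must let that propagate rather than catch-and-log it, otherwise the parser would silently run unhardened. If the project's POI version provides `XMLHelper.newXMLReader()`, it applies the same flags centrally and would keep this hardening from drifting out of sync with other parsers in the codebase.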


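--- a/io/dataease/commons/utils/ServiceUtils.java
+++ /dev/null
@@ -1,51 +0,0 @@
-package io.dataease.commons.utils;
-import io.dataease.commons.exception.DEException;
-import io.dataease.controller.request.BaseQueryRequest;
-import io.dataease.controller.request.OrderRequest;
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-public class ServiceUtils {
-public static List<OrderRequest> getDefaultOrder(List<OrderRequest> orders) {
-if (orders == null || orders.size() < 1) {
-OrderRequest orderRequest = new OrderRequest();
-orderRequest.setName("update_time");
-orderRequest.setType("desc");
-orders = new ArrayList<>();
-orders.add(orderRequest);
-return orders;
-}
-return orders;
-}
-/**
-* 获取前端全选的id列表
-* @param queryRequest 查询条件
-* @param func 查询id列表的数据库查询
-* @return
-*/
-public static<T> void getSelectAllIds( T batchRequest, BaseQueryRequest queryRequest, Function<BaseQueryRequest, List<String>> func) {
-if (queryRequest.isSelectAll()) {
-List<String> ids = func.apply(queryRequest);
-if (!ids.isEmpty()) {
-ids = ids.stream()
-.filter(id -> !queryRequest.getUnSelectIds().contains(id))
-.collect(Collectors.toList());
-}
-queryRequest.setIds(ids);
-try {
-Method setIds = batchRequest.getClass().getDeclaredMethod("setIds", List.class);
-setIds.invoke(batchRequest, ids);
-} catch (Exception e) {
-LogUtil.error(e.getMessage(), e);
-DEException.throwException("请求没有setIds方法");
-}
-}
-}
-}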


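--- a/io/dataease/controller/sys/I18nController.java
+++ /dev/null
@@ -1,58 +0,0 @@
-package io.dataease.controller.sys;
-import io.dataease.commons.constants.I18nConstants;
-import io.dataease.commons.exception.DEException;
-import io.dataease.commons.utils.LogUtil;
-import io.dataease.i18n.Lang;
-import io.dataease.i18n.Translator;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RestController;
-import springfox.documentation.annotations.ApiIgnore;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-/**
-* Created by liqiang on 2019/4/1.
-*/
-@ApiIgnore
-@RestController
-public class I18nController {
-private static final int FOR_EVER = 3600 * 24 * 30 * 12 * 10; //10 years in second
-@Value("${run.mode:release}")
-private String runMode;
-@GetMapping("lang/change/{lang}")
-public void changeLang(@PathVariable String lang, HttpServletRequest request, HttpServletResponse response) {
-Lang targetLang = Lang.getLangWithoutDefault(lang);
-if (targetLang == null) {
-response.setStatus(HttpServletResponse.SC_NOT_ACCEPTABLE);
-LogUtil.error("Invalid parameter: " + lang);
-DEException.throwException(Translator.get("error_lang_invalid"));
-}
-Cookie cookie = new Cookie(I18nConstants.LANG_COOKIE_NAME, targetLang.getDesc());
-cookie.setPath("/");
-cookie.setMaxAge(FOR_EVER);
-response.addCookie(cookie);
-//重新登录
-if ("release".equals(runMode)) {
-Cookie f2cCookie = new Cookie("DE_SESSION_ID", "deleteMe");
-f2cCookie.setPath("/");
-f2cCookie.setMaxAge(0);
-response.addCookie(f2cCookie);
-}
-//本地测试用
-if ("local".equals(runMode)) {
-if (request != null) {
-request.getSession(true).setAttribute(I18nConstants.LANG_COOKIE_NAME, lang);
-}
-}
-}
-}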


@ -2000,30 +2000,7 @@ public class DataSetTableService {
data.add(r);
}
}
} else if (StringUtils.equalsIgnoreCase(suffix, "csv")) {
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
String s = reader.readLine();// first line
String[] split = s.split(",");
for (String s1 : split) {
TableField tableField = new TableField();
tableField.setFieldName(s1);
tableField.setRemarks(s1);
tableField.setFieldType("TEXT");
fields.add(tableField);
}
int num = 1;
String line;
while ((line = reader.readLine()) != null) {
if (isPreview) {
if (num > 100) {
break;
}
}
data.add(line.split(","));
num++;
}
}
String[] fieldArray = fields.stream().map(TableField::getFieldName).toArray(String[]::new);
// 校验excel字段是否重名