REPORT-56220 数据连接越权漏洞修复

3 years ago · 83aa0647da
5 changed files with 15 additions and 3 deletions
--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java
@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;

 import com.fr.report.cell.cellattr.core.group.DSColumn;
+import org.jetbrains.annotations.Nullable;

 import java.util.Arrays;
 import java.util.HashSet;
@ -9,6 +10,7 @@ import java.util.Set;
 public class DSColumnAuthorityChecker extends ElementAuthorityChecker<DSColumn> {

    @Override
+    @Nullable
    Set<String> getNoAuthDatasetNames(DSColumn dsColumn, Set<String> authDatasetNames) {
        if (!authDatasetNames.contains(dsColumn.getDSName())) {
            return new HashSet<>(Arrays.asList(dsColumn.getDSName()));
--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java
@ -1,5 +1,6 @@
 package com.fr.design.mainframe.authority;

+import org.jetbrains.annotations.Nullable;
 import sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl;

 import java.lang.reflect.Type;
@ -15,10 +16,11 @@ public abstract class ElementAuthorityChecker<T> {
     * @param: authConnectionNames 有权限的数据连接名
     * @return 如果有返回名称，没有返回null
     */
+    @Nullable
    Set<String> getNoAuthConnectionNames(T t, Set<String> authConnectionNames) {
        return null;
    }
-    
+

    /**
     * @Description 获取越权的服务器数据集
@ -26,6 +28,7 @@ public abstract class ElementAuthorityChecker<T> {
     * @param: authDatasetNames 有权限的服务器数据集名
     * @return 如果有返回名称，没有返回null
     */
+    @Nullable
    Set<String> getNoAuthDatasetNames(T t, Set<String> authDatasetNames) {
        return null;
    }
--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/FormulaAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/FormulaAuthorityChecker.java
@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;

 import com.fr.base.Formula;
+import org.jetbrains.annotations.Nullable;

 import java.util.Arrays;
 import java.util.HashSet;
@ -9,11 +10,13 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;

 public class FormulaAuthorityChecker extends ElementAuthorityChecker<Formula> {
+    private static final Pattern FORMULA_PATTERN = Pattern.compile("^=SQL\\(\"(.+?)\",");
+
    @Override
+    @Nullable
    public Set<String> getNoAuthConnectionNames(Formula formula, Set<String> authConnectionNames) {
        String content = formula.getContent();
-        Pattern pattern = Pattern.compile("^=SQL\\(\"(.+?)\",");
-        Matcher matcher = pattern.matcher(content);
+        Matcher matcher = FORMULA_PATTERN.matcher(content);
        if (matcher.find()) {
            if (!authConnectionNames.contains(matcher.group(1))) {
                return new HashSet<>(Arrays.asList(matcher.group(1)));
--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java
@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;

 import com.fr.data.impl.NameDatabaseConnection;
+import org.jetbrains.annotations.Nullable;

 import java.util.Arrays;
 import java.util.HashSet;
@ -9,6 +10,7 @@ import java.util.stream.Collectors;

 public class NameDatabaseConnectionAuthorityChecker extends ElementAuthorityChecker<NameDatabaseConnection> {
    @Override
+    @Nullable
    Set<String> getNoAuthConnectionNames(NameDatabaseConnection nameDatabaseConnection, Set<String> authConnectionNames) {
        String name = nameDatabaseConnection.getName();
        if (!authConnectionNames.contains(name)) {
--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java
@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;

 import com.fr.data.impl.NameTableData;
+import org.jetbrains.annotations.Nullable;

 import java.util.Arrays;
 import java.util.HashSet;
@ -8,6 +9,7 @@ import java.util.Set;

 public class NameTableDataAuthorityChecker extends ElementAuthorityChecker<NameTableData> {
    @Override
+    @Nullable
    Set<String> getNoAuthDatasetNames(NameTableData nameTableData, Set<String> authDatasetNames) {
        if (!authDatasetNames.contains(nameTableData.getName())) {
            return new HashSet<>(Arrays.asList(nameTableData.getName()));