
REPORT-56220 数据连接越权漏洞修复

bugfix/11.0
Henry.Wang 3 years ago
parent
commit
83aa0647da
  1. 2
      designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java
  2. 3
      designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java
  3. 7
      designer-base/src/main/java/com/fr/design/mainframe/authority/FormulaAuthorityChecker.java
  4. 2
      designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java
  5. 2
      designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java

2
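--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java
@@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;
 import com.fr.report.cell.cellattr.core.group.DSColumn;
+import org.jetbrains.annotations.Nullable;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -9,6 +10,7 @@ import java.util.Set;
 public class DSColumnAuthorityChecker extends ElementAuthorityChecker<DSColumn> {
 @Override
+@Nullable
 Set<String> getNoAuthDatasetNames(DSColumn dsColumn, Set<String> authDatasetNames) {
 if (!authDatasetNames.contains(dsColumn.getDSName())) {
 return new HashSet<>(Arrays.asList(dsColumn.getDSName()));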

3
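--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java
@@ -1,5 +1,6 @@
 package com.fr.design.mainframe.authority;
+import org.jetbrains.annotations.Nullable;
 import sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl;
 import java.lang.reflect.Type;
@@ -15,6 +16,7 @@ public abstract class ElementAuthorityChecker<T> {
 * @param: authConnectionNames 有权限的数据连接名
 * @return 如果有返回名称没有返回null
 */
+@Nullable
 Set<String> getNoAuthConnectionNames(T t, Set<String> authConnectionNames) {
 return null;
 }
@@ -26,6 +28,7 @@ public abstract class ElementAuthorityChecker<T> {
 * @param: authDatasetNames 有权限的服务器数据集名
 * @return 如果有返回名称没有返回null
 */
+@Nullable
 Set<String> getNoAuthDatasetNames(T t, Set<String> authDatasetNames) {
 return null;
 }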
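Review bot: The `@Nullable` added to `getNoAuthConnectionNames` and `getNoAuthDatasetNames` documents that `null` is the "nothing unauthorized" answer, and because the base implementations `return null;`, any checker that does not override a method reports that dimension as authorized by default. For a permission check this default fails open, so the Javadoc should say explicitly that `null` means "authorized" and that subclasses must override the method for every resource type they can reference. If the callers (not visible here) allow it, returning `Collections.emptySet()` instead would remove the null handling altogether. The same contract is inherited by the overrides in DSColumnAuthorityChecker, FormulaAuthorityChecker, NameDatabaseConnectionAuthorityChecker and NameTableDataAuthorityChecker, which get the annotation in this commit. Separately, the import of `sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl` ties the class to a JDK-internal type that is not accessible on modular JDKs; `java.lang.reflect.ParameterizedType` is the supported interface.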

7
designer-base/src/main/java/com/fr/design/mainframe/authority/FormulaAuthorityChecker.java

@ -1,6 +1,7 @@
package com.fr.design.mainframe.authority; package com.fr.design.mainframe.authority;
import com.fr.base.Formula; import com.fr.base.Formula;
import org.jetbrains.annotations.Nullable;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashSet; import java.util.HashSet;
@ -9,11 +10,13 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
public class FormulaAuthorityChecker extends ElementAuthorityChecker<Formula> { public class FormulaAuthorityChecker extends ElementAuthorityChecker<Formula> {
private static final Pattern FORMULA_PATTERN = Pattern.compile("^=SQL\\(\"(.+?)\",");
@Override @Override
@Nullable
public Set<String> getNoAuthConnectionNames(Formula formula, Set<String> authConnectionNames) { public Set<String> getNoAuthConnectionNames(Formula formula, Set<String> authConnectionNames) {
String content = formula.getContent(); String content = formula.getContent();
Pattern pattern = Pattern.compile("^=SQL\\(\"(.+?)\","); Matcher matcher = FORMULA_PATTERN.matcher(content);
Matcher matcher = pattern.matcher(content);
if (matcher.find()) { if (matcher.find()) {
if (!authConnectionNames.contains(matcher.group(1))) { if (!authConnectionNames.contains(matcher.group(1))) {
return new HashSet<>(Arrays.asList(matcher.group(1))); return new HashSet<>(Arrays.asList(matcher.group(1)));
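Review bot: `FORMULA_PATTERN` is anchored with `^`, is case-sensitive, and captures only a quoted literal directly after `=SQL(`, so `getNoAuthConnectionNames` inspects at most one connection name and only when the formula text begins exactly that way. Any other form produces no match and, presumably (the rest of the method is outside this hunk), the `null` "authorized" result; whether the formula engine accepts other spellings is not visible here, but an authorization check should not be narrower than the parser it guards. Consider an unanchored pattern such as `Pattern.compile("SQL\\s*\\(\\s*\"(.+?)\"\\s*,", Pattern.CASE_INSENSITIVE)` iterated with `while (matcher.find())` so every call is checked, and report an `SQL` call whose first argument is not a plain literal as unauthorized rather than skipping it. `formula.getContent()` is also handed to `matcher()` without a null check.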

2
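--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java
@@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;
 import com.fr.data.impl.NameDatabaseConnection;
+import org.jetbrains.annotations.Nullable;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -9,6 +10,7 @@ import java.util.stream.Collectors;
 public class NameDatabaseConnectionAuthorityChecker extends ElementAuthorityChecker<NameDatabaseConnection> {
 @Override
+@Nullable
 Set<String> getNoAuthConnectionNames(NameDatabaseConnection nameDatabaseConnection, Set<String> authConnectionNames) {
 String name = nameDatabaseConnection.getName();
 if (!authConnectionNames.contains(name)) {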

2
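--- a/designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java
+++ b/designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java
@@ -1,6 +1,7 @@
 package com.fr.design.mainframe.authority;
 import com.fr.data.impl.NameTableData;
+import org.jetbrains.annotations.Nullable;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -8,6 +9,7 @@ import java.util.Set;
 public class NameTableDataAuthorityChecker extends ElementAuthorityChecker<NameTableData> {
 @Override
+@Nullable
 Set<String> getNoAuthDatasetNames(NameTableData nameTableData, Set<String> authDatasetNames) {
 if (!authDatasetNames.contains(nameTableData.getName())) {
 return new HashSet<>(Arrays.asList(nameTableData.getName()));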
