
REPORT-56220 数据连接越权漏洞修复

bugfix/11.0
Henry.Wang 3 years ago
parent
commit
83aa0647da
  1. 2
      designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java
  2. 5
      designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java
  3. 7
      designer-base/src/main/java/com/fr/design/mainframe/authority/FormulaAuthorityChecker.java
  4. 2
      designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java
  5. 2
      designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java

2
designer-base/src/main/java/com/fr/design/mainframe/authority/DSColumnAuthorityChecker.java

@ -1,6 +1,7 @@
package com.fr.design.mainframe.authority;
import com.fr.report.cell.cellattr.core.group.DSColumn;
import org.jetbrains.annotations.Nullable;
import java.util.Arrays;
import java.util.HashSet;
@ -9,6 +10,7 @@ import java.util.Set;
public class DSColumnAuthorityChecker extends ElementAuthorityChecker<DSColumn> {
@Override
@Nullable
Set<String> getNoAuthDatasetNames(DSColumn dsColumn, Set<String> authDatasetNames) {
if (!authDatasetNames.contains(dsColumn.getDSName())) {
return new HashSet<>(Arrays.asList(dsColumn.getDSName()));
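Review bot: `dsColumn.getDSName()` is read twice and never checked for null in `getNoAuthDatasetNames`. If a column can exist without a bound dataset, the call either throws from `contains(null)` (depending on the `Set` implementation passed in) or returns a one-element set holding `null`. Reading it once with `String name = dsColumn.getDSName();` and returning early when it is null would make the result well defined. The same lookup pattern appears in NameTableDataAuthorityChecker and NameDatabaseConnectionAuthorityChecker. The method body continues past the end of this hunk, so the fall-through return is not visible here.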

5
designer-base/src/main/java/com/fr/design/mainframe/authority/ElementAuthorityChecker.java

@ -1,5 +1,6 @@
package com.fr.design.mainframe.authority;
import org.jetbrains.annotations.Nullable;
import sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl;
import java.lang.reflect.Type;
@ -15,10 +16,11 @@ public abstract class ElementAuthorityChecker<T> {
* @param: authConnectionNames 有权限的数据连接名
* @return 如果有返回名称没有返回null
*/
@Nullable
Set<String> getNoAuthConnectionNames(T t, Set<String> authConnectionNames) {
return null;
}
/**
* @Description 获取越权的服务器数据集
@ -26,6 +28,7 @@ public abstract class ElementAuthorityChecker<T> {
* @param: authDatasetNames 有权限的服务器数据集名
* @return 如果有返回名称没有返回null
*/
@Nullable
Set<String> getNoAuthDatasetNames(T t, Set<String> authDatasetNames) {
return null;
}
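Review bot: The base implementations of `getNoAuthConnectionNames` and `getNoAuthDatasetNames` return `null`, and the Javadoc defines `null` as "nothing unauthorized", so an element type whose checker does not override one of them is silently treated as authorized. `@Nullable` documents the contract but leaves that fail-open default in place, so the Javadoc should state it, e.g. `Default: performs no check and returns null; subclasses must override for element types that reference a connection or dataset.` Since this class lives in designer-base, these checks presumably run in the designer client, so the server should enforce the same permissions independently. Separately, the `sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl` import in the first hunk is a JDK-internal class that java.base does not export on JDK 9 and later; `java.lang.reflect.ParameterizedType` is the supported interface.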

7
designer-base/src/main/java/com/fr/design/mainframe/authority/FormulaAuthorityChecker.java

@ -1,6 +1,7 @@
package com.fr.design.mainframe.authority;
import com.fr.base.Formula;
import org.jetbrains.annotations.Nullable;
import java.util.Arrays;
import java.util.HashSet;
@ -9,11 +10,13 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class FormulaAuthorityChecker extends ElementAuthorityChecker<Formula> {
private static final Pattern FORMULA_PATTERN = Pattern.compile("^=SQL\\(\"(.+?)\",");
@Override
@Nullable
public Set<String> getNoAuthConnectionNames(Formula formula, Set<String> authConnectionNames) {
String content = formula.getContent();
Pattern pattern = Pattern.compile("^=SQL\\(\"(.+?)\",");
Matcher matcher = pattern.matcher(content);
Matcher matcher = FORMULA_PATTERN.matcher(content);
if (matcher.find()) {
if (!authConnectionNames.contains(matcher.group(1))) {
return new HashSet<>(Arrays.asList(matcher.group(1)));
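Review bot: `FORMULA_PATTERN` only recognises a formula whose text begins exactly with `=SQL("name",`, and `matcher.find()` is called once. A `SQL(` call that is nested inside another function, written with different case or spacing, or repeated later in the same formula is therefore never compared against `authConnectionNames`. If the formula engine accepts any of those forms, the formula is presumably reported as authorized (the rest of the method is outside this hunk). Consider dropping the `^=` anchor, compiling with `Pattern.CASE_INSENSITIVE`, tolerating whitespace (`SQL\\s*\\(\\s*\"(.+?)\"\\s*,`) and collecting every name in a `while (matcher.find())` loop. A `SQL(` call whose first argument is not a string literal should be treated as unauthorized rather than ignored, and walking the parsed formula instead of its text would be more robust still.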

2
designer-base/src/main/java/com/fr/design/mainframe/authority/NameDatabaseConnectionAuthorityChecker.java

@ -1,6 +1,7 @@
package com.fr.design.mainframe.authority;
import com.fr.data.impl.NameDatabaseConnection;
import org.jetbrains.annotations.Nullable;
import java.util.Arrays;
import java.util.HashSet;
@ -9,6 +10,7 @@ import java.util.stream.Collectors;
public class NameDatabaseConnectionAuthorityChecker extends ElementAuthorityChecker<NameDatabaseConnection> {
@Override
@Nullable
Set<String> getNoAuthConnectionNames(NameDatabaseConnection nameDatabaseConnection, Set<String> authConnectionNames) {
String name = nameDatabaseConnection.getName();
if (!authConnectionNames.contains(name)) {

2
designer-base/src/main/java/com/fr/design/mainframe/authority/NameTableDataAuthorityChecker.java

@ -1,6 +1,7 @@
package com.fr.design.mainframe.authority;
import com.fr.data.impl.NameTableData;
import org.jetbrains.annotations.Nullable;
import java.util.Arrays;
import java.util.HashSet;
@ -8,6 +9,7 @@ import java.util.Set;
public class NameTableDataAuthorityChecker extends ElementAuthorityChecker<NameTableData> {
@Override
@Nullable
Set<String> getNoAuthDatasetNames(NameTableData nameTableData, Set<String> authDatasetNames) {
if (!authDatasetNames.contains(nameTableData.getName())) {
return new HashSet<>(Arrays.asList(nameTableData.getName()));
