【漏洞处理】freemarker模板注入问题 禁止解析ObjectConstructor,Execute

(提示:部分依赖尚未上传maven官仓,依赖下载失败请配置jeecg私服)
dev
zhangdaiscott 2 years ago
parent 20889e8724
commit acb48179ab

@ -34,11 +34,11 @@ public class FreemarkerParseFactory {
/** /**
* *
*/ */
private static final Configuration TPL_CONFIG = new Configuration(); private static final Configuration TPL_CONFIG = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);
/** /**
* SQL * SQL
*/ */
private static final Configuration SQL_CONFIG = new Configuration(); private static final Configuration SQL_CONFIG = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);
private static StringTemplateLoader stringTemplateLoader = new StringTemplateLoader(); private static StringTemplateLoader stringTemplateLoader = new StringTemplateLoader();
@ -47,8 +47,7 @@ public class FreemarkerParseFactory {
.compile("(?ms)/\\*.*?\\*/|^\\s*//.*?$"); .compile("(?ms)/\\*.*?\\*/|^\\s*//.*?$");
static { static {
TPL_CONFIG.setClassForTemplateLoading( TPL_CONFIG.setClassForTemplateLoading(new FreemarkerParseFactory().getClass(), "/");
new FreemarkerParseFactory().getClass(), "/");
TPL_CONFIG.setNumberFormat("0.#####################"); TPL_CONFIG.setNumberFormat("0.#####################");
SQL_CONFIG.setTemplateLoader(stringTemplateLoader); SQL_CONFIG.setTemplateLoader(stringTemplateLoader);
SQL_CONFIG.setNumberFormat("0.#####################"); SQL_CONFIG.setNumberFormat("0.#####################");
@ -57,6 +56,7 @@ public class FreemarkerParseFactory {
//update-begin-author:taoyan date:2022-8-10 for: freemarker模板注入问题 禁止解析ObjectConstructorExecute和freemarker.template.utility.JythonRuntime。 //update-begin-author:taoyan date:2022-8-10 for: freemarker模板注入问题 禁止解析ObjectConstructorExecute和freemarker.template.utility.JythonRuntime。
//https://ackcent.com/in-depth-freemarker-template-injection/ //https://ackcent.com/in-depth-freemarker-template-injection/
TPL_CONFIG.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
SQL_CONFIG.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); SQL_CONFIG.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
//update-end-author:taoyan date:2022-8-10 for: freemarker模板注入问题 禁止解析ObjectConstructorExecute和freemarker.template.utility.JythonRuntime。 //update-end-author:taoyan date:2022-8-10 for: freemarker模板注入问题 禁止解析ObjectConstructorExecute和freemarker.template.utility.JythonRuntime。
} }
@ -169,7 +169,7 @@ public class FreemarkerParseFactory {
//"where and" //"where and"
String whereAnd = DataBaseConstant.SQL_WHERE+" and"; String whereAnd = DataBaseConstant.SQL_WHERE+" and";
//", where" //", where"
String commaWhere = SymbolConstant.COMMA+" "+DataBaseConstant.SQL_WHERE; String commaWhere = SymbolConstant.COMMA+" "+ DataBaseConstant.SQL_WHERE;
//", " //", "
String commaSpace = SymbolConstant.COMMA + " "; String commaSpace = SymbolConstant.COMMA + " ";
if (sql.endsWith(DataBaseConstant.SQL_WHERE) || sql.endsWith(whereSpace)) { if (sql.endsWith(DataBaseConstant.SQL_WHERE) || sql.endsWith(whereSpace)) {
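Review bot: The hardening in the static block (the `setNewBuiltinClassResolver` lines of the `@ -57,6 +56,7` hunk) only denies the three classes `SAFER_RESOLVER` is documented to block (`ObjectConstructor`, `Execute`, `JythonRuntime`), so the `?new` built-in stays available for every other class on the classpath; unless a template in this project really needs `?new`, the stricter setting is `TPL_CONFIG.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);` and the same for `SQL_CONFIG`, which disables the built-in altogether. `SQL_CONFIG` is served from a `StringTemplateLoader`, so the SQL templates are the ones most likely to carry caller-influenced text, and whatever populates that loader (outside this hunk) is where the trust boundary should be documented. Separately, `Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS` is the same version the deprecated no-arg constructor already used, so the two constructor changes in the first hunk only silence the deprecation warning; if the intent is to pick up newer FreeMarker defaults, pass the `Configuration.VERSION_2_3_xx` constant matching the release actually on the classpath. The middle of the static initializer lies between the two hunks and is not visible here.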

@ -49,13 +49,13 @@
<hutool.version>5.3.8</hutool.version> <hutool.version>5.3.8</hutool.version>
<!-- 持久层 --> <!-- 持久层 -->
<mybatis-plus.version>3.5.1</mybatis-plus.version> <mybatis-plus.version>3.5.3</mybatis-plus.version>
<dynamic-datasource-spring-boot-starter.version>3.2.0</dynamic-datasource-spring-boot-starter.version> <dynamic-datasource-spring-boot-starter.version>3.2.0</dynamic-datasource-spring-boot-starter.version>
<druid.version>1.1.22</druid.version> <druid.version>1.1.22</druid.version>
<minidao.version>1.9.1</minidao.version> <minidao.version>1.9.2</minidao.version>
<!-- 积木报表--> <!-- 积木报表-->
<jimureport-spring-boot-starter.version>1.5.9</jimureport-spring-boot-starter.version> <jimureport-spring-boot-starter.version>1.6.1</jimureport-spring-boot-starter.version>
<commons.version>2.6</commons.version> <commons.version>2.6</commons.version>
<aliyun-java-sdk-dysmsapi.version>2.1.0</aliyun-java-sdk-dysmsapi.version> <aliyun-java-sdk-dysmsapi.version>2.1.0</aliyun-java-sdk-dysmsapi.version>
<aliyun.oss.version>3.11.2</aliyun.oss.version> <aliyun.oss.version>3.11.2</aliyun.oss.version>
@ -63,7 +63,7 @@
<shiro.version>1.12.0</shiro.version> <shiro.version>1.12.0</shiro.version>
<java-jwt.version>3.11.0</java-jwt.version> <java-jwt.version>3.11.0</java-jwt.version>
<shiro-redis.version>3.1.0</shiro-redis.version> <shiro-redis.version>3.1.0</shiro-redis.version>
<codegenerate.version>1.4.3</codegenerate.version> <codegenerate.version>1.4.4</codegenerate.version>
<autopoi-web.version>1.4.5</autopoi-web.version> <autopoi-web.version>1.4.5</autopoi-web.version>
<minio.version>8.0.3</minio.version> <minio.version>8.0.3</minio.version>
<justauth-spring-boot-starter.version>1.3.4</justauth-spring-boot-starter.version> <justauth-spring-boot-starter.version>1.3.4</justauth-spring-boot-starter.version>
@ -235,7 +235,7 @@
<dependency> <dependency>
<groupId>org.jeecgframework.boot</groupId> <groupId>org.jeecgframework.boot</groupId>
<artifactId>hibernate-re</artifactId> <artifactId>hibernate-re</artifactId>
<version>3.5.3-beta</version> <version>3.5.3</version>
</dependency> </dependency>
<!--mongon db--> <!--mongon db-->
@ -317,7 +317,7 @@
<dependency> <dependency>
<groupId>org.jeecgframework</groupId> <groupId>org.jeecgframework</groupId>
<artifactId>jeewx-api</artifactId> <artifactId>jeewx-api</artifactId>
<version>1.5.1</version> <version>1.5.2</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<artifactId>commons-beanutils</artifactId> <artifactId>commons-beanutils</artifactId>
