Big-Data-Lab
/
CET-cmd-2.0
6
0
Fork 1
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

【漏洞处理】freemarker模板注入问题 禁止解析ObjectConstructor,Execute 

(提示:部分依赖尚未上传maven官仓,依赖下载失败请配置jeecg私服)
This commit is contained in:
zhangdaiscott 2023-08-15 17:45:07 +08:00
parent 20889e8724
commit acb48179ab
2 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/dynamic/db/FreemarkerParseFactory.java
View File

@ -34,11 +34,11 @@ public class FreemarkerParseFactory {
/**
* 文件缓存
*/
private static final Configuration TPL_CONFIG = new Configuration();
private static final Configuration TPL_CONFIG = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);
/**
* SQL 缓存
*/
private static final Configuration SQL_CONFIG = new Configuration();
private static final Configuration SQL_CONFIG = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);
private static StringTemplateLoader stringTemplateLoader = new StringTemplateLoader();
@ -47,8 +47,7 @@ public class FreemarkerParseFactory {
.compile("(?ms)/\\*.*?\\*/|^\\s*//.*?$");
static {
TPL_CONFIG.setClassForTemplateLoading(
new FreemarkerParseFactory().getClass(), "/");
TPL_CONFIG.setClassForTemplateLoading(new FreemarkerParseFactory().getClass(), "/");
TPL_CONFIG.setNumberFormat("0.#####################");
SQL_CONFIG.setTemplateLoader(stringTemplateLoader);
SQL_CONFIG.setNumberFormat("0.#####################");
@ -57,6 +56,7 @@ public class FreemarkerParseFactory {
//update-begin-author:taoyan date:2022-8-10 for: freemarker模板注入问题 禁止解析ObjectConstructorExecute和freemarker.template.utility.JythonRuntime
//https://ackcent.com/in-depth-freemarker-template-injection/
TPL_CONFIG.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
SQL_CONFIG.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
//update-end-author:taoyan date:2022-8-10 for: freemarker模板注入问题 禁止解析ObjectConstructorExecute和freemarker.template.utility.JythonRuntime
}
@ -169,7 +169,7 @@ public class FreemarkerParseFactory {
//"where and"
String whereAnd = DataBaseConstant.SQL_WHERE+" and";
//", where"
String commaWhere = SymbolConstant.COMMA+" "+DataBaseConstant.SQL_WHERE;
String commaWhere = SymbolConstant.COMMA+" "+ DataBaseConstant.SQL_WHERE;
//", "
String commaSpace = SymbolConstant.COMMA + " ";
if (sql.endsWith(DataBaseConstant.SQL_WHERE) || sql.endsWith(whereSpace)) {

12
pom.xml
View File

@ -49,13 +49,13 @@
<hutool.version>5.3.8</hutool.version>
<!-- 持久层 -->
<mybatis-plus.version>3.5.1</mybatis-plus.version>
<mybatis-plus.version>3.5.3</mybatis-plus.version>
<dynamic-datasource-spring-boot-starter.version>3.2.0</dynamic-datasource-spring-boot-starter.version>
<druid.version>1.1.22</druid.version>
<minidao.version>1.9.1</minidao.version>
<minidao.version>1.9.2</minidao.version>
<!-- 积木报表-->
<jimureport-spring-boot-starter.version>1.5.9</jimureport-spring-boot-starter.version>
<jimureport-spring-boot-starter.version>1.6.1</jimureport-spring-boot-starter.version>
<commons.version>2.6</commons.version>
<aliyun-java-sdk-dysmsapi.version>2.1.0</aliyun-java-sdk-dysmsapi.version>
<aliyun.oss.version>3.11.2</aliyun.oss.version>
@ -63,7 +63,7 @@
<shiro.version>1.12.0</shiro.version>
<java-jwt.version>3.11.0</java-jwt.version>
<shiro-redis.version>3.1.0</shiro-redis.version>
<codegenerate.version>1.4.3</codegenerate.version>
<codegenerate.version>1.4.4</codegenerate.version>
<autopoi-web.version>1.4.5</autopoi-web.version>
<minio.version>8.0.3</minio.version>
<justauth-spring-boot-starter.version>1.3.4</justauth-spring-boot-starter.version>
@ -235,7 +235,7 @@
<dependency>
<groupId>org.jeecgframework.boot</groupId>
<artifactId>hibernate-re</artifactId>
<version>3.5.3-beta</version>
<version>3.5.3</version>
</dependency>
<!--mongon db-->
@ -317,7 +317,7 @@
<dependency>
<groupId>org.jeecgframework</groupId>
<artifactId>jeewx-api</artifactId>
<version>1.5.1</version>
<version>1.5.2</version>
<exclusions>
<exclusion>
<artifactId>commons-beanutils</artifactId>