[feat_1194][security][fix Pre-Auth Remote Code Execution via Authentication Bypass + JDBC URL Injection #1194] (#1197)

zcswl7961 · web-flow · commit f95389e7f74a · 2026-05-29T11:54:27.000+08:00
Co-authored-by: xingyi &lt;xingyi@dtstack.com&gt;
diff --git a/taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java b/taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java
@@ -21,19 +21,25 @@
 import com.dtstack.taier.common.constant.CommonConstant;
 import com.dtstack.taier.common.exception.ErrorCode;
 import com.dtstack.taier.common.exception.TaierDefineException;
+import com.dtstack.taier.develop.service.user.TokenService;
 import com.dtstack.taier.develop.utils.CookieUtil;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
+import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 public class LoginInterceptor extends HandlerInterceptorAdapter {
 
     private static Logger LOGGER = LoggerFactory.getLogger(LoginInterceptor.class);
 
+
+    @Resource
+    private TokenService tokenService;
+
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
         String requestURI = request.getRequestURI();
@@ -47,6 +53,8 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
         if (StringUtils.isBlank(token)) {
             throw new TaierDefineException(ErrorCode.NOT_LOGIN);
         }
+        tokenService.decryption(token);
+
         return true;
     }
 }
diff --git a/taier-datasource/taier-datasource-plugin/taier-datasource-plugin-libra/pom.xml b/taier-datasource/taier-datasource-plugin/taier-datasource-plugin-libra/pom.xml
@@ -19,7 +19,7 @@
         <jar.package.name>libra</jar.package.name>
         <jar.name>Libra</jar.name>
 
-        <postgresql.version>42.2.2</postgresql.version>
+        <postgresql.version>42.2.25</postgresql.version>
     </properties>
 
     <dependencies>
diff --git a/taier-datasource/taier-datasource-plugin/taier-datasource-plugin-postgresql/pom.xml b/taier-datasource/taier-datasource-plugin/taier-datasource-plugin-postgresql/pom.xml
@@ -18,7 +18,7 @@
         <jar.package.name>postgresql</jar.package.name>
         <jar.name>Postgresql</jar.name>
 
-        <postgresql.version>42.2.2</postgresql.version>
+        <postgresql.version>42.2.25</postgresql.version>
     </properties>
 
     <dependencies>
diff --git a/taier-datasource/taier-datasource-plugin/taier-datasource-plugin-rdbms/src/main/java/com/dtstack/taier/datasource/plugin/rdbms/ConnFactory.java b/taier-datasource/taier-datasource-plugin/taier-datasource-plugin-rdbms/src/main/java/com/dtstack/taier/datasource/plugin/rdbms/ConnFactory.java
@@ -40,8 +40,11 @@
 import java.sql.Connection;
 import java.sql.DriverManager;
 import java.sql.Statement;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.LinkedBlockingQueue;
@@ -75,6 +78,14 @@ public class ConnFactory {
 
     private static final String CP_POOL_KEY = "url:%s,username:%s,password:%s,properties:%s";
 
+    /**
+     * filter with db property
+     */
+    private static final Set<String> DANGEROUS_PARAMS = new HashSet<>(Arrays.asList(
+            "autoDeserialize", "allowLoadLocalInfile", "allowUrlInLocalInfile",
+            "queryInterceptors", "socketFactory", "socketFactoryArg"
+    ));
+
     /**
      * 线程池 - 用于部分数据源获取连接超时处理
      */
@@ -157,6 +168,17 @@ protected Connection getSimpleConn(ISourceDTO source) throws Exception {
         init();
         DriverManager.setLoginTimeout(30);
         log.info("datasource connected, url : {}, userName : {}, kerberosConfig : {}", rdbmsSourceDTO.getUrl(), rdbmsSourceDTO.getUsername(), rdbmsSourceDTO.getKerberosConfig());
+        // property check
+        String urlLower = rdbmsSourceDTO.getUrl().toLowerCase();
+        for (String dangerousParam : DANGEROUS_PARAMS) {
+            if (urlLower.contains("?" + dangerousParam + "=") ||
+                    urlLower.contains("&" + dangerousParam + "=") ||
+                    urlLower.contains("?" + dangerousParam + "%3d") ||
+                    urlLower.endsWith("?" + dangerousParam)) {
+                throw new SecurityException("Dangerous JDBC parameter detected: " + dangerousParam);
+            }
+        }
+
         return DriverManager.getConnection(rdbmsSourceDTO.getUrl(), PropertiesUtil.convertToProp(rdbmsSourceDTO));
     }
 
