nbcio-boot 3.1 fixes the SSTI-based arbitrary code execution vulnerability in JimuReport (积木报表, "building block report") and upgrades JimuReport from 1.4.0 to the latest version, 1.6.1

1. SSTI-based arbitrary code execution vulnerability in JimuReport

In the affected versions of JeecgBoot, the JimuReport API endpoint /jeecg-boot/jmreport/queryFieldBySql performs no authentication and hands the user-supplied sql parameter to Freemarker for template processing. An unauthenticated attacker can therefore send an HTTP request whose sql parameter carries a malicious template and execute arbitrary code on the application server via SSTI.

2. pom.xml is modified as follows to pull in 1.6.1

<!-- JimuReport (积木报表) -->
<dependency>
    <groupId>org.jeecgframework.jimureport</groupId>
    <artifactId>jimureport-spring-boot-starter</artifactId>
    <version>1.6.1</version>
    <exclusions>
        <exclusion>
            <groupId>org.jeecgframework</groupId>
            <artifactId>autopoi-web</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.poi</groupId>
            <artifactId>ooxml-schemas</artifactId>
        </exclusion>
    </exclusions>
</dependency>

3. The following error occurs after the upgrade

org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [SELECT count(0) FROM jimu_report_data_source jrds WHERE 1 = 1 AND jrds.TYPE = ?]; nested exception is java.sql.SQLSyntaxErrorException: Unknown column 'jrds.TYPE' in 'where clause'
    at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:239)
    at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:70)
    at org.springframework.jdbc.core.JdbcTemplate.translateException(JdbcTemplate.java:1541)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:667)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:713)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:738)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:794)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate.queryForObject(NamedParameterJdbcTemplate.java:243)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate.queryForObject(NamedParameterJdbcTemplate.java:252)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate.queryForObject(NamedParameterJdbcTemplate.java:268)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate$$FastClassBySpringCGLIB$$9d5423dc.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
    at org.springframework.aop.framework.CglibAopProxy.invokeMethod(CglibAopProxy.java:386)
    at org.springframework.aop.framework.CglibAopProxy.access$000(CglibAopProxy.java:85)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:704)
    at org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate$$EnhancerBySpringCGLIB$$ee436ac5.queryForObject(<generated>)
    at org.jeecgframework.minidao.aop.MiniDaoHandler.getReturnMinidaoResult(MiniDaoHandler.java:425)
    at org.jeecgframework.minidao.aop.MiniDaoHandler.invoke(MiniDaoHandler.java:133)

4. The cause is that the jimu_report_data_source table gained new columns in 1.6.1 (the query above fails on jrds.TYPE). The following two columns must be added to the table:

Column     Type         Default  Comment
tenant_id  varchar(10)           multi-tenant ID
type       varchar(10)  0        type (report: report; drag: dashboard)

5. At the same time, the Freemarker template injection vulnerability is fixed by restricting which classes the ?new built-in may instantiate
 

// update-begin-author:taoyan date:2022-8-10 for: Freemarker template injection; forbid resolving ObjectConstructor, Execute and freemarker.template.utility.JythonRuntime.
// https://ackcent.com/in-depth-freemarker-template-injection/
// SAFER_RESOLVER makes the ?new built-in refuse exactly those three classes, which are the
// ones that let a template run OS commands, instantiate arbitrary objects, or run Jython.
_tplConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
_sqlConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
// update-end-author:taoyan date:2022-8-10 for: Freemarker template injection; forbid resolving ObjectConstructor, Execute and freemarker.template.utility.JythonRuntime.
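The following stand-alone program is an added example, not code from this page or from JimuReport, showing what the SAFER_RESOLVER setting above actually changes. It builds a Freemarker Configuration with that resolver, renders a benign template, and then feeds it a template of the shape described in the linked ackcent write-up (instantiating freemarker.template.utility.Execute through ?new). With the safer resolver the ?new call itself is rejected with a TemplateException, so nothing is executed. It assumes FreeMarker 2.3.31 on the classpath; the class name SaferResolverDemo, the helper names and the sample templates are the example's own.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SaferResolverDemo {

    // A template a legitimate report would submit: plain interpolation only.
    static final String BENIGN = "SELECT * FROM t WHERE id = ${id}";

    // Constructed hostile template of the kind discussed in the ackcent write-up:
    // it asks the ?new built-in for an instance of Execute, which can run OS
    // commands. It is only ever rendered with SAFER_RESOLVER here, so the
    // instantiation is refused before anything runs.
    static final String HOSTILE =
        "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    // Equivalent of the fix in JimuReport's FreemarkerUtil: the only security-
    // relevant line is setNewBuiltinClassResolver.
    static Configuration build(TemplateClassResolver resolver) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(resolver);
        return cfg;
    }

    // Render an inline template string against a data model.
    static String render(Configuration cfg, String src, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("inline", new StringReader(src), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();
        model.put("id", 42);

        Configuration safer = build(TemplateClassResolver.SAFER_RESOLVER);

        // Ordinary report SQL still renders: "SELECT * FROM t WHERE id = 42"
        System.out.println(render(safer, BENIGN, model));

        // The hostile template is stopped at ?new with a message of the form
        // "Instantiating freemarker.template.utility.Execute is not allowed in the
        // template for security reasons."
        try {
            render(safer, HOSTILE, model);
            System.out.println("unexpected: hostile template rendered");
        } catch (TemplateException e) {
            System.out.println("blocked by SAFER_RESOLVER: " + e.getMessage());
        }
    }
}
```

Two caveats when applying this in a project: SAFER_RESOLVER only blacklists Execute, ObjectConstructor and JythonRuntime, so any other class with a public constructor can still be instantiated via ?new; if report templates never need ?new at all, TemplateClassResolver.ALLOWS_NOTHING_RESOLVER is the tighter setting. And the resolver addresses the template-processing half of the root cause only; the missing authentication on /jeecg-boot/jmreport/queryFieldBySql described in section 1 still has to be closed separately.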

6. Screenshot of the result


Origin: blog.csdn.net/qq_40032778/article/details/132340204