Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]普通用户可上传插件至任意代码执行 #2431

Closed
Ryze-T opened this issue Jun 15, 2022 · 2 comments
Closed

[Bug]普通用户可上传插件至任意代码执行 #2431

Ryze-T opened this issue Jun 15, 2022 · 2 comments
Assignees
Labels
状态:待反馈 类型:bug Something isn't working

Comments

@Ryze-T
Copy link

Ryze-T commented Jun 15, 2022

DataEase 版本
最新版

运行方式(安装包运行 or 源码运行 ?)
安装包运行

浏览器版本
任意

Bug 描述
普通用户可上传插件至任意代码执行

Bug 重现步骤(有截图更好)
在官网编译插件,并在主要连接presto的功能处加入恶意代码:
image
插件安装处未鉴权,普通用户可调用接口上传插件:
image
上传成功后普通用户新建presto数据源:
image
查看dnslog平台:
image
命令成功执行

@Ryze-T Ryze-T added the 类型:bug Something isn't working label Jun 15, 2022
@maninhill maninhill changed the title [Bug] [Bug]普通用户可上传插件至任意代码执行 Jun 15, 2022
@xuwei-fit2cloud
Copy link
Contributor

感谢反馈,我们尽快修复。

@maninhill
Copy link
Contributor

v1.11.2 已修复,详情请参考:https://github.com/dataease/dataease/releases/tag/v1.11.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
状态:待反馈 类型:bug Something isn't working
Projects
None yet
Development

No branches or pull requests

6 participants