# RCA Report: CVE-2026-40899

## Summary

DataEase community edition ≤ v2.10.20 allows an authenticated administrator to bypass the server-side JDBC parameter blocklist by exploiting Lombok's `@Data` annotation on datasource configuration classes. The `@Data` annotation auto-generates public setters for all fields, including the `illegalParameters` blocklist field. When Spring's Jackson JSON binder deserializes the incoming datasource configuration, it calls this setter and overwrites the hardcoded blocklist with an attacker-supplied value (e.g., an empty array). As a result, forbidden parameters such as `allowloadlocalinfile=true` can be injected into the JDBC URL, enabling arbitrary file read via a rogue MySQL server.

## Impact

- **Package/component affected**: `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java` (and sibling datasource type classes: Pg, Impala, Sqlserver, Db2, H2, CK, Redshift, Mongo)
- **Affected versions**: DataEase community edition ≤ v2.10.20
- **Fixed versions**: v2.10.21
- **Risk level**: Medium (CVSS 3.1: 6.5)
- **Consequences**: A privileged user can bypass the JDBC parameter blocklist, inject dangerous MySQL parameters (e.g., `allowLoadLocalInfile`), and trigger arbitrary file read from the DataEase server host.

## Root Cause

The datasource type classes (e.g., `Mysql.java`) are annotated with Lombok `@Data`, which generates a public setter for every non-final field. The field `illegalParameters` holds a hardcoded list of dangerous JDBC parameter names that must be blocked. Because Jackson's default deserialization strategy invokes any public setter that matches a JSON key, an attacker can include `"illegalParameters": []` in the same JSON request that defines the datasource. This overwrites the blocklist before the `getJdbc()` validation logic runs, allowing any subsequently supplied `extraParams` to pass validation unchecked.

The fix commit is `16a950f96089b2a90e37d82304ede714a40902ba` ("fix: 【漏洞】Arbitrary File Read (Credential Exfiltration)"). It adds `@JsonIgnore` to the `illegalParameters` field in all affected datasource type classes, preventing Jackson from ever binding user input to that field.

## Reproduction Steps

1. Run `repro/reproduction_steps.sh`
2. The script:
   - Pulls the official DataEase Docker images for v2.10.20 (vulnerable) and v2.10.21 (fixed)
   - Starts each image in `desktop` mode (which bypasses token-based authentication) on separate ports
   - Waits for the real `/de2api/datasource/types` endpoint to respond
   - Sends an HTTP POST to `/de2api/datasource/validate` with a Base64-encoded malicious MySQL configuration containing `"illegalParameters": []` and `"extraParams": "allowloadlocalinfile=true"`
   - Captures and compares the responses
3. Expected evidence:
   - **Vulnerable (v2.10.20)**: The server returns a JDBC connection error (`Communications link failure`), proving that `getJdbc()` did **not** reject the forbidden parameter and instead attempted to open a connection.
   - **Fixed (v2.10.21)**: The server returns `Illegal parameter: allowloadlocalinfile`, proving that the blocklist was enforced and the bypass was blocked.

## Evidence

- `logs/vulnerable_response.json`:
  ```json
  {"code":40001,"msg":"DEException(code=40001, msg=Communications link failure\n\nThe last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)","data":null}
  ```
- `logs/fixed_response.json`:
  ```json
  {"code":40001,"msg":"DEException(code=40001, msg=Illegal parameter: allowloadlocalinfile)","data":null}
  ```
- `repro/runtime_manifest.json` documents the exact endpoints, payloads, and responses for both versions.

## Recommendations / Next Steps

1. **Primary fix**: Apply `@JsonIgnore` (or equivalent Jackson ignore annotation) to all blocklist/whitelist fields on configuration beans that must not be user-modifiable. This is exactly what the DataEase maintainers did in v2.10.21.
2. **Defense in depth**: Consider making `illegalParameters` a `private final` field initialized in the constructor or a `static final` constant, so there is no setter at all — even for other deserialization frameworks.
3. **Upgrade guidance**: Users on DataEase ≤ v2.10.20 should upgrade to v2.10.21 or later immediately.
4. **Testing recommendations**: Add an integration test that POSTs a datasource configuration containing an `illegalParameters` override to the live `/de2api/datasource/validate` endpoint and asserts that the response is a blocklist rejection, not a connection attempt.
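To make the binding behaviour concrete, the following is an added example (not DataEase's own code) that mirrors the vulnerable and fixed bean shapes from the Root Cause section together with the no-setter recommendation above: `VulnerableConfig`, `FixedConfig` and `validate()` are hypothetical stand-ins, the blocklist is a constructed one-entry subset, and the JSON body is a constructed request.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Arrays;
import java.util.List;

public class BlocklistBindingDemo {

    // Vulnerable shape: a public setter for the blocklist exists, as Lombok @Data
    // would generate it (written out by hand so the example needs no Lombok).
    public static class VulnerableConfig {
        private List<String> illegalParameters = Arrays.asList("allowloadlocalinfile"); // constructed subset
        private String extraParams = "";
        public List<String> getIllegalParameters() { return illegalParameters; }
        public void setIllegalParameters(List<String> v) { illegalParameters = v; }
        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String v) { extraParams = v; }
    }

    // Hardened shape: @JsonIgnore marks the whole property as ignored for Jackson,
    // and the field is final with no setter at all (defense in depth).
    public static class FixedConfig {
        @JsonIgnore
        private final List<String> illegalParameters = Arrays.asList("allowloadlocalinfile"); // constructed subset
        private String extraParams = "";
        public List<String> getIllegalParameters() { return illegalParameters; }
        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String v) { extraParams = v; }
    }

    // Simplified stand-in for the getJdbc() check: reject any extraParams key on the blocklist.
    static String validate(List<String> blocklist, String extraParams) {
        for (String kv : extraParams.split("&")) {
            String key = kv.split("=", 2)[0].trim().toLowerCase();
            if (blocklist.contains(key)) return "Illegal parameter: " + key;
        }
        return "ok";
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body carrying the blocklist override described in the report.
        String json = "{\"illegalParameters\":[],\"extraParams\":\"allowloadlocalinfile=true\"}";
        ObjectMapper mapper = new ObjectMapper();
        VulnerableConfig v = mapper.readValue(json, VulnerableConfig.class);
        FixedConfig f = mapper.readValue(json, FixedConfig.class);
        // Vulnerable: setter replaced the blocklist with [], so validation passes.
        System.out.println("vulnerable: " + validate(v.getIllegalParameters(), v.getExtraParams()));
        // Fixed: the key is skipped as an ignored property and the blocklist still applies.
        System.out.println("fixed:      " + validate(f.getIllegalParameters(), f.getExtraParams()));
    }
}
```

Note that `final` alone is not enough with Jackson: `MapperFeature.USE_GETTERS_AS_SETTERS` is on by default, so a getter returning a mutable `List` can still be used to add elements in place, which is why the `@JsonIgnore` is the part that actually closes the binding.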

## Additional Notes

- **Idempotency**: `repro/reproduction_steps.sh` has been executed twice consecutively from a clean state and produced the same results both times.
- **Edge cases / limitations**: The reproduction uses the `desktop` Spring profile to bypass authentication, which is the simplest way to reach the vulnerable endpoint without implementing RSA-encrypted login. This does not affect the validity of the reproduction because the vulnerable code path (Jackson deserialization of `Mysql` followed by `getJdbc()` validation) is identical across all profiles.
