# Patch Analysis: CVE-2026-40899 Fix

## Fix Commit

- **Commit**: `16a950f96089b2a90e37d82304ede714a40902ba`
- **Title**: `fix: 【漏洞】Arbitrary File Read (Credential Exfiltration)`
- **Files changed**: 9 datasource type classes in `core/core-backend/src/main/java/io/dataease/datasource/type/`
  - `CK.java`, `Db2.java`, `H2.java`, `Impala.java`, `Mongo.java`, `Mysql.java`, `Pg.java`, `Redshift.java`, `Sqlserver.java`

## What the Fix Changes

In each affected class, a single annotation was added above the `illegalParameters` (or `ILLEGAL_PARAMETERS` / `getH2IllegalParameters`) field/method:

```java
@JsonIgnore
private List<String> illegalParameters = Arrays.asList(...);
```

This prevents Jackson's `ObjectMapper` from invoking the auto-generated setter when the incoming JSON contains a key matching the property name. Because the classes are annotated with Lombok `@Data`, every non-final field gets a public setter. Before the fix, an attacker could include `"illegalParameters": []` in the Base64-encoded datasource configuration JSON, causing Jackson to overwrite the hardcoded blocklist with an attacker-controlled value.

## Fix Assumptions

1. **Jackson respects `@JsonIgnore` on shadowed fields**: The fix assumes that placing `@JsonIgnore` on the subclass field is sufficient to prevent Jackson from binding user input to that property. Our standalone Java test confirmed this assumption: when a child class shadows a parent's field with `@JsonIgnore`, Jackson does not bind JSON values to either the child's or the parent's property.

2. **All vulnerable entry points use the same deserialization path**: Every JDBC datasource type is deserialized via `JsonUtil.parseObject(configuration, <Type>.class)` inside `CalciteProvider.getConnection()`. The fix covers all these type classes.

3. **No other field needs the same protection**: The fix only protects `illegalParameters`. It assumes no other field in these classes, if overwritten, would allow bypassing the JDBC parameter validation.

## What the Fix Does NOT Cover

1. **Other `@Data` classes with security-sensitive fields**: The codebase contains many other `@Data` classes that may have security-sensitive initialized fields. While the datasource type classes were fixed, the root cause pattern (`@Data` + non-final security field + Jackson deserialization from untrusted input) could exist elsewhere.

2. **Making blocklists immutable**: The fix does not make `illegalParameters` `final`, `static final`, or remove the setter entirely. If another deserialization framework (e.g., Fastjson, Gson, or a custom parser) were used, it could still overwrite the field because the underlying setter still exists.

3. **Oracle.java**: `Oracle.java` was NOT modified in the fix commit. However, its `getOracleIllegalParameters()` is a **method**, not a field, so Lombok `@Data` does not generate a setter for it, and Jackson cannot bind to it. Oracle is therefore not vulnerable to this specific attack vector, but this was an implicit omission rather than an explicit decision.

4. **URL / encoding bypasses in `getJdbc()`**: The validation logic in `getJdbc()` remains unchanged. It relies on `URLDecoder.decode()` + case-insensitive string matching. The fix assumes this is sufficient to catch all parameter injection attempts.

5. **`driver` field manipulation**: The `driver` field in each datasource type class is still deserializable. While `CalciteProvider.getConnection()` loads the driver via `jdbcClassLoader.loadClass(configuration.getDriver())`, an attacker who can place a malicious JAR on the server's driver path could combine driver field manipulation with a custom driver class. This is a separate attack surface not addressed by the fix.

## Comparison: Before vs After

**Before fix**:
- Attacker sends Base64-encoded JSON: `{"type":"mysql","extraParams":"allowloadlocalinfile=true","illegalParameters":[]}`
- Jackson deserializes into `Mysql.class`, calling `setIllegalParameters([])`
- `getJdbc()` iterates over the empty list, finds no match, and constructs a JDBC URL with `allowloadlocalinfile=true`
- MySQL driver connects and honors `LOCAL INFILE`, enabling arbitrary file read

**After fix**:
- Attacker sends the same JSON
- Jackson sees `@JsonIgnore` on `Mysql.illegalParameters` and skips the property entirely
- `getJdbc()` iterates over the original hardcoded list `["maxAllowedPacket", "autoDeserialize", ..., "allowloadlocalinfile", ...]`
- The forbidden parameter is detected and a `DEException` is thrown with `Illegal parameter: allowloadlocalinfile`
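The mechanism above (the `@Data`-generated setter being reached by Jackson, and `@JsonIgnore` shutting that path) can be reproduced outside DataEase. The following is an added stand-alone example, not the project's own code: `Before` and `After` are stand-in classes with the setter written out by hand to mirror what Lombok `@Data` generates, `checkExtraParams` is a simplified stand-in for the `getJdbc()` check, and `IllegalArgumentException` stands in for `DEException`. It needs only `jackson-databind` on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class BlocklistBypassDemo {
    // Pre-fix shape: a mutable blocklist with a public setter (what @Data would generate).
    public static class Before {
        public String extraParams;
        private List<String> illegalParameters =
                Arrays.asList("maxAllowedPacket", "autoDeserialize", "allowloadlocalinfile");
        public List<String> getIllegalParameters() { return illegalParameters; }
        public void setIllegalParameters(List<String> v) { illegalParameters = v; }
    }

    // Post-fix shape: the setter still exists, but @JsonIgnore on the field makes Jackson
    // treat the whole logical property (field, getter and setter) as ignorable.
    public static class After {
        public String extraParams;
        @JsonIgnore
        private List<String> illegalParameters =
                Arrays.asList("maxAllowedPacket", "autoDeserialize", "allowloadlocalinfile");
        public List<String> getIllegalParameters() { return illegalParameters; }
        public void setIllegalParameters(List<String> v) { illegalParameters = v; }
    }

    // Simplified stand-in for the getJdbc() validation: URL-decode, then case-insensitive match.
    static void checkExtraParams(String extraParams, List<String> blocklist) {
        String decoded = URLDecoder.decode(extraParams, StandardCharsets.UTF_8).toLowerCase();
        for (String p : blocklist) {
            if (decoded.contains(p.toLowerCase())) {
                throw new IllegalArgumentException("Illegal parameter: " + p);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body (in DataEase it arrives Base64-encoded and is decoded first).
        String json = "{\"extraParams\":\"allowloadlocalinfile=true\",\"illegalParameters\":[]}";
        ObjectMapper mapper = new ObjectMapper();

        Before b = mapper.readValue(json, Before.class);
        System.out.println("before fix: blocklist size = " + b.getIllegalParameters().size());
        try { checkExtraParams(b.extraParams, b.getIllegalParameters()); System.out.println("before fix: check passed, blocklist bypassed"); }
        catch (IllegalArgumentException e) { System.out.println("before fix: " + e.getMessage()); }

        After a = mapper.readValue(json, After.class);
        System.out.println("after fix: blocklist size = " + a.getIllegalParameters().size());
        try { checkExtraParams(a.extraParams, a.getIllegalParameters()); System.out.println("after fix: check passed"); }
        catch (IllegalArgumentException e) { System.out.println("after fix: " + e.getMessage()); }
    }
}
```

With the pre-fix class the incoming `"illegalParameters": []` replaces the hardcoded list and the check passes; with `@JsonIgnore` the list keeps its three entries and the same input is rejected.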

## Completeness Assessment

The fix is **complete for the specific reported vulnerability** (blocklist bypass via `@Data` setter injection). However, it is a **symptom-level fix** rather than a root-cause fix. The deeper root cause is the dangerous combination of:
- Lombok `@Data` generating public setters for ALL non-final fields
- Jackson auto-detecting and invoking those setters on untrusted input
- Security-critical fields (`illegalParameters`) being mutable instance fields

A more robust fix would:
1. Make `illegalParameters` a `private static final` constant (no setter at all)
2. Or add a global Jackson mixin/module that ignores all `illegalParameters` properties
3. Or switch from `@Data` to `@Getter` + `@Setter` on individual safe fields, avoiding blanket setter generation

## Variant Search Conclusion

After exhaustive source-code review and targeted variant testing (see `vuln_variant/rca_report.md`), **no bypass of this fix was found**. The `@JsonIgnore` annotation successfully prevents the reported attack vector, and no alternate entry point or alternate field was identified that could achieve the same blocklist bypass on the fixed version.
