{
  "same_root_cause": true,
  "root_cause_description": "The Lombok @Data annotation auto-generates public setters for all non-final fields in datasource configuration classes. Jackson's default deserialization strategy invokes any public setter that matches a JSON key. The illegalParameters field holds a hardcoded blocklist of dangerous JDBC parameters. When an attacker includes 'illegalParameters': [] in the JSON request, Jackson overwrites the blocklist before the getJdbc() validation runs, allowing forbidden parameters to reach the JDBC URL.",
  "shared_sinks": [
    {
      "file_path": "core/core-backend/src/main/java/io/dataease/datasource/provider/CalciteProvider.java",
      "method": "getConnection",
      "line_start": 406,
      "line_end": 442,
      "description": "Deserializes the Base64-encoded configuration string into the specific datasource type class using JsonUtil.parseObject(). This is where Jackson calls the auto-generated setters."
    },
    {
      "file_path": "core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java",
      "method": "getJdbc",
      "line_start": 18,
      "line_end": 52,
      "description": "Constructs the JDBC URL and validates it against illegalParameters. If the blocklist was overwritten, this check passes and returns a malicious URL."
    }
  ],
  "shared_trust_boundary": "HTTP API request from authenticated admin crosses into server-side Jackson deserialization and JDBC URL construction.",
  "variant_equivalence": "All tested variants reach the exact same sink (CalciteProvider.getConnection -> JsonUtil.parseObject -> getJdbc) and rely on the same root cause (Jackson binding to the auto-generated setter for illegalParameters). The only differences are the entry point endpoint (/validate vs /save), the datasource type enum value (mysql vs mariadb vs pg vs oracle), or the encoding/casing of the parameter string. None of these change the underlying root cause."
}
