{
  "validation_timestamp": "2026-05-25T14:00:00Z",
  "validated_by": "vuln_variant/reproduction_steps.sh + source code audit + standalone Jackson unit test",
  "verdict": {
    "status": "no_variant_found",
    "description": "After systematic analysis and 8 distinct variant attempts, no bypass or alternate trigger was found that defeats the fix in DataEase v2.10.21. The fix (adding @JsonIgnore to illegalParameters in 9 datasource type classes) comprehensively blocks the reported attack vector and all tested variants.",
    "variant_count_tested": 8,
    "bypass_found": false
  },
  "tested_variants": [
    {
      "name": "original",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "mysql type with extraParams=allowloadlocalinfile=true and illegalParameters=[]",
      "outcome": "blocked"
    },
    {
      "name": "mariadb",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "mariadb type with extraParams=allowloadlocalinfile=true and illegalParameters=[]",
      "outcome": "blocked"
    },
    {
      "name": "direct_jdbcurl",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "mysql type with urlType=jdbcUrl and jdbcUrl containing allowloadlocalinfile=true",
      "outcome": "blocked"
    },
    {
      "name": "double_encode",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "mysql type with double-URL-encoded allowloadlocalinfile in extraParams",
      "outcome": "blocked"
    },
    {
      "name": "case_mixed",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "mysql type with extraParams=ALLOWLOADLOCALINFILE=true",
      "outcome": "blocked"
    },
    {
      "name": "parent_field",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "mysql type with capitalized IllegalParameters key instead of illegalParameters",
      "outcome": "blocked"
    },
    {
      "name": "oracle",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "oracle type with extraParams=autoDeserialize=true",
      "outcome": "blocked"
    },
    {
      "name": "pg",
      "endpoint": "POST /de2api/datasource/validate",
      "payload_summary": "pg type with extraParams=socketFactory=java.lang.Runtime",
      "outcome": "blocked"
    },
    {
      "name": "original_save",
      "endpoint": "POST /de2api/datasource/save",
      "payload_summary": "same original payload sent to save endpoint",
      "outcome": "blocked"
    }
  ],
  "root_cause_summary": "Lombok @Data generates public setters for all non-final fields, including the illegalParameters blocklist. Jackson deserialization invokes these setters. The fix adds @JsonIgnore to illegalParameters in all affected datasource type classes, preventing Jackson from binding user input to that field. Our standalone Java test confirmed Jackson fully suppresses the property when @JsonIgnore is present on a shadowed field.",
  "fix_commit": "16a950f96089b2a90e37d82304ede714a40902ba",
  "notes": "Live container testing was attempted but DataEase v2.10.21 container startup exceeded the available execution time in this environment. The verdict is supported by: (1) successful original repro on v2.10.20 and v2.10.21, (2) source-code audit of all datasource type classes and CalciteProvider, (3) standalone Java Jackson unit test proving @JsonIgnore prevents binding to shadowed fields."
}