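In nbcio-boot, upgrading mybatis-plus to 3.5.3.1 and JSQLParser to 4.6 caused an error in the online report configuration.
As a result, the home page could not display anything.
The SQL statement is as follows: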
```sql
select DATE_FORMAT(c.days, '%Y%m') x, count(num) y
from (
    select DATE_FORMAT(b.DEPLOY_TIME_, '%Y-%m-%d') AS days, count(a.KEY_) as num
    from (
        select DEPLOYMENT_ID_, KEY_, MAX(VERSION_)
        from act_re_procdef
        GROUP BY KEY_
    ) a
    LEFT JOIN act_re_deployment b on a.DEPLOYMENT_ID_ = b.ID_
    GROUP BY DATE_FORMAT(b.DEPLOY_TIME_, '%Y-%m-%d')
    ORDER BY b.DEPLOY_TIME_
) c
GROUP BY x
ORDER BY x desc
```
Before the upgrade this worked normally; after the upgrade it fails with the following error:
```
java.lang.ClassCastException: net.sf.jsqlparser.statement.select.SubSelect cannot be cast to net.sf.jsqlparser.schema.Table
    at org.jeecg.modules.online.config.c.a.a(OnlReportQueryBlackListHandler.java:118)
    at org.jeecg.modules.online.config.c.a.getQueryTableInfo(OnlReportQueryBlackListHandler.java:88)
    at org.jeecg.common.util.security.AbstractQueryBlackListHandler.isPass(AbstractQueryBlackListHandler.java:44)
    at org.jeecg.modules.online.cgreport.service.a.b.executeSelectSqlRoute(OnlCgreportAPIService.java:90)
    at org.jeecg.modules.online.cgreport.service.a.b.getData(OnlCgreportAPIService.java:80)
    at org.jeecg.modules.online.cgreport.service.a.b.getDataById(OnlCgreportAPIService.java:54)
    at org.jeecg.modules.online.cgreport.a.a.b(OnlCgreportAPI.java:207)
    at org.jeecg.modules.online.cgreport.a.a.a(OnlCgreportAPI.java:92)
    at org.jeecg.modules.online.cgreport.a.a$$FastClassBySpringCGLIB$$a976ee88.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:793)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)
    at org.jeecg.common.aspect.PermissionDataAspect.arround(PermissionDataAspect.java:66)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
```
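Judging by the error, it comes from OnlReportQueryBlackListHandler, but because the source code of the online module is not open, I cannot see where exactly it goes wrong.
At first I thought it was a jsqlparser problem, but I found nothing in the official jsqlparser material or on GitHub; later I saw that jeecg-boot has official material on this.
Based on material found online, the problem most likely lies in the new security blacklist mechanism, so I modified isPass in the AbstractQueryBlackListHandler class as follows: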
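```java
/**
 * Validate the SQL statement; returns true on success.
 * @param sql
 * @return
 */
public boolean isPass(String sql) {
    //List<QueryTable> list = this.getQueryTableInfo(sql.toLowerCase());
    List<QueryTable> list = null;
    // [jeecg-boot/issues/4040] Online reports do not support subqueries; parsing throws an error #4040
    try {
        list = this.getQueryTableInfo(sql.toLowerCase());
    } catch (Exception e) {
        // Log message: "validating SQL statement, parse error"
        log.warn("校验sql语句,解析报错:{}",e.getMessage());
    }
    if(list==null){
        // Parsing failed: the statement is let through without a blacklist check
        return true;
    }
    // Log message: "SQL info obtained"; the {} placeholder is needed for the list to be logged
    log.info("--获取sql信息--{}", list.toString());
    boolean flag = true;
    for (QueryTable table : list) {
        String name = table.getName();
        String fieldString = ruleMap.get(name);
        // Is there a rule configured for this table?
        if (fieldString != null) {
            if ("*".equals(fieldString) || table.isAll()) {
                flag = false;
                // Log message: "SQL blacklist check, querying table [name] is forbidden"
                log.warn("sql黑名单校验,表【"+name+"】禁止查询");
                break;
            } else if (table.existSameField(fieldString)) {
                flag = false;
                break;
            }
        }
    }
    return flag;
}
```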
After this change, the home page displays normally again.
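The patched `isPass` above returns true whenever `getQueryTableInfo` throws, so any statement the handler cannot parse skips the blacklist. As an added example (not code from jeecg-boot or nbcio-boot), the following table-level check walks sub-selects with JSQLParser's `TablesNamesFinder` and rejects unparseable SQL instead. It assumes JSQLParser 4.6 on the classpath; the class name, the blocked-table set and the sample queries are constructed for illustration.

```java
import net.sf.jsqlparser.JSQLParserException;
import net.sf.jsqlparser.parser.CCJSqlParserUtil;
import net.sf.jsqlparser.statement.Statement;
import net.sf.jsqlparser.util.TablesNamesFinder;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: table-level blacklist check that follows sub-selects and fails closed. */
public class SubSelectAwareBlacklist {

    // Constructed sample rules (hypothetical): tables that reports must not read.
    private static final Set<String> BLOCKED = new HashSet<>(Arrays.asList("sys_user", "sys_role"));

    /** Returns true only when the SQL parses and none of its tables is blocked. */
    public static boolean isPass(String sql) {
        try {
            Statement stmt = CCJSqlParserUtil.parse(sql);
            // TablesNamesFinder visits every FromItem, including SubSelect nodes,
            // so no cast from SubSelect to Table is needed.
            for (String table : new TablesNamesFinder().getTableList(stmt)) {
                String name = table.replace("`", "").toLowerCase();
                name = name.substring(name.lastIndexOf('.') + 1); // drop schema prefix
                if (BLOCKED.contains(name)) {
                    return false;
                }
            }
            return true;
        } catch (JSQLParserException | RuntimeException e) {
            // Fail closed: a statement that cannot be analysed is not executed.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs, modelled on the nested query from the post.
        String report = "select DATE_FORMAT(c.deploy_day, '%Y%m') x, count(num) y from "
                + "(select b.DEPLOY_TIME_ deploy_day, count(a.KEY_) num from "
                + "(select DEPLOYMENT_ID_, KEY_ from act_re_procdef group by KEY_) a "
                + "left join act_re_deployment b on a.DEPLOYMENT_ID_ = b.ID_ group by b.DEPLOY_TIME_) c "
                + "group by x";
        String hidden = "select t.username from (select username from sys_user) t";
        String broken = "select * from (select";
        System.out.println("report: " + isPass(report));
        System.out.println("hidden: " + isPass(hidden));
        System.out.println("broken: " + isPass(broken));
    }
}
```

This covers only the table-level rule; the field-level comparison that `existSameField` performs in the original handler is not reproduced here.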