# REPRO-2026-00165: DataEase: JDBC parameter blocklist bypass via Lombok @Data setter exposure

## Summary

- Status: published
- Severity: medium
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00165
- CVE: CVE-2026-40899

## Package

- Name: dataease
- Ecosystem: github
- Affected: <= v2.10.20
- Fixed: v2.10.21

## Root Cause

### RCA Report: CVE-2026-40899

#### Summary

DataEase community edition ≤ v2.10.20 allows an authenticated administrator to bypass the server-side JDBC parameter blocklist by exploiting Lombok's `@Data` annotation on the datasource configuration classes. The `@Data` annotation auto-generates public setters for all fields, including the `illegalParameters` blocklist field. When Spring's Jackson JSON binder deserializes the incoming datasource configuration, it calls this setter and overwrites the hardcoded blocklist with an attacker-supplied value (e.g., an empty array). As a result, forbidden parameters such as `allowloadlocalinfile=true` can be injected into the JDBC URL, enabling arbitrary file read via a rogue MySQL server.

#### Impact

- **Package/component affected**: `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java` (and the sibling datasource type classes: Pg, Impala, Sqlserver, Db2, H2, CK, Redshift, Mongo)
- **Affected versions**: DataEase community edition ≤ v2.10.20
- **Fixed versions**: v2.10.21
- **Risk level**: Medium (CVSS 3.1: 6.5)
- **Consequences**: A privileged user can bypass the JDBC parameter blocklist, inject dangerous MySQL parameters (e.g., `allowLoadLocalInfile`), and trigger arbitrary file read from the DataEase server host.

#### Root Cause

The datasource type classes (e.g., `Mysql.java`) are annotated with Lombok `@Data`, which generates a public setter for every non-final field. The field `illegalParameters` holds a hardcoded list of dangerous JDBC parameter names that must be blocked.

Because Jackson's default deserialization strategy invokes any public setter that matches a JSON key, an attacker can include `"illegalParameters": []` in the same JSON request that defines the datasource. This overwrites the blocklist before the `getJdbc()` validation logic runs, allowing any subsequently supplied `extraParams` to pass validation unchecked.

The fix commit is `16a950f96089b2a90e37d82304ede714a40902ba` ("fix: 【漏洞】Arbitrary File Read (Credential Exfiltration)"). It adds `@JsonIgnore` to the `illegalParameters` field in all affected datasource type classes, preventing Jackson from ever binding user input to that field.

#### Reproduction Steps

1. Run `repro/reproduction_steps.sh`.
2. The script:
   - Pulls the official DataEase Docker images for v2.10.20 (vulnerable) and v2.10.21 (fixed)
   - Starts each image in `desktop` mode (which bypasses token-based authentication) on separate ports
   - Waits for the real `/de2api/datasource/types` endpoint to respond
   - Sends an HTTP POST to `/de2api/datasource/validate` with a Base64-encoded malicious MySQL configuration containing `"illegalParameters": []` and `"extraParams": "allowloadlocalinfile=true"`
   - Captures and compares the responses
3. Expected evidence:
   - **Vulnerable (v2.10.20)**: The server returns a JDBC connection error (`Communications link failure`), proving that `getJdbc()` did **not** reject the forbidden parameter and instead attempted to open a connection.
   - **Fixed (v2.10.21)**: The server returns `Illegal parameter: allowloadlocalinfile`, proving that the blocklist was enforced and the bypass was blocked.

#### Evidence

- `logs/vulnerable_response.json`:

```json
{"code":40001,"msg":"DEException(code=40001, msg=Communications link failure\n\nThe last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)","data":null}
```

- `logs/fixed_response.json`:

```json
{"code":40001,"msg":"DEException(code=40001, msg=Illegal parameter: allowloadlocalinfile)","data":null}
```

- `repro/runtime_manifest.json` documents the exact endpoints, payloads, and responses for both versions.

#### Recommendations / Next Steps

1. **Primary fix**: Apply `@JsonIgnore` (or an equivalent Jackson ignore annotation) to all blocklist/whitelist fields on configuration beans that must not be user-modifiable. This is exactly what the DataEase maintainers did in v2.10.21.
2. **Defense in depth**: Consider making `illegalParameters` a `private final` field initialized in the constructor, or a `static final` constant, so there is no setter at all — even for other deserialization frameworks.
3. **Upgrade guidance**: Users on DataEase ≤ v2.10.20 should upgrade to v2.10.21 or later immediately.
4. **Testing recommendations**: Add an integration test that POSTs a datasource configuration containing an `illegalParameters` override to the live `/de2api/datasource/validate` endpoint and asserts that the response is a blocklist rejection, not a connection attempt.

#### Additional Notes

- **Idempotency**: `repro/reproduction_steps.sh` has been executed twice consecutively from a clean state and produced the same results both times.
- **Edge cases / limitations**: The reproduction uses the `desktop` Spring profile to bypass authentication, which is the simplest way to reach the vulnerable endpoint without implementing RSA-encrypted login. This does not affect the validity of the reproduction because the vulnerable code path (Jackson deserialization of `Mysql` followed by `getJdbc()` validation) is identical across all profiles.
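The binding behaviour described in the Root Cause section, as an added illustration that is not DataEase's own code: a bean whose blocklist has a public setter (written out by hand here to stand in for what Lombok `@Data` generates) is deserialized from a request body shaped like the one the reproduction sends, and the same body is bound to a hardened bean that carries the `@JsonIgnore` fix plus the `static final` constant from the recommendations. The class names, the `validateExtraParams` stand-in for the `getJdbc()` check, and the one-entry blocklist are constructed for the demo; only `jackson-databind` is assumed on the classpath.

```java
// Added illustration, not DataEase code. Requires jackson-databind on the classpath.
// The hand-written setter in VulnerableConfig stands in for what Lombok @Data
// generates; class names and the single blocklist entry are constructed for the demo.
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class BlocklistBindingDemo {

    // Vulnerable shape: every field has a public setter, including the blocklist.
    public static class VulnerableConfig {
        private String extraParams;
        private List<String> illegalParameters =
                new ArrayList<>(Arrays.asList("allowloadlocalinfile"));

        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String extraParams) { this.extraParams = extraParams; }
        public List<String> getIllegalParameters() { return illegalParameters; }
        // Equivalent of the Lombok-generated setter: Jackson binds the JSON key to it,
        // so "illegalParameters": [] in the request replaces the hardcoded list.
        public void setIllegalParameters(List<String> v) { this.illegalParameters = v; }
    }

    // Hardened shape: @JsonIgnore (the upstream fix) makes Jackson skip the property
    // entirely, and a static final constant (the defense-in-depth recommendation)
    // leaves no per-instance blocklist state to overwrite.
    public static class HardenedConfig {
        private static final List<String> BLOCKLIST = List.of("allowloadlocalinfile");
        private String extraParams;
        @JsonIgnore
        private final List<String> illegalParameters = BLOCKLIST;

        public String getExtraParams() { return extraParams; }
        public void setExtraParams(String extraParams) { this.extraParams = extraParams; }
        public List<String> getIllegalParameters() { return illegalParameters; }
    }

    // Simplified stand-in for the check getJdbc() performs: each key in extraParams
    // is compared case-insensitively against the blocklist.
    static void validateExtraParams(String extraParams, List<String> blocklist) {
        if (extraParams == null || extraParams.isEmpty()) return;
        for (String pair : extraParams.split("&")) {
            String key = pair.split("=", 2)[0].trim().toLowerCase();
            if (blocklist.contains(key)) {
                throw new IllegalArgumentException("Illegal parameter: " + key);
            }
        }
    }

    static String verdict(String label, String extraParams, List<String> blocklist) {
        try {
            validateExtraParams(extraParams, blocklist);
            return label + ": validation passed, a connection attempt would follow";
        } catch (IllegalArgumentException e) {
            return label + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body shaped like the one the reproduction sends.
        String body = "{\"extraParams\":\"allowloadlocalinfile=true\",\"illegalParameters\":[]}";
        ObjectMapper mapper = new ObjectMapper();

        VulnerableConfig v = mapper.readValue(body, VulnerableConfig.class);
        System.out.println("vulnerable blocklist after binding: " + v.getIllegalParameters());
        System.out.println(verdict("vulnerable", v.getExtraParams(), v.getIllegalParameters()));

        HardenedConfig h = mapper.readValue(body, HardenedConfig.class);
        System.out.println("hardened blocklist after binding: " + h.getIllegalParameters());
        System.out.println(verdict("hardened", h.getExtraParams(), h.getIllegalParameters()));
    }
}
```

One caveat worth keeping in mind when applying recommendation 2 on its own: Jackson does not need a setter to write a field. With its default `INFER_PROPERTY_MUTATORS` and `ALLOW_FINAL_FIELDS_AS_MUTATORS` settings it will use a private field, even a final one, as a mutator whenever a visible getter exists, and `USE_GETTERS_AS_SETTERS` lets it append to a collection returned by a getter. Since Lombok `@Data` always generates the getter, removing the setter alone is not sufficient; the `@JsonIgnore` annotation (or a `static final` constant, which is not a bean property at all) is what actually closes the binding path.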
## Reproduction Details

- Reproduced: 2026-05-25T14:12:06.407Z
- Duration: 6684 seconds
- Tool calls: 487
- Turns: 408
- Handoffs: 2

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00165
pruva-verify CVE-2026-40899
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00165&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00165/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40899
- Source: https://github.com/dataease/dataease

## Artifacts

- bundle/repro/rca_report.md (analysis, 5173 bytes)
- bundle/repro/reproduction_steps.sh (reproduction_script, 9798 bytes)
- bundle/vuln_variant/rca_report.md (analysis, 8757 bytes)
- bundle/vuln_variant/reproduction_steps.sh (reproduction_script, 11396 bytes)
- bundle/context.json (other, 2660 bytes)
- bundle/metadata.json (other, 876 bytes)
- bundle/ticket.md (ticket, 4558 bytes)
- bundle/repro/start_dataease.sh (other, 5099 bytes)
- bundle/repro/logs/repro_run_3.log (log, 267 bytes)
- bundle/repro/logs/repro_run.log (log, 1535 bytes)
- bundle/repro/logs/repro_run_2.log (log, 602 bytes)
- bundle/repro/logs/start_dataease.log (log, 98 bytes)
- bundle/repro/logs/repro_run_compose.log (log, 668 bytes)
- bundle/repro/logs/repro_run_final.log (log, 450 bytes)
- bundle/repro/runtime_manifest.json (other, 1192 bytes)
- bundle/repro/validation_verdict.json (other, 2881 bytes)
- bundle/vuln_variant/test_variants_fixed.sh (other, 7938 bytes)
- bundle/vuln_variant/root_cause_equivalence.json (other, 1952 bytes)
- bundle/vuln_variant/patch_analysis.md (documentation, 5739 bytes)
- bundle/vuln_variant/variant_manifest.json (other, 4688 bytes)
- bundle/vuln_variant/validation_verdict.json (other, 3466 bytes)
- bundle/logs/vulnerable_response.json (other, 224 bytes)
- bundle/logs/fixed_response.json (other, 104 bytes)
- bundle/logs/variant_syntax_test.log (log, 843 bytes)
- bundle/logs/variant_repro_run.log (log, 728 bytes)
- bundle/logs/variant_test_run.log (log, 680 bytes)
- bundle/logs/variant_test_fix.py (script, 2070 bytes)
- bundle/logs/repro_retry.log (log, 668 bytes)
- bundle/logs/dataease-vuln_startup.log (log, 21610 bytes)
- bundle/logs/variant_syntax_test2.log (log, 843 bytes)
- bundle/logs/variant_test.py (script, 2130 bytes)
- bundle/logs/dataease-vuln_crash.log (log, 61 bytes)
- bundle/logs/dataease-fix-variant_startup.log (log, 23082 bytes)
- bundle/logs/repro_retry.pid (other, 6 bytes)
- bundle/logs/exploit.py (script, 976 bytes)
- bundle/logs/dataease-fix_startup.log (log, 60 bytes)
- bundle/test/file.txt (other, 13 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00165
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00165/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00165

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction.
2. The script downloads and runs automatically in an isolated temp directory.
3. Always recommend running in a VM, container, or disposable environment.
4. The root cause section explains the technical vulnerability.

---

Generated by Pruva | https://pruva.dev