Skip to content

1.13.3#339

Merged
erupts merged 53 commits intomasterfrom
develop
Feb 3, 2026
Merged

1.13.3#339
erupts merged 53 commits intomasterfrom
develop

Conversation

@erupts
Copy link
Owner

@erupts erupts commented Feb 3, 2026

🐞 修复 TAB_TREE 组件数据无法保存的 bug (会导致角色菜单无法保存)
🐞 修复 @vl 注解 color 配置失效的 bug
🐞 修复 notice 在分页时会一直加载的 bug
🐞 修复 erupt-job 启动报错的 bug
🧩 优化 CkEditor 组件,给予初始高度,解决有概率加载失败的问题
🧩 优化 LocalDateTime 类型的 Gson 适配,支持读写 LocalDate 类型的数据
🧩 大模型名称调整 QWen 调整为 Qwen
🌟 erupt-ai 支持渲染数学公式与流程图
🌟 MCP 增加 Open API 授权机制
🌟 @tpl 注解支持跳转 Angular 路由,并且可以将当前行的数据作为 URL 参数,语法:/{field}
🌟 erupt-flow 支持自定义打印模板的能力
🌟 支持控制全局 UI 主题色,主色不再是蓝色可自由定义(#app.js

erupts added 30 commits January 4, 2026 23:34
@erupts
upgrade erupt-web
1a56ca8
@erupts
add erupt-print module
7032a10
@erupts
Merge remote-tracking branch 'origin/develop' into develop
9b5ba8a
@erupts
add erupt-print module
46d8393
@erupts
remove sample h2 pwd
0034b05
@erupts
Init print
c0571a5
@erupts
Fix job init
2923aa4
@erupts
@ChoiceType.trigger repeat to onchange
f86d667
@erupts
大模型名称调整 QWen 调整为 Qwen 更新后需要在大模型管理中手动修改
872ac82
@erupts
后续版本会删除 ChoiceTrigger 请使用 onchange 代替
bef3b45
@erupts
optimize erupt-print
26c6574
@erupts
upgrade erupt-web
a871525
@erupts
upgrade erupt-web
2b19b37
@erupts
erupt-ai 支持渲染数学公式与图
67f3255
@erupts
优化 LocalDateTime 类型的 Gson 适配,支持读写 LocalDate 类型的数据
ad4d7a5
@erupts
Merge remote-tracking branch 'origin/develop' into develop
1658ded
@erupts
Choice 组件支持配置下拉框选项的颜色
749509e
@erupts
Fix @dynamic validate bug
b074ee2
@erupts
add print api
1bdc716
@erupts
add print api
f7dcb31
@erupts
add print var support
a0d8eb5
@erupts
add print var support
906dbbb
@erupts
update config
fb03a1d
@erupts
remove EruptPrintBind, enhance EruptPrintTpl, and add API for templat…
3dd42e1 
…es with login authentication
@erupts
upgrade to 1.13.3
9935895
@erupts
Replace JavaScript chunks with updated versions
d31e382
@erupts
update application.yml: add datasource credentials and system-prompt …
1c1dcb4 
…configuration
@erupts
update application.yml: add datasource credentials and system-prompt …
c4ee3b7 
…configuration
@erupts
Optimize notice web
56ede45
@erupts
Add sense filter support to /messages API in EruptNoticeController
1efe5cc
erupts added 23 commits January 19, 2026 22:26
@erupts
Add selectByPath method to EruptLambdaQuery and /scenes API to …
cbffa77 
…`EruptNoticeController`
@erupts
Update notice scene naming and parameter handling
8578a50 
Renamed the notice scene name from "ERUPT_FLOW" to "Flow" for clarity and consistency. Additionally, changed the request parameter from "sense" to "scene" in EruptNoticeController to improve readability and align with naming conventions.
@erupts
Add NoticeUrlOpenWay enum and urlOpenWay field to NoticeMessage
68fb3cb
@erupts
Update erupt-web
ebb8dde
@erupts
Update template path handling and support ROUTER mode
3cf59f4
@erupts
Optimize code
f853c09
@erupts
Refactor and enhance Erupt Print and Cube modules
dea3b1e 
Updated `EruptPrintTpl` to use `UEDITOR` for HTML editing. Refactored Cube-related classes to rename and restructure dimensions, measures, and data sources, adding MySQL configuration for Cube. Introduced `CurrentUser` implementation in Erupt Print to fetch current user UID and adjusted `CubeDashboard` field order for clarity.
@erupts
Add enableFunctionCall property and conditional checks in LLMService
8f37d14
@erupts
Refactor Erupt Print to add variable replacement logic and integrate …
3450b32 
…`repeatVar` in print method
@erupts
Fix @vl color mission bug
06b6382
@erupts
Fix LLM message miss bug
5962dfa
@erupts
Optimize erupt-ai
87da3ca
@erupts
Refactor Erupt Print module to replace repeatVar logic with Velocit…
5d075d5 
…y template engine for variable rendering. Add `valueMapping` parameter to `generateEruptDataMap` and update related methods for enhanced data transformation.
@erupts
update erupt-web
9b04102
@erupts
init print menu
59654e1
@erupts
Optimize flow-print
cb984c5
@erupts
Optimize flow-print
74872cf
@erupts
Optimize Cube Operator
660fc5b
@erupts
Add erupt print config model
c48fa3c
@erupts
Merge remote-tracking branch 'origin/develop' into develop
a5173f7
@erupts
update erupt-web
973503a
@erupts
Optimize erupt cube
c1a5c0c
@erupts
add maven-release.sh
9152883
@erupts erupts merged commit ca2c24b into master Feb 3, 2026
1 of 3 checks passed
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 3, 2026
View reviewed changes
erupt-print/src/main/java/xyz/erupt/print/service/EruptPrintService.java
ctx.put(value.code(), value.value());
}
StringWriter out = new StringWriter();
velocityEngine.evaluate(ctx, out, EruptPrintService.class.getSimpleName(), template);

Check failure

Code scanning / CodeQL

Server-side template injection Critical

Template, which may contain code, depends on a
user-provided value
Loading
.

Copilot Autofix

AI 5 days ago

In general, to fix this kind of issue, you must ensure that untrusted input is never interpreted as template code. Instead, treat user input purely as data to be interpolated into a server-controlled template, or render untrusted content using escaping so that template syntax is not executed. If dynamic templates are a requirement, they must not be directly specified by arbitrary clients; instead, use a curated set of templates stored server-side and referenced by an identifier, or introduce a safe, restricted template engine/sandbox.

For this specific codebase, the minimal fix without changing observable functionality too much is to stop evaluating the raw request body content as a Velocity template. A safe pattern is: the request body is treated as data (plain text) that may contain placeholder markers for variables, but we escape it so that Velocity does not interpret its control structures or method calls. Apache Velocity provides org.apache.velocity.tools.generic.EscapeTool, which can be used to escape special characters in untrusted input before embedding them in templates. However, here the entire template itself is untrusted, so the better change is architectural: only allow server-defined templates to be evaluated, and treat the user-provided content as data. The simplest local change we can make inside the shown snippets is to stop passing content as the template to render. Instead, we can treat it as an ordinary string with no template processing—i.e., bypass Velocity for user-provided templates—and only use render for templates that are defined server-side.

Because we are constrained to the shown snippets, the least intrusive, clearly safe change is to modify EruptPrintController.print so that the untrusted content is not sent to eruptPrintService.render at all. We can still allow DataProxyInvoke to process it (as that is custom application logic), but we will avoid Velocity evaluation entirely for user-provided strings. Concretely:

  • In EruptPrintController.print, replace the initialization of contentReference so it just wraps content instead of calling eruptPrintService.render(content, ...).
  • Leave EruptPrintService.render as-is for use by other, presumably safe callers that provide server-controlled templates.
    This change removes the tainted data path into the Velocity sink, eliminating the SSTI vulnerability for this endpoint while preserving its high-level behavior of taking an input string, optionally transforming it via DataProxyInvoke, and returning the result.
Suggested changeset 1
erupt-print/src/main/java/xyz/erupt/print/controller/EruptPrintController.java
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/erupt-print/src/main/java/xyz/erupt/print/controller/EruptPrintController.java b/erupt-print/src/main/java/xyz/erupt/print/controller/EruptPrintController.java
--- a/erupt-print/src/main/java/xyz/erupt/print/controller/EruptPrintController.java
+++ b/erupt-print/src/main/java/xyz/erupt/print/controller/EruptPrintController.java
@@ -35,7 +35,7 @@
     public R<String> print(@PathVariable String erupt, @PathVariable String id, @RequestBody String content) {
         EruptModel eruptModel = EruptCoreService.getErupt(erupt);
         Object data = DataProcessorManager.getEruptDataProcessor(eruptModel.getClazz()).findDataById(eruptModel, EruptUtil.toEruptId(eruptModel, id));
-        AtomicReference<String> contentReference = new AtomicReference<>(eruptPrintService.render(content, EruptUtil.generateEruptDataMap(eruptModel, data, true)));
+        AtomicReference<String> contentReference = new AtomicReference<>(content);
         DataProxyInvoke.invoke(eruptModel, dataProxy -> contentReference.set(dataProxy.print(data, contentReference.get())));
         return R.ok(contentReference.get());
     }
EOF
@@ -35,7 +35,7 @@
public R<String> print(@PathVariable String erupt, @PathVariable String id, @RequestBody String content) {
EruptModel eruptModel = EruptCoreService.getErupt(erupt);
Object data = DataProcessorManager.getEruptDataProcessor(eruptModel.getClazz()).findDataById(eruptModel, EruptUtil.toEruptId(eruptModel, id));
AtomicReference<String> contentReference = new AtomicReference<>(eruptPrintService.render(content, EruptUtil.generateEruptDataMap(eruptModel, data, true)));
AtomicReference<String> contentReference = new AtomicReference<>(content);
DataProxyInvoke.invoke(eruptModel, dataProxy -> contentReference.set(dataProxy.print(data, contentReference.get())));
return R.ok(contentReference.get());
}
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@erupts