From b2a7bb4aa05818e163678c911803a7d64ade4e5c Mon Sep 17 00:00:00 2001
From: mystarry-sky <zilan1986@163.com>
Date: Wed, 23 Apr 2025 19:55:27 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2025-31672=20poi=20=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ApiTest/pom.xml                               |  2 +-
 openGauss-datakit/visualtool-common/pom.xml   |  1 -
 .../service/ops/impl/HostServiceImpl.java     | 17 ++++++------
 plugins/alert-monitor/pom.xml                 |  2 --
 plugins/base-ops/pom.xml                      | 10 +++++--
 pom.xml                                       | 27 ++++++++++++++++---
 6 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/ApiTest/pom.xml b/ApiTest/pom.xml
index 3ebbbe510..2b0fe5ff0 100644
--- a/ApiTest/pom.xml
+++ b/ApiTest/pom.xml
@@ -20,7 +20,7 @@
         <hutool.version>5.3.5</hutool.version>
         <mysql-connector-j.version>9.1.0</mysql-connector-j.version>
         <jackson-dataformat-yaml.version>2.13.0</jackson-dataformat-yaml.version>
-        <poi.version>5.3.0</poi.version>
+        <poi.version>5.4.0</poi.version>
 
         <testng.suite>src/test/resources/testng.xml</testng.suite>
     </properties>
diff --git a/openGauss-datakit/visualtool-common/pom.xml b/openGauss-datakit/visualtool-common/pom.xml
index b648757b5..153df99e2 100644
--- a/openGauss-datakit/visualtool-common/pom.xml
+++ b/openGauss-datakit/visualtool-common/pom.xml
@@ -137,7 +137,6 @@
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>easyexcel</artifactId>
-            <version>3.1.1</version>
         </dependency>
 
         <dependency>
diff --git a/openGauss-datakit/visualtool-service/src/main/java/org/opengauss/admin/system/service/ops/impl/HostServiceImpl.java b/openGauss-datakit/visualtool-service/src/main/java/org/opengauss/admin/system/service/ops/impl/HostServiceImpl.java
index dd2a024ff..f099ea5d5 100644
--- a/openGauss-datakit/visualtool-service/src/main/java/org/opengauss/admin/system/service/ops/impl/HostServiceImpl.java
+++ b/openGauss-datakit/visualtool-service/src/main/java/org/opengauss/admin/system/service/ops/impl/HostServiceImpl.java
@@ -242,7 +242,12 @@ public class HostServiceImpl extends ServiceImpl<OpsHostMapper, OpsHostEntity> i
 
     private List<HostRecord> readExcelFile(InputStream inputStream) {
         HostRecordDataListener hostRecordDataListener = new HostRecordDataListener(this, isSwitchingLanguage);
-        return EasyExcel.read(inputStream, HostRecord.class, hostRecordDataListener).sheet().doReadSync();
+        try {
+            return EasyExcel.read(inputStream, HostRecord.class, hostRecordDataListener).sheet().doReadSync();
+        } catch (Exception e) {
+            log.error("Failed to parse data.", e);
+            throw new OpsException("Failed to parse data.");
+        }
     }
 
     private Map<String, List<HostRecord>> groupHostRecordsByIP(List<HostRecord> hostRecords) {
@@ -447,25 +452,22 @@ public class HostServiceImpl extends ServiceImpl<OpsHostMapper, OpsHostEntity> i
     @Transactional(rollbackFor = Exception.class)
     public boolean edit(String hostId, HostBody hostBody) {
         OpsHostEntity hostEntity = checkHostExist(hostId);
-
         if (StringUtils.isBlank(hostBody.getName())) {
             throw new OpsException("Host name cannot be empty");
         }
         if (ObjectUtils.isEmpty(hostBody.getPort())) {
             throw new OpsException("Host port cannot be empty");
         }
-        if (!hostEntity.getPrivateIp().equals(hostBody.getPrivateIp())
-                || !hostEntity.getPublicIp().equals(hostBody.getPublicIp())) {
+        if (!hostEntity.getPrivateIp().equals(hostBody.getPrivateIp()) || !hostEntity.getPublicIp()
+            .equals(hostBody.getPublicIp())) {
             throw new OpsException("Host public and private IP cannot be modified");
         }
         if (StringUtils.isAnyBlank(hostBody.getUsername(), hostBody.getPassword())) {
             throw new OpsException("Host username and password cannot be empty");
         }
-
         SshLogin sshLogin = new SshLogin(hostBody.getPublicIp(), hostBody.getPort(), hostBody.getUsername(),
-                encryptionUtils.decrypt(hostBody.getPassword()));
+            encryptionUtils.decrypt(hostBody.getPassword()));
         HostInfoVo hostInfoVo = getHostInfoVo(jschExecutorService.createSession(sshLogin));
-
         hostEntity.setName(hostBody.getName());
         hostEntity.setPort(hostBody.getPort());
         hostEntity.setRemark(hostBody.getRemark());
@@ -474,7 +476,6 @@ public class HostServiceImpl extends ServiceImpl<OpsHostMapper, OpsHostEntity> i
         hostEntity.setCpuArch(hostInfoVo.getCpuArch());
         hostEntity.setHostname(hostInfoVo.getHostname());
         updateById(hostEntity);
-
         opsHostTagRelService.cleanHostTag(hostId);
         opsHostTagService.addTag(HostTagInputDto.of(hostBody.getTags(), hostId));
         return true;
diff --git a/plugins/alert-monitor/pom.xml b/plugins/alert-monitor/pom.xml
index 1ade8eb9f..dca1425ad 100644
--- a/plugins/alert-monitor/pom.xml
+++ b/plugins/alert-monitor/pom.xml
@@ -163,12 +163,10 @@
         <dependency>
             <groupId>org.apache.poi</groupId>
             <artifactId>poi</artifactId>
-            <version>4.1.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.poi</groupId>
             <artifactId>poi-ooxml</artifactId>
-            <version>4.1.2</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
diff --git a/plugins/base-ops/pom.xml b/plugins/base-ops/pom.xml
index 561e318b2..f1c0c0cf7 100644
--- a/plugins/base-ops/pom.xml
+++ b/plugins/base-ops/pom.xml
@@ -14,7 +14,6 @@
     <packaging>jar</packaging>
     <properties>
         <junit.version>4.13</junit.version>
-        <easyexcel.version>3.1.1</easyexcel.version>
         <build.frontend.skip>false</build.frontend.skip>
     </properties>
 
@@ -38,7 +37,14 @@
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>easyexcel</artifactId>
-            <version>${easyexcel.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.gitee.starblues</groupId>
+            <artifactId>spring-brick-bootstrap</artifactId>
         </dependency>
         <dependency>
             <groupId>com.gitee.starblues</groupId>
diff --git a/pom.xml b/pom.xml
index 507533738..3470e071d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,7 +22,7 @@
         <mybatis-spring-boot.version>2.1.4</mybatis-spring-boot.version>
         <mybatis-plus.version>3.5.2</mybatis-plus.version>
         <pagehelper.boot.version>1.3.1</pagehelper.boot.version>
-        <commons.io.version>2.14.0</commons.io.version>
+        <commons.io.version>2.18.0</commons.io.version>
         <commons.fileupload.version>1.4</commons.fileupload.version>
         <commons.collections.version>3.2.2</commons.collections.version>
         <fastjson.version>1.2.83</fastjson.version>
@@ -35,7 +35,8 @@
         <hutool.version>5.3.5</hutool.version>
         <opengauss-jdbc.version>3.0.0</opengauss-jdbc.version>
         <servlet-api.version>4.0.1</servlet-api.version>
-
+        <easyexcel.version>4.0.3</easyexcel.version>
+        <poi.version>5.4.0</poi.version>
         <web.path/>
         <web.build.path/>
         <web.resources.path/>
@@ -186,7 +187,21 @@
                 <artifactId>spring-brick-bootstrap</artifactId>
                 <version>${spring-brick.version}</version>
             </dependency>
-
+            <dependency>
+                <groupId>com.alibaba</groupId>
+                <artifactId>easyexcel</artifactId>
+                <version>${easyexcel.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.poi</groupId>
+                <artifactId>poi</artifactId>
+                <version>${poi.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.poi</groupId>
+                <artifactId>poi-ooxml</artifactId>
+                <version>${poi.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.gitee.starblues</groupId>
                 <artifactId>spring-brick-maven-packager</artifactId>
@@ -270,6 +285,8 @@
                     <source>${java.version}</source>
                     <target>${java.version}</target>
                     <encoding>${project.build.sourceEncoding}</encoding>
+                    <meminitial>4096m</meminitial>
+                    <maxmem>4096m</maxmem>
                 </configuration>
             </plugin>
 
@@ -280,6 +297,10 @@
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
                     <version>3.0.0-M7</version>
+                    <configuration>
+                        <!-- 限制测试进程内存 -->
+                        <argLine>-Xmx512m</argLine>
+                    </configuration>
                 </plugin>
                 <plugin>
                     <groupId>org.jacoco</groupId>
-- 
Gitee