1. 插入原子指标功能添加校验逻辑

2. 重新调整代码
9 months ago · 232667bf43
parent 311670ce62
commit 232667bf43
3 changed files with 57 additions and 7 deletions
--- a/src/main/java/com/supervision/police/service/ModelIndexService.java
+++ b/src/main/java/com/supervision/police/service/ModelIndexService.java
@ -44,5 +44,12 @@ public interface ModelIndexService extends IService<ModelIndex> {
     */
    Boolean saveCaseAtomicResult(CaseAtomicResultWrapper caseAtomicResultWrapper);

+    /**
+     * 检查sql语句是否合法
+     * @param sql sql语句
+     * @return
+     */
+    boolean checkSql(String sql);
+
 }

--- a/src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java
+++ b/src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java
@ -4,6 +4,8 @@ import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.lang.Assert;
 import cn.hutool.core.util.StrUtil;
 import cn.hutool.json.JSONUtil;
+import com.alibaba.druid.sql.ast.SQLStatement;
+import com.alibaba.druid.sql.dialect.mysql.parser.MySqlStatementParser;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
@ -24,15 +26,14 @@ import com.supervision.police.service.ComDictionaryService;
 import com.supervision.police.service.ModelAtomicIndexService;
 import com.supervision.police.service.ModelCaseService;
 import com.supervision.police.service.ModelIndexService;
+import com.supervision.utils.SqlParserUtil;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;

-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.stream.Collectors;

 /**
@ -57,6 +58,9 @@ public class ModelIndexServiceImpl extends ServiceImpl<ModelIndexMapper, ModelIn
    private final ModelAtomicResultMapper modelAtomicResultMapper;

    private final CasePersonMapper casePersonMapper;
+
+    @Value("${case.evidence.table}")
+    private List<String> allowedTables;
    @Override
    @Transactional(transactionManager = "dataSourceTransactionManager",rollbackFor = Exception.class)
    public R<?> selectAll(ModelIndex modelIndex, Integer page, Integer size) {
@ -143,6 +147,11 @@ public class ModelIndexServiceImpl extends ServiceImpl<ModelIndexMapper, ModelIn
    @Transactional(transactionManager = "dataSourceTransactionManager",rollbackFor = Exception.class)
    public R<?> addOrUpdAtomic(ModelAtomicIndex modelAtomicIndex) {
        int i = 0;
+        if (StringUtils.equals("2", modelAtomicIndex.getIndexSource())){
+            // 如果查询类型为数据查询，则校验查询语句
+            Assert.notEmpty(modelAtomicIndex.getQueryLang(), "查询语言不能为空");
+            Assert.isFalse(checkSql(modelAtomicIndex.getQueryLang()), "查询语句不合法");
+        }
        if (StringUtils.isEmpty(modelAtomicIndex.getId())) {
            i = modelAtomicIndexService.getMapper().insert(modelAtomicIndex);
        } else {
@ -251,6 +260,40 @@ public class ModelIndexServiceImpl extends ServiceImpl<ModelIndexMapper, ModelIn
    }


+    @Override
+    public boolean checkSql(String sql) {
+        if (StringUtils.isEmpty(sql)) {
+            return false;
+        }
+        if (CollUtil.isEmpty(this.allowedTables)){
+            log.info("checkSql:未配置允许的表");
+            return false;
+        }
+        MySqlStatementParser parser = new MySqlStatementParser(sql);
+        SQLStatement sqlStatement = SqlParserUtil.parseStatement(parser);
+        if (Objects.isNull(sqlStatement)) {
+            log.warn("checkSql sql:{}语句解析失败", sql);
+            return false;
+        }
+        String sqlType = SqlParserUtil.detectSQLType(sqlStatement);
+        if (!"SELECT".equals(sqlType)) {
+            log.warn("checkSql:只支持查询类型语句");
+            return false;
+        }
+        List<String> tableList = SqlParserUtil.extractTableNames(sqlStatement);
+        if (CollUtil.isEmpty(tableList)){
+            log.warn("checkSql:未检测到表");
+            return false;
+        }
+
+        long count = tableList.stream().filter(table -> !this.allowedTables.contains(table)).count();
+        if (count > 0){
+            log.warn("checkSql:表{}不在允许的表列表中",tableList);
+            return false;
+        }
+        return true;
+    }
+
    /**
     * 清空案件下的评估结果
     * @param caseId 案件id
--- a/src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java
+++ b/src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java
@ -19,6 +19,7 @@ import com.supervision.police.dto.JudgeLogic;
 import com.supervision.police.dto.caseScore.CaseScoreDetailBuilder;
 import com.supervision.police.mapper.*;
 import com.supervision.police.mybatis.RowSqlMapper;
+import com.supervision.police.service.ModelIndexService;
 import com.supervision.police.service.ModelService;
 import com.supervision.utils.SqlParserUtil;
 import lombok.RequiredArgsConstructor;
@ -52,8 +53,7 @@ public class ModelServiceImpl implements ModelService {

    private final RowSqlMapper rowSqlMapper;

-    @Value("${case.evidence.table}")
-    private List<String> allowedTables;
+    private final ModelIndexService modelIndexService;

    @Override
    public R<?> analyseCase(AnalyseCaseDTO analyseCaseDTO) {
@ -300,7 +300,7 @@ public class ModelServiceImpl implements ModelService {
        params.put("party_a", analyseCaseDTO.getLawActorName());
        params.put("party_b", analyseCaseDTO.getLawParty());
        boolean success = false;
-        if (checkSql(sql,allowedTables)){
+        if (modelIndexService.checkSql(sql)){
            success = parseResult(rowSqlMapper.selectList(sql, params, Map.class));
        }
        result.setAtomicResult(success ? "1" : "0");