From 232667bf43a4cce6f73d5f54e9bca25aa67cba22 Mon Sep 17 00:00:00 2001
From: xueqingkun
Date: Wed, 24 Jul 2024 14:08:21 +0800
Subject: [PATCH] =?UTF-8?q?1.=20=E6=8F=92=E5=85=A5=E5=8E=9F=E5=AD=90?=
 =?UTF-8?q?=E6=8C=87=E6=A0=87=E5=8A=9F=E8=83=BD=E6=B7=BB=E5=8A=A0=E6=A0=A1?=
 =?UTF-8?q?=E9=AA=8C=E9=80=BB=E8=BE=91=202.=20=E9=87=8D=E6=96=B0=E8=B0=83?=
 =?UTF-8?q?=E6=95=B4=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../police/service/ModelIndexService.java | 7 +++
 .../service/impl/ModelIndexServiceImpl.java | 51 +++++++++++++++++-
 .../police/service/impl/ModelServiceImpl.java | 6 +-
 3 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/src/main/java/com/supervision/police/service/ModelIndexService.java b/src/main/java/com/supervision/police/service/ModelIndexService.java
index 01bb98e..b46d481 100644
--- a/src/main/java/com/supervision/police/service/ModelIndexService.java
+++ b/src/main/java/com/supervision/police/service/ModelIndexService.java
@@ -44,5 +44,12 @@ public interface ModelIndexService extends IService {
 */
 Boolean saveCaseAtomicResult(CaseAtomicResultWrapper caseAtomicResultWrapper);
+ /**
+ * 检查sql语句是否合法
+ * @param sql sql语句
+ * @return
+ */
+ boolean checkSql(String sql);
+
 }
diff --git a/src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java b/src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java
index 6267e36..30ec2c2 100644
--- a/src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java
+++ b/src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java
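Review bot: The new `checkSql` declaration leaves `@return` empty and its summary ("检查sql语句是否合法") does not define what a legal statement is, yet both `addOrUpdAtomic` and `ModelServiceImpl` now treat this boolean as the gate before user-supplied SQL is stored or executed. Document the contract from what the implementation actually does, e.g. `@return true only if every table referenced by the statement is in the configured table allowlist; false if no table is detected or any referenced table is not allowed`, and state whether a statement that fails to parse yields false or throws, since that part of the implementation is not visible in this patch. It is also worth saying that a false result is only logged at warn level, so callers must raise their own error.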
@@ -4,6 +4,8 @@ import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.lang.Assert;
 import cn.hutool.core.util.StrUtil;
 import cn.hutool.json.JSONUtil;
+import com.alibaba.druid.sql.ast.SQLStatement;
+import com.alibaba.druid.sql.dialect.mysql.parser.MySqlStatementParser;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
@@ -24,15 +26,14 @@ import com.supervision.police.service.ComDictionaryService;
 import com.supervision.police.service.ModelAtomicIndexService;
 import com.supervision.police.service.ModelCaseService;
 import com.supervision.police.service.ModelIndexService;
+import com.supervision.utils.SqlParserUtil;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.stream.Collectors;
 /**
@@ -57,6 +58,9 @@ public class ModelIndexServiceImpl extends ServiceImpl allowedTables;
 @Override
 @Transactional(transactionManager = "dataSourceTransactionManager",rollbackFor = Exception.class)
 public R selectAll(ModelIndex modelIndex, Integer page, Integer size) {
@@ -143,6 +147,11 @@ public class ModelIndexServiceImpl extends ServiceImpl addOrUpdAtomic(ModelAtomicIndex modelAtomicIndex) {
 int i = 0;
+ if (StringUtils.equals("2", modelAtomicIndex.getIndexSource())){
+ // 如果查询类型为数据查询,则校验查询语句
+ Assert.notEmpty(modelAtomicIndex.getQueryLang(), "查询语言不能为空");
+ Assert.isFalse(checkSql(modelAtomicIndex.getQueryLang()), "查询语句不合法");
+ }
 if (StringUtils.isEmpty(modelAtomicIndex.getId())) {
 i = modelAtomicIndexService.getMapper().insert(modelAtomicIndex);
 } else {
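Review bot: `import java.util.*;` replaces four explicit imports while the rest of the import list, including `java.util.stream.Collectors` on the very next line, stays explicit. A wildcard import hides which collection types this class depends on and can change meaning silently if a same-named class later appears in another imported package; keep `ArrayList`, `Collection`, `List` and `Map` explicit and add only whatever additional `java.util` type the new `checkSql` code uses (which one that is is not visible in this patch).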
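Review bot: The new assertion on the query language is inverted: hutool's `Assert.isFalse` throws when its argument is true, and `checkSql` returns true for a statement whose tables are all allowed (its body returns `true` after both allowlist checks, and `ModelServiceImpl` executes the query only when it returns true), so every legitimate data-query index is rejected with "查询语句不合法" while a statement referencing a disallowed table is saved without complaint. Change it to `Assert.isTrue(checkSql(modelAtomicIndex.getQueryLang()), "查询语句不合法");`. The execution-time check in `ModelServiceImpl` still stops a stored disallowed statement from running, but the save-time validation this commit adds currently does the opposite of its intent. `addOrUpdAtomic` continues beyond the hunk.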
@@ -251,6 +260,40 @@ public class ModelIndexServiceImpl extends ServiceImpl tableList = SqlParserUtil.extractTableNames(sqlStatement);
+ if (CollUtil.isEmpty(tableList)){
+ log.warn("checkSql:未检测到表");
+ return false;
+ }
+
+ long count = tableList.stream().filter(table -> !this.allowedTables.contains(table)).count();
+ if (count > 0){
+ log.warn("checkSql:表{}不在允许的表列表中",tableList);
+ return false;
+ }
+ return true;
+ } + /** + * 清空案件下的评估结果 + * @param caseId 案件id
diff --git a/src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java b/src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java
index de5c85b..7b54c9e 100644
--- a/src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java
+++ b/src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java
@@ -19,6 +19,7 @@ import com.supervision.police.dto.JudgeLogic;
 import com.supervision.police.dto.caseScore.CaseScoreDetailBuilder;
 import com.supervision.police.mapper.*;
 import com.supervision.police.mybatis.RowSqlMapper;
+import com.supervision.police.service.ModelIndexService;
 import com.supervision.police.service.ModelService;
 import com.supervision.utils.SqlParserUtil;
 import lombok.RequiredArgsConstructor;
@@ -52,8 +53,7 @@ public class ModelServiceImpl implements ModelService {
 private final RowSqlMapper rowSqlMapper;
- @Value("${case.evidence.table}")
- private List allowedTables;
+ private final ModelIndexService modelIndexService;
 @Override
 public R analyseCase(AnalyseCaseDTO analyseCaseDTO) {
@@ -300,7 +300,7 @@ public class ModelServiceImpl implements ModelService {
 params.put("party_a", analyseCaseDTO.getLawActorName());
 params.put("party_b", analyseCaseDTO.getLawParty());
 boolean success = false;
- if (checkSql(sql,allowedTables)){
+ if (modelIndexService.checkSql(sql)){
 success = parseResult(rowSqlMapper.selectList(sql, params, Map.class));
 }
 result.setAtomicResult(success ? "1" : "0");
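Review bot: The allowlist comparison `!this.allowedTables.contains(table)` is an exact string match on whatever `SqlParserUtil.extractTableNames` returns, so whether a back-quoted, schema-qualified or differently-cased reference to an allowed table is accepted or rejected depends on normalisation that is not visible here; either normalise both sides (strip quoting, lower-case with `Locale.ROOT`) before the `contains`, or document that `case.evidence.table` must list names exactly in the form the parser yields. The warning then logs the whole `tableList` rather than the names that failed; collecting them instead of counting — `List<String> disallowed = tableList.stream().filter(table -> !this.allowedTables.contains(table)).collect(Collectors.toList());` — and logging `disallowed` when it is non-empty tells operators which table was actually attempted, which matters because a rejection is otherwise visible only in this log line. The beginning of `checkSql` (the parse, any restriction on statement type, and parser-exception handling) lies in the part of the hunk the rendering cut off before `tableList`, so I cannot confirm it here.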
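Review bot: After the switch to `modelIndexService.checkSql(sql)`, a statement rejected by the table allowlist and a statement that ran and matched nothing both end in `success == false` and `setAtomicResult("0")`; this was already true of the old `checkSql(sql,allowedTables)`, but now that the gate is shared it is worth adding an `else` branch here that records which atomic index was rejected, so a blocked statement is distinguishable from a genuinely negative result. Separately, the diffstat leaves this file with exactly the three deletions visible in this patch, so if `checkSql(String, List)` was a private helper of this class it is now unreferenced but still present; remove it (and the `SqlParserUtil` import if nothing else in the class uses it) so the allowlist has a single implementation. The enclosing method continues outside the hunk.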