1. 插入原子指标功能添加校验逻辑

2. 重新调整代码

src/main/java/com/supervision/police/service/ModelIndexService.java

@@ -44,5 +44,12 @@ public interface ModelIndexService extends IService<ModelIndex> {
      */
     Boolean saveCaseAtomicResult(CaseAtomicResultWrapper caseAtomicResultWrapper);
 
+    /**
+     * 检查sql语句是否合法
+     * @param sql sql语句
+     * @return
+     */
+    boolean checkSql(String sql);
+
 }
 

src/main/java/com/supervision/police/service/impl/ModelIndexServiceImpl.java

@@ -4,6 +4,8 @@ import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.lang.Assert;
 import cn.hutool.core.util.StrUtil;
 import cn.hutool.json.JSONUtil;
+import com.alibaba.druid.sql.ast.SQLStatement;
+import com.alibaba.druid.sql.dialect.mysql.parser.MySqlStatementParser;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
@@ -24,15 +26,14 @@ import com.supervision.police.service.ComDictionaryService;
 import com.supervision.police.service.ModelAtomicIndexService;
 import com.supervision.police.service.ModelCaseService;
 import com.supervision.police.service.ModelIndexService;
+import com.supervision.utils.SqlParserUtil;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import java.util.ArrayList;
+import java.util.*;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
 import java.util.stream.Collectors;
 
 /**
@@ -57,6 +58,9 @@ public class ModelIndexServiceImpl extends ServiceImpl<ModelIndexMapper, ModelIn
     private final ModelAtomicResultMapper modelAtomicResultMapper;
 
     private final CasePersonMapper casePersonMapper;
+
+    @Value("${case.evidence.table}")
+    private List<String> allowedTables;
     @Override
     @Transactional(transactionManager = "dataSourceTransactionManager",rollbackFor = Exception.class)
     public R<?> selectAll(ModelIndex modelIndex, Integer page, Integer size) {
@@ -143,6 +147,11 @@ public class ModelIndexServiceImpl extends ServiceImpl<ModelIndexMapper, ModelIn
     @Transactional(transactionManager = "dataSourceTransactionManager",rollbackFor = Exception.class)
     public R<?> addOrUpdAtomic(ModelAtomicIndex modelAtomicIndex) {
         int i = 0;
+        if (StringUtils.equals("2", modelAtomicIndex.getIndexSource())){
+            // 如果查询类型为数据查询，则校验查询语句
+            Assert.notEmpty(modelAtomicIndex.getQueryLang(), "查询语言不能为空");
+            Assert.isFalse(checkSql(modelAtomicIndex.getQueryLang()), "查询语句不合法");
+        }
         if (StringUtils.isEmpty(modelAtomicIndex.getId())) {
             i = modelAtomicIndexService.getMapper().insert(modelAtomicIndex);
         } else {
@@ -251,6 +260,40 @@ public class ModelIndexServiceImpl extends ServiceImpl<ModelIndexMapper, ModelIn
     }
 
 
+    @Override
+    public boolean checkSql(String sql) {
+        if (StringUtils.isEmpty(sql)) {
+            return false;
+        }
+        if (CollUtil.isEmpty(this.allowedTables)){
+            log.info("checkSql:未配置允许的表");
+            return false;
+        }
+        MySqlStatementParser parser = new MySqlStatementParser(sql);
+        SQLStatement sqlStatement = SqlParserUtil.parseStatement(parser);
+        if (Objects.isNull(sqlStatement)) {
+            log.warn("checkSql sql:{}语句解析失败", sql);
+            return false;
+        }
+        String sqlType = SqlParserUtil.detectSQLType(sqlStatement);
+        if (!"SELECT".equals(sqlType)) {
+            log.warn("checkSql:只支持查询类型语句");
+            return false;
+        }
+        List<String> tableList = SqlParserUtil.extractTableNames(sqlStatement);
+        if (CollUtil.isEmpty(tableList)){
+            log.warn("checkSql:未检测到表");
+            return false;
+        }
+
+        long count = tableList.stream().filter(table -> !this.allowedTables.contains(table)).count();
+        if (count > 0){
+            log.warn("checkSql:表{}不在允许的表列表中",tableList);
+            return false;
+        }
+        return true;
+    }
+
     /**
      * 清空案件下的评估结果
      * @param caseId 案件id

src/main/java/com/supervision/police/service/impl/ModelServiceImpl.java

@@ -19,6 +19,7 @@ import com.supervision.police.dto.JudgeLogic;
 import com.supervision.police.dto.caseScore.CaseScoreDetailBuilder;
 import com.supervision.police.mapper.*;
 import com.supervision.police.mybatis.RowSqlMapper;
+import com.supervision.police.service.ModelIndexService;
 import com.supervision.police.service.ModelService;
 import com.supervision.utils.SqlParserUtil;
 import lombok.RequiredArgsConstructor;
@@ -52,8 +53,7 @@ public class ModelServiceImpl implements ModelService {
 
     private final RowSqlMapper rowSqlMapper;
 
-    @Value("${case.evidence.table}")
+    private final ModelIndexService modelIndexService;
-    private List<String> allowedTables;
 
     @Override
     public R<?> analyseCase(AnalyseCaseDTO analyseCaseDTO) {
@@ -300,7 +300,7 @@ public class ModelServiceImpl implements ModelService {
         params.put("party_a", analyseCaseDTO.getLawActorName());
         params.put("party_b", analyseCaseDTO.getLawParty());
         boolean success = false;
-        if (checkSql(sql,allowedTables)){
+        if (modelIndexService.checkSql(sql)){
             success = parseResult(rowSqlMapper.selectList(sql, params, Map.class));
         }
         result.setAtomicResult(success ? "1" : "0");