From e5dfbb23ac6fd3fc857fa93c5f6c4cb934db1458 Mon Sep 17 00:00:00 2001
From: gigibox <gigibox@163.com>
Date: 星期二, 20 六月 2023 16:18:48 +0800
Subject: [PATCH] 添加sql语句校验, 查询接口只允许查询操作

---
 kingdee/query.go |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/kingdee/query.go b/kingdee/query.go
index 3926f88..cfbaeb8 100644
--- a/kingdee/query.go
+++ b/kingdee/query.go
@@ -2,6 +2,7 @@
 
 import (
 	"encoding/json"
+	"strings"
 
 	"kingdee-dbapi/config"
 	"kingdee-dbapi/logger"
@@ -14,6 +15,12 @@
 	var sql = string(data)
 
 	logger.Debug("鎺ユ敹鍒版煡璇㈣姹�,%s", sql)
+
+	if !sqlCheck(sql) {
+		logger.Warn("璇嗗埆鍒板嵄闄╃殑sql璇彞, 鎷掔粷鎵ц. %s", sql)
+
+		return nil
+	}
 
 	if db == nil {
 		logger.Debug("鏁版嵁搴撴湭杩炴帴")
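Review bot: The rejected-statement branch added after the Debug call returns a bare `nil`, the same value the function appears to return for a successful query with no rows (see the `return nil` at the end of the function in the next hunk), so the caller cannot tell a refused statement from an empty result and the HTTP layer presumably answers 200 with no body. The rejection should be surfaced to the caller, e.g. by returning a distinguishable result or, if the signature can change, an error such as `return nil, errors.New("statement rejected: only read queries are allowed")`. The log strings in this hunk are garbled in the patch (likely a transfer-encoding artifact), which is worth confirming against the checked-in file. The enclosing function begins and ends outside this hunk.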
@@ -66,3 +73,18 @@
 
 	return nil
 }
+
+// 绠�鍗曡繃婊や笅sql璇彞,鎷掔粷澧炲垹鏀规搷浣�
+func sqlCheck(sql string) bool {
+	var dangerousWords = []string{"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "DECLARE", "EXECUTE", "EXEC", "INTO", "TRANCATE"}
+
+	var upperStr = strings.ToUpper(sql)
+
+	for _, word := range dangerousWords {
+		if strings.Contains(upperStr, word) {
+			return false
+		}
+	}
+
+	return true
+}
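Review bot: The keyword list in sqlCheck misspells TRUNCATE as `"TRANCATE"`, so the statement the author meant to block is not actually covered; change it to `"TRUNCATE"`. The check is also a plain `strings.Contains` on the upper-cased text, so any identifier containing one of the words (a column named `last_update`, a table named `inventory`, which contains `INTO`) is rejected as a false positive, while a denylist by construction cannot prove a statement is read-only. Treat this function as a coarse pre-filter and enforce read-only at the database layer instead (a SELECT-only account for the connection behind `db`, or a read-only transaction), and say so in the doc comment: `// sqlCheck is a coarse pre-filter that rejects statements containing common DML/DDL keywords; it is not an authorization boundary, the database account behind db must itself be limited to read access.` The existing comment on the function is garbled in the patch and should be checked in the source file.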

--
Gitblit v1.8.0