From bf0efaca0765cbe043a57786c701c23d352b454c Mon Sep 17 00:00:00 2001
From: "si@aidatagov.com"
Date: Sun, 30 Mar 2025 14:13:12 +0800
Subject: [PATCH] =?UTF-8?q?=E9=98=B2=E6=AD=A2=E6=B3=A8=E5=85=A5=E6=95=8F?=
 =?UTF-8?q?=E6=84=9F=E8=AF=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../module_admin/service/metasecurity_service.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/vue-fastapi-backend/module_admin/service/metasecurity_service.py b/vue-fastapi-backend/module_admin/service/metasecurity_service.py
index ef6b61c..28a2305 100644
--- a/vue-fastapi-backend/module_admin/service/metasecurity_service.py
+++ b/vue-fastapi-backend/module_admin/service/metasecurity_service.py
@@ -289,6 +289,10 @@ class MetaSecurityService:
 raise ServiceException(data='', message='用户不存在')
 if not page_object.password == user[0].password:
 raise ServiceException(data='', message='用户密码错误!')
+ forbidden_keywords = ["UPDATE", "DELETE", "INSERT", "DROP", "ALTER", "TRUNCATE"]
+ pattern = re.compile(r"\b(" + "|".join(forbidden_keywords) + r")\b", re.IGNORECASE)
+ if pattern.search(page_object.sqlStr):
+ raise ServiceException(data='', message='SQL 中包含敏感词(UPDATE, DELETE, INSERT, DROP, ALTER, TRUNCATE),禁止执行!')
 query_user = await UserDao.get_user_by_id(query_db, user_id=user[0].user_id)
 role_id_list = [item.role_id for item in query_user.get('user_role_info')]
 #2.测试数据源连接是否正常
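Review bot: The keyword denylist inserted before `query_user = await UserDao.get_user_by_id(...)` is not a sufficient control for the user-supplied `page_object.sqlStr` that this method presumably goes on to execute against the data source: not every statement that can change data or schema starts with one of these six verbs, so the authoritative protection should be a read-only database account or read-only transaction on the data-source connection, with this check kept as defense in depth and marked as such, e.g. `# Defense-in-depth only: the datasource account must be read-only; this denylist is not a security boundary.`. The list and compiled pattern are also rebuilt on every call and the keyword list is retyped by hand inside the error message; hoisting them to module-level `_FORBIDDEN_SQL_KEYWORDS` and `_FORBIDDEN_SQL_PATTERN = re.compile(r"\b(" + "|".join(_FORBIDDEN_SQL_KEYWORDS) + r")\b", re.IGNORECASE)` and building the message with `", ".join(_FORBIDDEN_SQL_KEYWORDS)` keeps them in sync. The new code relies on `re` being imported at the top of the file, which the hunk does not show, and `pattern.search` raises `TypeError` if `sqlStr` can arrive as `None` — worth a guard if the request model allows it. The enclosing method starts before and continues after this hunk.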