update 执行自定义SQL查询，限制只允许查询语句

ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysDatabaseLinkServiceImpl.java

@@ -307,6 +307,11 @@ public class SysDatabaseLinkServiceImpl implements ISysDatabaseLinkService {
 
     @Override
     public List<LinkedHashMap<String, Object>> querySql(Long linkId, String sql) {
+        // 校验只允许查询SQL
+        String sqlTrim = sql.trim().toLowerCase(Locale.ROOT);
+        if (!(sqlTrim.startsWith("select") || sqlTrim.startsWith("with"))) {
+            throw new RuntimeException("只允许执行查询（SELECT/CTE）语句！");
+        }
         SysDatabaseLink link = baseMapper.selectById(linkId);
         if (link == null) {
             throw new RuntimeException("数据库连接信息不存在");