From e05196aaa295cbdc2412a22149f52b6080d269f4 Mon Sep 17 00:00:00 2001
From: yinq <yinq>
Date: Mon, 14 Jul 2025 15:52:49 +0800
Subject: [PATCH] =?UTF-8?q?update=20=E6=89=A7=E8=A1=8C=E8=87=AA=E5=AE=9A?=
 =?UTF-8?q?=E4=B9=89SQL=E6=9F=A5=E8=AF=A2=EF=BC=8C=E9=99=90=E5=88=B6?=
 =?UTF-8?q?=E5=8F=AA=E5=85=81=E8=AE=B8=E6=9F=A5=E8=AF=A2=E8=AF=AD=E5=8F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../system/service/impl/SysDatabaseLinkServiceImpl.java      | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysDatabaseLinkServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysDatabaseLinkServiceImpl.java
index b4965e6..6e18f69 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysDatabaseLinkServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysDatabaseLinkServiceImpl.java
@@ -307,6 +307,11 @@ public class SysDatabaseLinkServiceImpl implements ISysDatabaseLinkService {
 
     @Override
     public List<LinkedHashMap<String, Object>> querySql(Long linkId, String sql) {
+        // 校验只允许查询SQL
+        String sqlTrim = sql.trim().toLowerCase(Locale.ROOT);
+        if (!(sqlTrim.startsWith("select") || sqlTrim.startsWith("with"))) {
+            throw new RuntimeException("只允许执行查询（SELECT/CTE）语句！");
+        }
         SysDatabaseLink link = baseMapper.selectById(linkId);
         if (link == null) {
             throw new RuntimeException("数据库连接信息不存在");