🐛 fix: 修复部分可能形成 SQL 注入的风险

2025-03-26 13:41:18 +08:00
parent aca18fab0f
commit d4bcb8174e
3 changed files with 22 additions and 21 deletions
@@ -128,24 +128,23 @@ class SQLiteDatabase(BaseDatabase):
        except sqlite3.ProgrammingError:
            c = self._get_conn(self.db_path).cursor()

-        where_clause = ""
-        if session_id or provider_type:
-            where_clause += " WHERE "
-            has = False
-            if session_id:
-                where_clause += f"session_id = '{session_id}'"
-                has = True
-            if provider_type:
-                if has:
-                    where_clause += " AND "
-                where_clause += f"provider_type = '{provider_type}'"
+        conditions = []
+        params = []
+
+        if session_id:
+            conditions.append("session_id = ?")
+            params.append(session_id)
+
+        if provider_type:
+            conditions.append("provider_type = ?")
+            params.append(provider_type)
+
+        sql = "SELECT * FROM llm_history"
+        if conditions:
+            sql += " WHERE " + " AND ".join(conditions)
+
+        c.execute(sql, params)

-        c.execute(
-            """
-            SELECT * FROM llm_history
-            """
-            + where_clause
-        )
        res = c.fetchall()
        histories = []
        for row in res:
@@ -38,11 +38,13 @@ CREATE TABLE IF NOT EXISTS atri_vision(
 );

 CREATE TABLE IF NOT EXISTS webchat_conversation(
-    user_id TEXT,
-    cid TEXT,
+    user_id TEXT, -- 会话 id
+    cid TEXT, -- 对话 id
    history TEXT,
    created_at INTEGER,
    updated_at INTEGER,
    title TEXT,
    persona_id TEXT
-);
+);
+
+PRAGMA encoding = 'UTF-8';
@@ -128,7 +128,7 @@ class LLMRequestSubStage(Stage):

        # max context length
        if (
-            self.max_context_length != -1 # -1 为不限制
+            self.max_context_length != -1  # -1 为不限制
            and len(req.contexts) // 2 > self.max_context_length
        ):
            logger.debug("上下文长度超过限制，将截断。")