Files
X-Agents/agent/app/agent/tools/impl/database.py
DESKTOP-72TV0V4\caoxiaozhu b2bc9988a9 feat: 重构前后端架构,添加Go后端和Python Agent服务
- 新增 Go 语言后端服务(server/),包含用户认证、Agent管理、数据库连接等API
- 新增 Python Agent 服务(agent/),实现Agent核心逻辑和工具集
- 前端从原生HTML迁移到Vue.js框架(web/src/)
- 添加 Docker Compose 支持(docker-compose.yml)
- 添加项目架构文档(docs/ARCHITECTURE.md)
- 添加环境变量示例(.env.example)和本地启动脚本(start-local.ps1)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 16:39:42 +08:00

97 lines
2.5 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
"""
数据库查询工具 - 安全的数据查询接口
"""
from typing import Dict, Any, List, Optional
import os
# 只读查询白名单 - 只允许 SELECT 语句
ALLOWED_TABLES = ["users", "agents", "sessions", "audit_logs"]
class DatabaseQueryTool:
"""
数据库查询工具
安全特性:
- 只允许 SELECT 查询
- 表名白名单
- 结果数量限制
"""
def __init__(self, connection_string: str = ""):
self.connection_string = connection_string or os.getenv(
"DATABASE_URL",
"postgresql://postgres:postgres@localhost:5432/x_agents"
)
self.max_rows = 100 # 最多返回100行
def query(self, sql: str, params: List[Any] = None) -> Dict[str, Any]:
"""
执行查询
Args:
sql: SQL 查询语句(必须是 SELECT
params: 查询参数
Returns:
查询结果
"""
# 安全检查1: 必须是 SELECT 语句
sql_upper = sql.strip().upper()
if not sql_upper.startswith("SELECT"):
return {
"success": False,
"error": "Only SELECT queries are allowed"
}
# 安全检查2: 禁止危险关键字
dangerous_keywords = [
"DROP", "DELETE", "INSERT", "UPDATE", "ALTER",
"CREATE", "TRUNCATE", "EXEC", "EXECUTE"
]
for keyword in dangerous_keywords:
if keyword in sql_upper:
return {
"success": False,
"error": f"Keyword '{keyword}' is not allowed"
}
# 安全检查3: 表名白名单
for table in ALLOWED_TABLES:
if f"FROM {table}" in sql_upper or f"JOIN {table}" in sql_upper:
# 表名在白名单中,允许
break
else:
# 没有找到白名单表
return {
"success": False,
"error": f"Table not in whitelist. Allowed: {ALLOWED_TABLES}"
}
# TODO: 实际执行查询(需要数据库连接)
# 这里返回模拟数据
return {
"success": True,
"message": "Query executed (mock mode - database not connected)",
"rows": [],
"columns": []
}
# 全局实例
db_tool = DatabaseQueryTool()
def query_data(sql: str) -> Dict[str, Any]:
"""
查询数据工具
Args:
sql: SELECT 查询语句
Returns:
查询结果
"""
return db_tool.query(sql)