From ad0c3cdd7c002c20fb6b8c939e6f290227d2bf90 Mon Sep 17 00:00:00 2001
From: caoqianming
Date: Thu, 6 Jul 2023 16:58:04 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20dataset=20validate=E9=BB=98=E8=AE=A4sql?= =?UTF-8?q?=5Fquery=E4=B8=BA=E7=A9=BA/=E7=BC=BA=E5=B0=91=E6=9F=A5=E8=AF=A2?= =?UTF-8?q?=E5=8F=82=E6=95=B0=E6=8F=90=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/bi/serializers.py | 2 +-
 apps/bi/views.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/apps/bi/serializers.py b/apps/bi/serializers.py
index 22a88f6c..1225e89b 100644
--- a/apps/bi/serializers.py
+++ b/apps/bi/serializers.py
@@ -11,7 +11,7 @@ class DatasetCreateUpdateSerializer(CustomModelSerializer):
 exclude = EXCLUDE_FIELDS
 def validate(self, attrs):
- sql_query = attrs['sql_query']
+ sql_query = attrs.get('sql_query', '')
 if sql_query:
 check_sql_safe(sql_query)
 return attrs
diff --git a/apps/bi/views.py b/apps/bi/views.py
index 8c561312..f9678556 100644
--- a/apps/bi/views.py
+++ b/apps/bi/views.py
@@ -70,6 +70,8 @@ class DatasetViewSet(CustomModelViewSet):
 if dt.sql_query:
 sql_f_ = check_sql_safe(dt.sql_query.format(**query))
+ if '{' in sql_f_:
+ raise ParseError('未指定查询参数')
 sql_f_l = sql_f_.strip(';').split(';')
 hash_k = hash(sql_f_.strip(';'))
 hash_v = cache.get(hash_k, None)
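Review bot: `validate` screens only the stored template, with its placeholders still unfilled, so the call deserves a comment saying the rendered statement is checked again at query time. Something like `# pre-screen of the raw template only; the view re-checks the SQL after the query values are formatted in` above `check_sql_safe(sql_query)` would stop a reader from treating the save-time check as the security boundary. With `attrs.get('sql_query', '')`, a partial update that omits the field now skips the check, which looks intended since the stored value is not being changed. The serializer class begins outside the hunk.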
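Review bot: The added `if '{' in sql_f_:` test runs after `dt.sql_query.format(**query)`, and `str.format` raises `KeyError` for a placeholder with no matching key, so a missing parameter most likely never reaches the new `ParseError` unless something outside the hunk catches it. Catching it at the call is more direct: `try: sql_f_ = check_sql_safe(dt.sql_query.format(**query))` followed by `except (KeyError, IndexError): raise ParseError('未指定查询参数')`. As written, the brace test fires mainly when a supplied value or an escaped `{{` in the template leaves a brace in the rendered text. Separately, caller-supplied values are interpolated straight into the SQL text, so `check_sql_safe` (not shown on this page) is the only visible gate, and bound parameters would be the stronger control. The enclosing view method starts and ends outside the hunk.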