修复代码审查问题: SQL参数化/关系查询逻辑/数据库密码校验

Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/ade2eb4a-06f6-42c6-a33a-fe0503789458

Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-04-03 07:36:33 +00:00 committed by GitHub
parent 37912abc51
commit 28c5516a39
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 17 additions and 15 deletions

View File

@ -17,7 +17,12 @@ const pool = new Pool({
host: process.env.ZY_DB_HOST || '127.0.0.1',
port: parseInt(process.env.ZY_DB_PORT || '5432', 10),
user: process.env.ZY_DB_USER || 'zy_admin',
password: process.env.ZY_DB_PASS || '',
password: process.env.ZY_DB_PASS || (() => {
if (process.env.NODE_ENV === 'production') {
console.error('[DB] 严重: 生产环境未配置ZY_DB_PASS');
}
return '';
})(),
database: process.env.ZY_DB_NAME || 'age_os',
max: 10,
idleTimeoutMillis: 30000,

View File

@ -201,12 +201,13 @@ async function queryNodes(input) {
}
const limit = Math.min(input.limit || 50, 200);
values.push(limit);
const sql = `SELECT id, title, node_type, parent_id, path, tags, source, source_url, content_url, summary, status, owner, created_at, updated_at
FROM brain_nodes
WHERE ${conditions.join(' AND ')}
ORDER BY updated_at DESC
LIMIT ${limit}`;
LIMIT $${paramIndex}`;
const result = await db.query(sql, values);

View File

@ -50,22 +50,18 @@ async function getRelations(input) {
const values = [];
let paramIndex = 1;
if (dir === 'outgoing' || dir === 'both') {
if (dir === 'both') {
conditions.push(`(from_node_id = $${paramIndex} OR to_node_id = $${paramIndex})`);
values.push(node_id);
paramIndex++;
} else if (dir === 'outgoing') {
conditions.push(`from_node_id = $${paramIndex}`);
values.push(node_id);
paramIndex++;
}
if (dir === 'incoming' || dir === 'both') {
if (dir === 'both') {
// 用 OR 合并
conditions[0] = `(from_node_id = $1 OR to_node_id = $${paramIndex})`;
values.push(node_id);
paramIndex++;
} else {
conditions.push(`to_node_id = $${paramIndex}`);
values.push(node_id);
paramIndex++;
}
} else {
conditions.push(`to_node_id = $${paramIndex}`);
values.push(node_id);
paramIndex++;
}
if (relation_type) {