opentiny · msslulu · Mar 31, 2026 · Apr 17, 2026 · Apr 23, 2026 · Apr 23, 2026
diff --git a/base/src/main/java/com/tinyengine/it/dynamic/dao/DynamicSqlProvider.java b/base/src/main/java/com/tinyengine/it/dynamic/dao/DynamicSqlProvider.java
@@ -15,9 +15,7 @@ public String select(Map<String, Object> params) {
 		Integer pageSize = (Integer) params.get("pageSize");
 		String orderBy = (String) params.get("orderBy");
 		String orderType = (String) params.get("orderType");
-
 		SQL sql = new SQL();
-
 		// 选择字段
 		if (fields != null && !fields.isEmpty()) {
 			for (String field : fields) {
@@ -29,6 +27,8 @@ public String select(Map<String, Object> params) {
 
 		sql.FROM(tableName);
 
+
+
 		// 条件
 		if (conditions != null && !conditions.isEmpty()) {
 			for (Map.Entry<String, Object> entry : conditions.entrySet()) {

diff --git a/base/src/main/java/com/tinyengine/it/dynamic/dto/DynamicQuery.java b/base/src/main/java/com/tinyengine/it/dynamic/dto/DynamicQuery.java
@@ -1,19 +1,25 @@
 package com.tinyengine.it.dynamic.dto;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
 import lombok.Data;
 
 import java.util.List;
 import java.util.Map;
 
 @Data
 public class DynamicQuery {
-
+    @NotBlank(message = "表英文名不能为空")
+    @Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "模型名称格式不正确")
 	private String nameEn;          // 表名
 	private String nameCh;          // 表中文名
+	@Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "字段名称格式不正确")
 	private List<String> fields;       // 查询字段
-	@Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "字段名称格式不正确")
-	private List<String> fields;       // 查询字段
+	private List<@Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "字段名称格式不正确") String> fields;       // 查询字段
-	@Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "字段名称格式不正确")
-	private List<String> fields;       // 查询字段
+	private List<@Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "字段名称格式不正确") String> fields;       // 查询字段
 	private Map<String, Object> params; // 查询条件
 	private Integer currentPage = 1;       // 页码
 	private Integer pageSize = 10;     // 每页大小
+	@Pattern(regexp = "^[a-zA-Z_][a-zA-Z0-9_]*$", message = "排序字段格式不正确")
 	private String orderBy;            // 排序字段
+	@Pattern(regexp = "ASC|DESC", message = "排序方式必须为ASC或DESC")
 	private String orderType = "ASC";  // 排序方式
 }
diff --git a/base/src/main/java/com/tinyengine/it/dynamic/service/DynamicService.java b/base/src/main/java/com/tinyengine/it/dynamic/service/DynamicService.java
@@ -37,12 +37,11 @@ public List<JSONObject> query(DynamicQuery dto) {
 		String tableName = getTableName(dto.getNameEn());
 		Map<String, Object> params = new HashMap<>();
 		params.put("tableName", tableName);
-		params.put("fields", dto.getFields());
 		params.put("conditions", dto.getParams());
+		params.put("fields", dto.getFields());
 		params.put("pageNum", dto.getCurrentPage());
 		params.put("pageSize", dto.getPageSize());
-		params.put("orderBy", dto.getOrderBy());
-		params.put("orderType", dto.getOrderType());
+
 
 		return dynamicDao.select(params);
 	}
@@ -78,6 +77,10 @@ public Map<String, Object> queryWithPage(DynamicQuery dto) {
 		if( dto.getPageSize() == null || dto.getPageSize() <= 0) {
 			dto.setPageSize(10);
 		}
+		List<String> fields = dto.getFields();
+		// 验证字段列表
+		validateFields(fields);
+		// 验证表和数据
 		validateTableExists(dto.getNameEn());
 		validateTableAndData(dto.getNameEn(), dto.getParams());
 		List<JSONObject> list = query(dto);
@@ -206,6 +209,7 @@ public List<Map<String, Object>> getTableStructure(String tableName) {
 	 * 验证表和数据
 	 */
 	private void validateTableAndData(String tableName, Map<String, Object> data) {
+
 		if (tableName == null || tableName.trim().isEmpty()) {
 			throw new IllegalArgumentException("表名不能为空");
 		}
@@ -222,7 +226,21 @@ private void validateTableAndData(String tableName, Map<String, Object> data) {
 		// 验证字段名格式
 		for (String field : data.keySet()) {
 			if (!field.matches("^[a-zA-Z_][a-zA-Z0-9_]*$")) {
-				throw new IllegalArgumentException("字段名格式不正确: " + field);
+				throw new IllegalArgumentException("查询字段名格式不正确: " + field);
+			}
+		}
+	}
+
+	/**
+	 * 验证字段列表
+	 * @param fields
+	 */
+	private void validateFields(List<String> fields) {
+		if (fields != null) {
+			for (String field : fields) {
+				if (!field.matches("^[a-zA-Z_][a-zA-Z0-9_]*$")) {
+					throw new IllegalArgumentException("Field name format is invalid: " + field);
+				}
 			}
 		}
 	}

diff --git a/base/src/main/java/com/tinyengine/it/login/config/LoginConfig.java b/base/src/main/java/com/tinyengine/it/login/config/LoginConfig.java
@@ -44,9 +44,7 @@ public void addInterceptors(InterceptorRegistry registry) {
                 "/app-center/api/ai/chat",
                 "/app-center/api/chat/completions",
                 // 图片文件资源下载
-                "/material-center/api/resource/download/*",
-                //模型驱动
-                "/platform-center/api/model-data/**"
+                "/material-center/api/resource/download/*"
             );
     }
 }

diff --git a/base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java b/base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java
@@ -43,12 +43,10 @@ public class JwtUtil {
     private TokenBlacklistService tokenBlacklistService;
 
     private static final long EXPIRATION_TIME = 21600000L; // 6小时 = 6 * 60 * 60 * 1000 = 21600000 毫秒
-    private static final String DEFAULT_SECRET = "tiny-engine-backend-secret-key-at-jwt-login";
 
     // 避免启动时环境变量未加载的问题
     private static String getSecretString() {
-        return Optional.ofNullable(System.getenv("SECRET_STRING"))
-            .orElse(DEFAULT_SECRET);
+        return System.getenv("SECRET_STRING");
     }
 
     public static SecretKey getSecretKey() {