From 3c52cc26c4cca1000294346cf99a84b25d38bfb2 Mon Sep 17 00:00:00 2001
From: taojinlong
Date: Tue, 14 Oct 2025 17:35:28 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E9=9B=86=E5=AD=98=E5=9C=A8SQL=E6=B3=A8=E5=85=A5=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/io/dataease/datasource/provider/EsProvider.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/provider/EsProvider.java b/core/core-backend/src/main/java/io/dataease/datasource/provider/EsProvider.java
index baf6e6fcc0..2421e874ba 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/provider/EsProvider.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/provider/EsProvider.java
@@ -95,6 +95,9 @@ public class EsProvider extends Provider {
 try {
 String sql;
 if (datasourceRequest.getTable() != null) {
+ if (!getTables(datasourceRequest).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains(datasourceRequest.getTable())) {
+ DEException.throwException("无效的表名!");
+ }
 sql = "select * from \"" + datasourceRequest.getTable() + "\" limit 0";
 } else {
 sql = datasourceRequest.getQuery();
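Review bot: The new allowlist check is the only barrier in front of the string-built `select * from "..."` statement, and the statement still concatenates the raw request value instead of the name that matched in `getTables`. Take the matched name from the list and build the SQL from that, for example `String table = getTables(datasourceRequest).stream().map(DatasetTableDTO::getTableName).filter(datasourceRequest.getTable()::equals).findFirst().orElse(null);` followed by `if (table == null) { DEException.throwException("无效的表名!"); }`, and add a comment stating that the identifier is quoted but not escaped. The `else` branch still assigns `datasourceRequest.getQuery()` unchanged; if the same caller can reach that field, this fix closes only the table path, so that is worth confirming. The check also runs inside a `try` whose `catch` lies outside the hunk, so verify that the thrown `DEException` is not rewrapped into a generic error, and that the extra `getTables` round trip per call is acceptable.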