fix: 严格限制分支规则#AI Commit#

Author: zqburde

dss-orchestrator/orchestrators/dss-workflow/dss-flow-execution-server/src/main/scala/com/webank/wedatasphere/dss/flow/execution/entrance/utils/BranchExpressionUtils.scala

@@ -103,7 +103,7 @@ object BranchExpressionUtils extends Logging {
           if condition.nonEmpty && !isUnsupportedDefaultKeyword(condition) && (targetName.isDefined || onFailureTarget.isDefined) =>
           Some(BranchRule(condition, targetName, onFailureTarget))
         case _ => None
-      }
+      }.getOrElse(false)
     }
   }
 
@@ -120,7 +120,7 @@ object BranchExpressionUtils extends Logging {
         case None =>
           warn(s"Invalid branch rule syntax: $line")
           None
-      }
+      }.getOrElse(false)
     }
   }
 
@@ -149,11 +149,17 @@ object BranchExpressionUtils extends Logging {
     if (normalized.isEmpty) {
       false
     } else {
-      val expr = stripExpressionWrapper(normalized)
-      if (expr.equalsIgnoreCase("true")) return true
-      if (expr.equalsIgnoreCase("false")) return false
+      if (normalized.startsWith("${") && normalized.endsWith("}")) {
+        warn(s"Invalid branch condition syntax, wrapper ${} is not allowed: $condition")
+        return false
+      }
+      val expr = normalized
       if (isUnsupportedDefaultKeyword(expr)) return false
       val operators = Seq("==", "!=", ">=", "<=", ">", "<")
+      if (!operators.exists(expr.contains)) {
+        warn(s"Invalid branch condition syntax, explicit comparison is required: $condition")
+        return false
+      }
       operators.collectFirst {
         case operator if expr.contains(operator) =>
           val parts = expr.split(java.util.regex.Pattern.quote(operator), 2).map(_.trim)
@@ -171,17 +177,7 @@ object BranchExpressionUtils extends Logging {
                 false
             }
           }
-      }.getOrElse {
-        resolveValue(expr, context) match {
-          case Some(resolved) =>
-            val matched = resolved.equalsIgnoreCase("true") || resolved.nonEmpty
-            info(s"Branch condition evaluated: expr=$expr, value=$resolved, matched=$matched")
-            matched
-          case None =>
-            warn(s"Branch condition unresolved token: expr=$expr, contextKeys=${context.keys.toSeq.sorted.mkString(",")}")
-            false
-        }
-      }
+      }.getOrElse(false)
     }
   }
 
@@ -203,7 +199,7 @@ object BranchExpressionUtils extends Logging {
         context.get(normalized)
           .orElse(context.get(unquoted))
           .orElse(if (isLiteralToken(unquoted)) Some(unquoted) else None)
-      }
+      }.getOrElse(false)
     }
   }
 
@@ -239,7 +235,7 @@ object BranchExpressionUtils extends Logging {
           case ">" | "<" | ">=" | "<=" =>
             warn(s"Branch numeric comparison requires numeric operands: left=$left, operator=$operator, right=$right")
             false
-        }
+        }.getOrElse(false)
     }
   }
 

dss-orchestrator/orchestrators/dss-workflow/dss-workflow-server/src/main/java/com/webank/wedatasphere/dss/workflow/service/impl/DSSFlowServiceImpl.java

@@ -611,7 +611,7 @@ private List<BranchRuleHolder> parseBranchRules(String branchRuleText) {
             }
         }
         for (BranchRuleHolder holder : branchRuleMap.values()) {
-            if (StringUtils.isNotBlank(holder.condition) && !isUnsupportedDefaultKeyword(holder.condition) && (StringUtils.isNotBlank(holder.targetName) || StringUtils.isNotBlank(holder.onFailure))) {
+            if (StringUtils.isNotBlank(holder.condition) && !isUnsupportedDefaultKeyword(holder.condition) && isStrictBranchCondition(holder.condition) && (StringUtils.isNotBlank(holder.targetName) || StringUtils.isNotBlank(holder.onFailure))) {
                 branchRules.add(holder);
             }
         }
@@ -645,6 +645,17 @@ private IndexedBranchRuleKey buildIndexedBranchRuleKey(String ruleType, String r
         }
     }
 
+    private boolean isStrictBranchCondition(String condition) {
+        if (StringUtils.isBlank(condition)) {
+            return false;
+        }
+        String expr = condition.trim();
+        if (expr.startsWith("${") && expr.endsWith("}")) {
+            return false;
+        }
+        return expr.contains("==") || expr.contains("!=") || expr.contains(">=") || expr.contains("<=") || expr.contains(">") || expr.contains("<");
+    }
+
     private boolean isUnsupportedDefaultKeyword(String condition) {
         if (StringUtils.isBlank(condition)) {
             return false;