From 770a7ec3ea3790b79fa8d846826d6e9f29f2866a Mon Sep 17 00:00:00 2001 From: Yuanruirui <3079566302@qq.com> Date: Wed, 13 May 2026 19:47:12 +0800 Subject: [PATCH] =?UTF-8?q?=E4=B8=8A=E4=BC=A0=E6=96=87=E4=BB=B6=E8=87=B3?= =?UTF-8?q?=20'w9'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- w9/ai询问.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 w9/ai询问.txt diff --git a/w9/ai询问.txt b/w9/ai询问.txt new file mode 100644 index 0000000..2222686 --- /dev/null +++ b/w9/ai询问.txt @@ -0,0 +1,10 @@ +⚠️ 潜在越权行为 +违规场景 风险描述 正确做法 +ListCommand 直接调用 ArticleRepository.findAll() Command 跳过 Controller 直接访问数据层 Command → Controller → Repository +CrawlerController 直接返回 List
原始引用 外部可修改文章列表,破坏封装 返回 Collections.unmodifiableList() 或副本 +HistoryCommand 暴露内部 List 调用方可清空/修改历史记录 getHistory() 返回 new ArrayList<>(history) +✅ 正确的调用链 +text +用户输入 → Command (调用) → Controller → Repository → 返回数据 + ↓ + (返回给 Command 展示) \ No newline at end of file
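Review bot: The heading `⚠️ 潜在越权行为` on the first added line of w9/ai询问.txt labels these findings as unauthorized-access ("越权") issues, but all three rows describe layering and encapsulation defects (ListCommand calling ArticleRepository.findAll() past the Controller, CrawlerController and HistoryCommand handing out mutable internal List references), not access-control bugs; retitle the note (for example 分层/封装问题) so it is not triaged alongside real authorization findings. The 正确做法 column also presents `Collections.unmodifiableList()` and a copy as interchangeable, yet the former is a read-only live view that still reflects later internal mutation while `new ArrayList<>(history)` is a snapshot, so state which behaviour the project wants and apply the same choice to both CrawlerController and HistoryCommand. Minor: the three-column table (违规场景 / 风险描述 / 正确做法) is flattened into space-separated text, and the file ends without a trailing newline (`\ No newline at end of file`); a Markdown table and a final newline would keep the note readable and future diffs clean.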