security: fix RCE via terminology poisoning and restrict upload access

jackieya · jackieya · commit 6c2c7634f886 · 2026-03-12T19:16:30.000+08:00
diff --git a/backend/apps/db/db.py b/backend/apps/db/db.py
@@ -670,7 +670,7 @@ def check_sql_read(sql: str, ds: CoreDatasource | AssistantOutDsSchema):
         write_types = (
             exp.Insert, exp.Update, exp.Delete,
             exp.Create, exp.Drop, exp.Alter,
-            exp.Merge, exp.Command
+            exp.Merge, exp.Command, exp.Copy
         )
 
         for stmt in statements:
diff --git a/backend/apps/terminology/api/terminology.py b/backend/apps/terminology/api/terminology.py
@@ -164,6 +164,7 @@ def inner():
 
 
 @router.post("/uploadExcel", summary=f"{PLACEHOLDER_PREFIX}upload_term")
+@require_permissions(permission=SqlbotPermission(role=['ws_admin']))
 @system_log(LogConfig(operation_type=OperationType.IMPORT, module=OperationModules.TERMINOLOGY))
 async def upload_excel(trans: Trans, current_user: CurrentUser, file: UploadFile = File(...)):
     ALLOWED_EXTENSIONS = {"xlsx", "xls"}

Original file line number	Diff line number	Diff line change
`@@ -670,7 +670,7 @@ def check_sql_read(sql: str, ds: CoreDatasource \| AssistantOutDsSchema):`
`670`	`670`	`write_types = (`
`671`	`671`	`exp.Insert, exp.Update, exp.Delete,`
`672`	`672`	`exp.Create, exp.Drop, exp.Alter,`
`673`		`- exp.Merge, exp.Command`
	`673`	`+ exp.Merge, exp.Command, exp.Copy`
`674`	`674`	`)`
`675`	`675`
`676`	`676`	`for stmt in statements:`