fix(api): refactors the SQL LIKE pattern escaping logic to use a centralized utility function, ensuring consistent and secure handling of special characters across all database queries. (#30450)

Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-05-06 02:18:08 +08:00 · 2026-01-06 09:56:30 +08:00
parent de6262784c
commit 615c313f80
18 changed files with 648 additions and 36 deletions
--- a/api/services/external_knowledge_service.py
+++ b/api/services/external_knowledge_service.py
@ -35,7 +35,10 @@ class ExternalDatasetService:
            .order_by(ExternalKnowledgeApis.created_at.desc())
        )
        if search:
-            query = query.where(ExternalKnowledgeApis.name.ilike(f"%{search}%"))
+            from libs.helper import escape_like_pattern
+
+            escaped_search = escape_like_pattern(search)
+            query = query.where(ExternalKnowledgeApis.name.ilike(f"%{escaped_search}%", escape="\\"))

        external_knowledge_apis = db.paginate(
            select=query, page=page, per_page=per_page, max_per_page=100, error_out=False