mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-05-26 18:57:20 +08:00
### What problem does this PR solve?

The `use_sql()` function in `dialog_service.py` constructed SQL WHERE clauses and Infinity table names by directly interpolating `kb_id` values using Python f-strings, with no validation of the input values. A malformed or maliciously crafted `kb_id` (introduced via a compromised admin account or a separate injection vector) could alter the structure of the generated SQL query, potentially leading to unauthorized data access or data manipulation.

This PR adds strict UUID format validation for all `kb_id` values before they are interpolated into any SQL string, causing requests with invalid IDs to fail fast with a `ValueError` rather than executing a tampered query.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
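The following is an added illustration of the pattern the PR describes, not code from ragflow or from the PR itself: a WHERE-clause builder that interpolates `kb_id` straight into the SQL text, beside a hardened variant that rejects anything that is not a well-formed UUID before it reaches the f-string. The accepted UUID forms (32 hex digits, or the canonical 8-4-4-4-12 layout), the `kb_` table-name prefix and all sample IDs are assumptions made for the example, not the project's actual formats.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Strict UUID pattern: 32 hex digits, or the canonical 8-4-4-4-12 form.
# Assumed ID format for this example; confirm it against the format the
# project actually stores before reusing the pattern.
_UUID_RE = re.compile(
    r"(?:[0-9a-fA-F]{32}"
    r"|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
)


def validate_kb_id(kb_id: object) -> str:
    """Return kb_id unchanged if it is a well-formed UUID string, else raise ValueError.

    re.fullmatch is used on purpose: re.match with a trailing '$' still accepts
    "<uuid>\\n", and the isinstance check stops non-strings from being quietly
    stringified by the f-string.
    """
    if not isinstance(kb_id, str) or _UUID_RE.fullmatch(kb_id) is None:
        raise ValueError(f"invalid kb_id: {kb_id!r}")
    return kb_id


def build_where_unsafe(kb_ids: Iterable[str]) -> str:
    """'Before' pattern: values go straight into the SQL text."""
    quoted = ", ".join(f"'{kb_id}'" for kb_id in kb_ids)
    return f"WHERE kb_id IN ({quoted})"


def build_where_safe(kb_ids: Iterable[str]) -> str:
    """'After' pattern: every value must pass validate_kb_id before interpolation."""
    quoted = ", ".join(f"'{validate_kb_id(kb_id)}'" for kb_id in kb_ids)
    return f"WHERE kb_id IN ({quoted})"


def infinity_table_name_safe(kb_id: str) -> str:
    """Hypothetical table-name builder (the 'kb_' prefix is an assumption);
    the same guard applies because identifiers cannot be parameterised."""
    return f"kb_{validate_kb_id(kb_id)}"


def try_build(builder: Callable[[List[str]], str], kb_ids: Iterable[str]) -> Tuple[str, str]:
    """Run a builder and report ('ok', sql) or ('rejected', error message)."""
    try:
        return "ok", builder(list(kb_ids))
    except ValueError as exc:
        return "rejected", str(exc)


# Constructed inputs for the demonstration (not real data).
GOOD_IDS = ["0f8fad5b-d9cb-469f-a165-70867728950e", "7c9e6679742540a6bdb0b6fd31d3a2e1"]
INJECTED_ID = "x') OR ('1'='1"          # closes the IN list and appends a tautology
TRAILING_NEWLINE_ID = GOOD_IDS[1] + "\n"  # would slip past a '$'-anchored re.match

if __name__ == "__main__":
    print(try_build(build_where_unsafe, [INJECTED_ID]))  # structure of the query changes
    print(try_build(build_where_safe, [INJECTED_ID]))    # rejected before any SQL is built
    print(try_build(build_where_safe, GOOD_IDS))         # well-formed IDs pass through
```

The unsafe builder turns the crafted value into `WHERE kb_id IN ('x') OR ('1'='1')`, which is exactly the structural change the PR description warns about; the safe builder raises before the string exists. Validation rather than parameter binding is the right tool here because one of the interpolation sites is a table name, and identifiers cannot be bound as query parameters.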