From 6c2c7634f88653246ab432f47ca76571967fd7d9 Mon Sep 17 00:00:00 2001
From: jackieya
Date: Thu, 12 Mar 2026 19:16:30 +0800
Subject: [PATCH 1/2] security: fix RCE via terminology poisoning and restrict upload access
---
 backend/apps/db/db.py | 2 +-
 backend/apps/terminology/api/terminology.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/backend/apps/db/db.py b/backend/apps/db/db.py
index 5add5f81..c5223d75 100644
--- a/backend/apps/db/db.py
+++ b/backend/apps/db/db.py
@@ -670,7 +670,7 @@ def check_sql_read(sql: str, ds: CoreDatasource | AssistantOutDsSchema):
 write_types = (
 exp.Insert, exp.Update, exp.Delete, exp.Create, exp.Drop, exp.Alter,
- exp.Merge, exp.Command
+ exp.Merge, exp.Command, exp.Copy
 )
 for stmt in statements:
diff --git a/backend/apps/terminology/api/terminology.py b/backend/apps/terminology/api/terminology.py
index 7240b278..6911f487 100644
--- a/backend/apps/terminology/api/terminology.py
+++ b/backend/apps/terminology/api/terminology.py
@@ -164,6 +164,7 @@ def inner():
 @router.post("/uploadExcel", summary=f"{PLACEHOLDER_PREFIX}upload_term")
+@require_permissions(permission=SqlbotPermission(role=['ws_admin']))
 @system_log(LogConfig(operation_type=OperationType.IMPORT, module=OperationModules.TERMINOLOGY))
 async def upload_excel(trans: Trans, current_user: CurrentUser, file: UploadFile = File(...)):
 ALLOWED_EXTENSIONS = {"xlsx", "xls"}
From 111e64d0a564388d1d3b870adaae58da30d667ed Mon Sep 17 00:00:00 2001
From: jackieya
Date: Thu, 12 Mar 2026 19:39:55 +0800
Subject: [PATCH 2/2] refactor: optimize decorator order and fix HTTPException imports per review
---
 backend/apps/terminology/api/terminology.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/apps/terminology/api/terminology.py b/backend/apps/terminology/api/terminology.py
index 6911f487..b74cb19b 100644
--- a/backend/apps/terminology/api/terminology.py
+++ b/backend/apps/terminology/api/terminology.py
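Review bot: `write_types` on the new side is still a denylist of sqlglot expression classes, so `check_sql_read` only rejects statement roots it explicitly names and every further class (here `exp.Copy`) has to be discovered and appended after an incident. Inverting the check into an allowlist of read-only roots, e.g. `if not isinstance(stmt, (exp.Select, exp.Union)):` followed by whatever rejection the loop already uses, fails closed for any statement type the tuple does not anticipate. The body of `check_sql_read` continues past the hunk, so how `statements` is produced and what the loop does on a match is not visible here; if the denylist is kept, a comment on the tuple such as `# Denylist of write roots: any sqlglot class not listed is treated as a read — prefer an allowlist` would at least make the maintenance burden explicit.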
@@ -164,8 +164,8 @@ def inner():
 @router.post("/uploadExcel", summary=f"{PLACEHOLDER_PREFIX}upload_term")
-@require_permissions(permission=SqlbotPermission(role=['ws_admin']))
 @system_log(LogConfig(operation_type=OperationType.IMPORT, module=OperationModules.TERMINOLOGY))
+@require_permissions(permission=SqlbotPermission(role=['ws_admin']))
 async def upload_excel(trans: Trans, current_user: CurrentUser, file: UploadFile = File(...)):
 ALLOWED_EXTENSIONS = {"xlsx", "xls"}
 if not file.filename.lower().endswith(tuple(ALLOWED_EXTENSIONS)):
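Review bot: With `@require_permissions` now the innermost decorator, `@system_log` wraps the permission check, so whether a denied call is recorded as an IMPORT operation depends on how `system_log` treats an exception raised by the wrapped callable; that behaviour is not visible in this hunk and the ordering should be documented where it is decided, e.g. `# require_permissions sits inside system_log — confirm denied uploads are (or are not) written to the audit log as intended`. The commit subject also refers to HTTPException imports, but the diffstat shows this decorator swap as the only change in the patch. On the unchanged context line, `file.filename.lower()` dereferences the filename unguarded; if the framework leaves it `None` for a nameless upload part the request fails with an AttributeError instead of the intended validation response, so `if not file.filename or not file.filename.lower().endswith(tuple(ALLOWED_EXTENSIONS)):` is the safer form. `upload_excel` continues past the end of the hunk.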