From 9deebb83cd76c6a95c61ffc747da8b9cee7fdd71 Mon Sep 17 00:00:00 2001
From: Klesh Wong
Date: Thu, 12 Mar 2026 19:50:44 +0800
Subject: [PATCH] fix: cwe89 sql injection

---
 backend/server/services/pushapi.go | 20 ++++++++++++++++++++
 env.example                        |  1 +
 2 files changed, 21 insertions(+)

diff --git a/backend/server/services/pushapi.go b/backend/server/services/pushapi.go
index deabe12b10d..d99d4e9067d 100644
--- a/backend/server/services/pushapi.go
+++ b/backend/server/services/pushapi.go
@@ -18,12 +18,32 @@ limitations under the License.
 package services
 
 import (
+	"regexp"
+	"strings"
+
 	"github.com/apache/incubator-devlake/core/dal"
 	"github.com/apache/incubator-devlake/core/errors"
 )
 
 // InsertRow FIXME ...
 func InsertRow(table string, rows []map[string]interface{}) (int64, errors.Error) {
+	if !regexp.MustCompile(`^[a-zA-Z0-9_]+$`).MatchString(table) {
+		return 0, errors.BadInput.New("table name invalid")
+	}
+
+	if allowedTables := cfg.GetString("PUSH_API_ALLOWED_TABLES"); allowedTables != "" {
+		allow := false
+		for _, t := range strings.Split(allowedTables, ",") {
+			if strings.TrimSpace(t) == table {
+				allow = true
+				break
+			}
+		}
+		if !allow {
+			return 0, errors.Forbidden.New("table name is not in the allowed list")
+		}
+	}
+
 	err := db.Create(rows, dal.From(table))
 	if err != nil {
 		return 0, err
diff --git a/env.example b/env.example
index 58c89de1ac3..19acb7c94af 100755
--- a/env.example
+++ b/env.example
@@ -34,6 +34,7 @@ SKIP_SUBTASK_PROGRESS=false
 PORT=8080
 MODE=release
+# PUSH_API_ALLOWED_TABLES=table1,table2
 NOTIFICATION_ENDPOINT=
 NOTIFICATION_SECRET=
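Review bot: The identifier regex closes the injection path through the table name, but the allowlist branch only runs when `PUSH_API_ALLOWED_TABLES` is non-empty, so a deployment that keeps the env.example default (the line is commented out) still lets the push API insert rows into any table whose name matches `^[a-zA-Z0-9_]+$`; consider failing closed when the variable is empty, or at least replace the `// InsertRow FIXME ...` comment with one stating that `table` is caller-controlled and that the allowlist is opt-in. `regexp.MustCompile` is also re-run on every call; hoist the compiled pattern to a package-level `var tableNamePattern` and test with `tableNamePattern.MatchString(table)`. The map keys of `rows` arrive from the same request and reach `db.Create` without any check; whether that is safe depends on the dal layer quoting column identifiers, which is outside this hunk. `cfg` and `db` are package-level names declared elsewhere, and the body of InsertRow continues past the end of the hunk.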