Skip to content

fix: sql injection#38295

Merged
crazywoola merged 59 commits into
mainfrom
fix/issue-38281-sql-injection
Jul 2, 2026
Merged

fix: sql injection#38295
crazywoola merged 59 commits into
mainfrom
fix/issue-38281-sql-injection

Conversation

@FFXN

@FFXN FFXN commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Important

  1. Make sure you have read our contribution guidelines
  2. Ensure there is an associated issue and you have been assigned to it
  3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

fixes #38281

Screenshots

Before After
... ...

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran make lint && make type-check (backend) and cd web && pnpm exec vp staged (frontend) to appease the lint gods

FFXN and others added 30 commits March 3, 2026 14:31
…m service including remote template service and database, return responding error message.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…m service including remote template service and database, return responding error message.
# Conflicts:
#	api/services/rag_pipeline/pipeline_template/remote/remote_retrieval.py
# Conflicts:
#	api/providers/vdb/vdb-weaviate/src/dify_vdb_weaviate/weaviate_vector.py
# Conflicts:
#	api/tests/unit_tests/controllers/service_api/dataset/test_hit_testing.py
…e image preview to fail on the chunks details page of the knowledge base.
…e image preview to fail on the chunks details page of the knowledge base.
… is generated for external preview or download only.
@FFXN FFXN requested a review from QuantumGhost as a code owner July 2, 2026 06:06
@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Pyrefly Type Coverage

Metric Base PR Delta
Type coverage 51.85% 51.85% -0.00%
Strict coverage 51.37% 51.37% -0.00%
Typed symbols 31,521 31,521 0
Untyped symbols 29,542 29,544 +2
Modules 2951 2951 0

@FFXN FFXN added this to the 1.16.0 milestone Jul 2, 2026
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.28%. Comparing base (2429b75) to head (fd0d2f4).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #38295   +/-   ##
=======================================
  Coverage   85.28%   85.28%           
=======================================
  Files        4983     4983           
  Lines      263129   263064   -65     
  Branches    49965    49955   -10     
=======================================
- Hits       224416   224367   -49     
+ Misses      34327    34314   -13     
+ Partials     4386     4383    -3     
Flag Coverage Δ
api 85.51% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jul 2, 2026
@crazywoola crazywoola added this pull request to the merge queue Jul 2, 2026
@QuantumGhost

Copy link
Copy Markdown
Contributor

The code in _search still uses f-string to build dynamic query. Is it possible to migrate those SQL to SQLAlchemy query builder?

Merged via the queue into main with commit d9884ef Jul 2, 2026
36 checks passed
@crazywoola crazywoola deleted the fix/issue-38281-sql-injection branch July 2, 2026 06:38
GareArc pushed a commit that referenced this pull request Jul 9, 2026
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
(cherry picked from commit d9884ef)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm This PR has been approved by a maintainer size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

SQL Injection in Dify MyScale Vector Store via search_by_full_text

3 participants