fix(security): add tenant_id validation to prevent IDOR in data source binding (#34456)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tim Ren
2026-04-02 21:17:02 +08:00
committed by GitHub
parent 2e29ac2829
commit 985b41c40b


@@ -158,10 +158,11 @@ class DataSourceApi(Resource):
@login_required @login_required
@account_initialization_required @account_initialization_required
def patch(self, binding_id, action: Literal["enable", "disable"]): def patch(self, binding_id, action: Literal["enable", "disable"]):
_, current_tenant_id = current_account_with_tenant()
binding_id = str(binding_id) binding_id = str(binding_id)
with sessionmaker(db.engine, expire_on_commit=False).begin() as session: with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
data_source_binding = session.execute( data_source_binding = session.execute(
select(DataSourceOauthBinding).filter_by(id=binding_id) select(DataSourceOauthBinding).filter_by(id=binding_id, tenant_id=current_tenant_id)
).scalar_one_or_none() ).scalar_one_or_none()
if data_source_binding is None: if data_source_binding is None:
raise NotFound("Data source binding not found.") raise NotFound("Data source binding not found.")
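Review bot: The tenant filter on the `select(DataSourceOauthBinding)` lookup is the only authorization visible in `patch`, and the account returned by `current_account_with_tenant()` is discarded as `_`, so as far as this hunk shows any logged-in member of the tenant can enable or disable a binding. If toggling is meant to be limited to workspace admins or owners, keep the account and check its role before the query; the decorators above line 158 and the rest of the method body are outside the hunk, so such a check may already exist there. Raising the same `NotFound` for a missing binding and for one owned by another tenant is the right choice because it reveals nothing about which ids exist, and a comment on the lookup would help keep it that way, e.g. `# Scope by tenant: a binding id from another workspace must resolve to 404 (IDOR guard).`. A regression test asserting 404 for a binding that belongs to a different tenant would pin the fix.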