Security: Patch RCE via Terminology Poisoning and Add Auth Guard

[jackieya]

Summary

Fixed a Stored Prompt Injection vulnerability in terminology management that leads to Remote Code Execution (RCE) and hardened the upload API's access control.

Problem

The terminology management module allowed any authenticated user to upload Excel files with unsanitized description fields. These descriptions were directly spliced into the LLM's system prompt during inference.

An attacker could craft a terminology description that hijacks the LLM's reasoning logic, inducing it to output a PostgreSQL COPY ... TO PROGRAM statement. Since the core SQL execution path lacked semantic filtering for the COPY command, this resulted in arbitrary command execution on the host server or database server.

Fix

Implemented a two-layer defense mechanism to close this attack vector:

1. Semantic SQL Filtering (Architectural Guard):
   Modified backend/apps/db/db.py to add exp.Copy to the write_types blacklist within the check_sql_read() function. This leverages sqlglot to proactively intercept and block COPY commands at the semantic level:

   write_types = (
       exp.Insert, exp.Update, exp.Delete,
       exp.Create, exp.Drop, exp.Alter,
       exp.Merge, exp.Command, exp.Copy # Added exp.Copy to block RCE vectors
   )

2. API Authorization Hardening:
   Applied the @require_permissions decorator to the uploadExcel endpoint in backend/apps/terminology/api/terminology.py to ensure that only administrators can perform bulk terminology updates:

   @router.post("/uploadExcel", ...)
   @require_permissions(permission=SqlbotPermission(role=['ws_admin'])) # Restricted to admins
   async def upload_excel(...):

Testing

• Verified that COPY ... TO PROGRAM payloads are now correctly identified and blocked, raising a ValueError as expected.
• Verified that the upload_excel API rejects requests from non-admin users with appropriate authentication errors.

Disclosure Notes

The detailed vulnerability report, PoC script, and exploitation demonstration have been submitted to the project maintainers via email for responsible disclosure.

[Copilot]

Pull request overview

This PR hardens the platform against an RCE vector by blocking PostgreSQL COPY statements in the “read-only SQL” execution path and restricting bulk terminology uploads to workspace admins.

Changes:

• Block sqlglot-parsed COPY statements by adding exp.Copy to the write-operation blacklist in check_sql_read().
• Add an authorization guard (@require_permissions) to the terminology Excel upload endpoint.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
backend/apps/terminology/api/terminology.py	Adds a permissions decorator to restrict /uploadExcel terminology imports.
backend/apps/db/db.py	Extends semantic SQL filtering to treat COPY as a disallowed write operation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Decorator order means permission-denied requests won't be captured by @system_log. With the current order, require_permissions(...) runs before system_log(...), so if require_permissions raises (e.g., non-admin), the logging decorator never executes and the attempted import isn't audited. Consider swapping the decorators so @system_log(...) is above @require_permissions(...) (i.e., system_log(require_permissions(upload_excel))).

Suggested change

	@require_permissions(permission=SqlbotPermission(role=['ws_admin']))
	@system_log(LogConfig(operation_type=OperationType.IMPORT, module=OperationModules.TERMINOLOGY))
	@system_log(LogConfig(operation_type=OperationType.IMPORT, module=OperationModules.TERMINOLOGY))
	@require_permissions(permission=SqlbotPermission(role=['ws_admin']))