From 8067d65e30b1ed3cec3b71c441614fbab6b08cab Mon Sep 17 00:00:00 2001
From: junjun
Date: Mon, 8 Dec 2025 10:56:34 +0800
Subject: [PATCH] fix: Unauthenticated Arbitrary File Upload in SQLBot uploadExcel Endpoint

---
 backend/common/utils/whitelist.py | 1 -
 frontend/src/views/ds/DatasourceForm.vue | 7 +++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/common/utils/whitelist.py b/backend/common/utils/whitelist.py
index c880fe53..b6565ac0 100644
--- a/backend/common/utils/whitelist.py
+++ b/backend/common/utils/whitelist.py
@@ -33,7 +33,6 @@
 "/system/assistant/info/*",
 "/system/assistant/app/*",
 "/system/assistant/picture/*",
- "/datasource/uploadExcel",
 "/system/authentication/platform/status",
 "/system/authentication/login/*",
 "/system/authentication/sso/*",
diff --git a/frontend/src/views/ds/DatasourceForm.vue b/frontend/src/views/ds/DatasourceForm.vue
index a4c1d430..f4b5f7f6 100644
--- a/frontend/src/views/ds/DatasourceForm.vue
+++ b/frontend/src/views/ds/DatasourceForm.vue
@@ -16,6 +16,7 @@ import { setSize } from '@/utils/utils'
 import EmptyBackground from '@/views/dashboard/common/EmptyBackground.vue'
 import icon_fileExcel_colorful from '@/assets/datasource/icon_excel.png'
 import IconOpeDelete from '@/assets/svg/icon_delete.svg'
+import { useCache } from '@/utils/useCache'
 
 const props = withDefaults(
 defineProps<{
@@ -128,6 +129,10 @@ const close = () => {
 saveLoading.value = false
 }
 
+const { wsCache } = useCache()
+const token = wsCache.get('user.token')
+const headers = ref({ 'X-SQLBOT-TOKEN': `Bearer ${token}` })
+
 const initForm = (item: any, editTable: boolean = false) => {
 isEditTable.value = false
 keywords.value = ''
@@ -539,6 +544,7 @@ defineExpose({
 v-if="form.filename && !form.id"
 class="upload-user"
 accept=".xlsx,.xls,.csv"
+ :headers="headers"
 :action="getUploadURL"
 :before-upload="beforeUpload"
 :on-error="onError"
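Review bot: `const token = wsCache.get('user.token')` in the @@ -128 hunk is evaluated once when the component's setup runs, so `headers` carries whatever token was cached at that moment; if the session token is refreshed or the user logs in again while this form stays mounted, the upload is sent with a stale credential and rejected by the endpoint that this patch makes authenticated. Reading the token lazily keeps the header current, e.g. ``const headers = computed(() => ({ 'X-SQLBOT-TOKEN': `Bearer ${wsCache.get('user.token')}` }))`` (with `computed` imported alongside `ref`), or build the header inside `beforeUpload` just before the request. The same line also yields the literal string `Bearer undefined` (or `Bearer null`) when nothing is cached; omitting the header in that case produces a clean 401 rather than a malformed bearer value. What `wsCache.get` returns on a miss is not visible in this hunk, so that branch should be confirmed against `useCache`.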
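Review bot: `:headers="headers"` in the @@ -539 hunk is added identically to the second upload component in the @@ -554 hunk (`v-else-if="!form.id"`), so the reason for the binding is now implicit in two places; a comment above the first one, `<!-- auth header: /datasource/uploadExcel is no longer whitelisted on the backend; keep both upload components in sync -->`, would tell a future maintainer why it exists and that both must change together. The `accept=".xlsx,.xls,.csv"` context line is only a client-side picker filter, so the authentication enforced by the whitelist removal does not by itself constrain what an authenticated user can upload; the server-side handler should validate extension and content, which this patch does not show and which should be confirmed separately.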
@@ -554,6 +560,7 @@ defineExpose({
 v-else-if="!form.id"
 class="upload-user"
 accept=".xlsx,.xls,.csv"
+ :headers="headers"
 :action="getUploadURL"
 :before-upload="beforeUpload"
 :on-success="onSuccess"