From 48589a634b11761c414ee1df6f3c7d272197b3a5 Mon Sep 17 00:00:00 2001
From: junjun
Date: Fri, 13 Mar 2026 18:18:41 +0800
Subject: [PATCH] fix: Fix SSRF causing arbitrary file read vulnerability

---
 backend/apps/db/db.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/backend/apps/db/db.py b/backend/apps/db/db.py
index 5add5f81..4f9904fd 100644
--- a/backend/apps/db/db.py
+++ b/backend/apps/db/db.py
@@ -688,6 +688,7 @@ def check_sql_read(sql: str, ds: CoreDatasource | AssistantOutDsSchema):
 def checkParams(extraParams: str, illegalParams: List[str]):
 kvs = extraParams.split('&')
 for kv in kvs:
- k, v = kv.split('=')
- if k in illegalParams:
- raise HTTPException(status_code=500, detail=f'Illegal Parameter: {k}')
+ if kv and '=' in kv:
+ k, v = kv.split('=')
+ if k in illegalParams:
+ raise HTTPException(status_code=500, detail=f'Illegal Parameter: {k}')
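Review bot: The added `'=' in kv` guard still lets `kv.split('=')` raise ValueError when a value itself contains a second `=` (e.g. `key=a=b`), so a single malformed pair aborts the check with an unpack error instead of the controlled HTTPException; use `k, v = kv.split('=', 1)` or `k, _, v = kv.partition('=')`, or replace the hand-rolled parsing with `urllib.parse.parse_qsl(extraParams, keep_blank_values=True)`, which also percent-decodes keys. The denylist test `k in illegalParams` is an exact match on the raw key, so a key that differs only in case, surrounding whitespace or URL encoding would pass the check but could still be honoured downstream if the driver normalises option names — worth confirming against the driver, and comparing on a normalised key (or, more robustly, checking against an allowlist of permitted options) if so. Note also that pairs without `=` are now silently skipped rather than rejected; if they are still forwarded into the connection string, decide explicitly whether that is intended. checkParams may continue past the last line of the hunk.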