diff --git a/backend/src/entities/company-info/company-info.controller.ts b/backend/src/entities/company-info/company-info.controller.ts
index 4a5a6ece5..1b4e19afd 100644
--- a/backend/src/entities/company-info/company-info.controller.ts
+++ b/backend/src/entities/company-info/company-info.controller.ts
@@ -81,8 +81,8 @@ import {
 IRemoveUserFromCompany,
 IRevokeUserInvitationInCompany,
 ISuspendUsersInCompany,
- IUnsuspendUsersInCompany,
 IToggleCompanyTestConnectionsMode,
+ IUnsuspendUsersInCompany,
 IUpdateCompanyName,
 IUpdateUsers2faStatusInCompany,
 IUpdateUsersCompanyRoles,
@@ -173,6 +173,7 @@ export class CompanyInfoController {
 description: 'Get company name by id.',
 type: FoundCompanyNameDs,
 })
+ @Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
 @Get('name/:companyId')
 async getCompanyNameById(@Param('companyId') companyId: string): Promise {
 return await this.getCompanyNameUseCase.execute(companyId);
diff --git a/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts b/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts
index 50157dc6f..a86bbfacd 100644
--- a/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts
+++ b/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts
@@ -1,5 +1,6 @@
 import { BadRequestException } from '@nestjs/common';
 import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
+import { isReadOnlyMongoAggregationPipeline } from '../../../../ai-core/tools/query-validators.js';
 import { slackPostMessage } from '../../../../helpers/slack/slack-post-message.js';
 
 const FORBIDDEN_SQL_KEYWORDS = [
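Review bot: The limit on the new `@Throttle` line is computed from `isTest()` once, when the decorator runs at class-definition time, so whichever environment the module was imported under fixes the 200-or-10 value for the life of the process; a test flag left set on a deployed instance would keep the looser limit in place, which deserves a named constant and a comment, e.g. `const COMPANY_NAME_LOOKUP_LIMIT = isTest() ? 200 : 10; // requests per tracker per minute; tests need headroom`. The decorator only has effect where `ThrottlerGuard` is bound (globally or on this controller), which this hunk does not show, so please confirm it is registered for this route. With the throttler's default tracker the bucket is keyed by client IP, so behind a reverse proxy without a trusted-proxy configuration every caller would share a single 10/min bucket — worth confirming the `getTracker`/trust-proxy setup. `CompanyInfoController` continues outside the hunk.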
@@ -175,6 +176,14 @@ export function checkMongoQueryIsSafe(query: string): QuerySafetyResult { } } + if (!isReadOnlyMongoAggregationPipeline(query)) { + return { + isSafe: false, + reason: + 'Query must be a read-only aggregation pipeline (write stages or server-side JavaScript operators such as $out, $merge, $function, $accumulator, $where are not allowed)', + }; + } + return { isSafe: true }; }
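Review bot: The new `isReadOnlyMongoAggregationPipeline` check is the last statement before `return { isSafe: true }`, so after the earlier checks in `checkMongoQueryIsSafe` (the function starts outside the hunk) have not returned, it is now the single gate that declares a query read-only, and its behaviour on input it cannot parse is not visible here; please confirm the helper returns `false` rather than throwing or returning `true` on a parse failure, and record that above the `if`, e.g. `// Final gate: reject anything the validator cannot prove read-only (must fail closed on unparseable input).` The `reason` string enumerates `$out`, `$merge`, `$function`, `$accumulator` and `$where` while the actual deny-list lives in `ai-core/tools/query-validators.js`, so the two will drift; either have the validator report the offending stage or keep the message generic. Because the helper is shared with the AI-core tooling, any relaxation there now silently widens what panel queries are accepted, so a test in this module that covers write stages nested inside sub-pipelines (for example under `$facet` or `$unionWith`) would pin the contract from this side.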