From 085363c443b29a6d49739c875294f9667450f931 Mon Sep 17 00:00:00 2001
From: Artem Niehrieiev
Date: Wed, 3 Jun 2026 06:59:02 +0000
Subject: [PATCH 1/2] add throttle decorator to getCompanyNameById endpoint

---
 backend/src/entities/company-info/company-info.controller.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/src/entities/company-info/company-info.controller.ts b/backend/src/entities/company-info/company-info.controller.ts
index 4a5a6ece5..1b4e19afd 100644
--- a/backend/src/entities/company-info/company-info.controller.ts
+++ b/backend/src/entities/company-info/company-info.controller.ts
@@ -81,8 +81,8 @@ import {
   IRemoveUserFromCompany,
   IRevokeUserInvitationInCompany,
   ISuspendUsersInCompany,
-  IUnsuspendUsersInCompany,
   IToggleCompanyTestConnectionsMode,
+  IUnsuspendUsersInCompany,
   IUpdateCompanyName,
   IUpdateUsers2faStatusInCompany,
   IUpdateUsersCompanyRoles,
@@ -173,6 +173,7 @@ export class CompanyInfoController {
     description: 'Get company name by id.',
     type: FoundCompanyNameDs,
   })
+  @Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
   @Get('name/:companyId')
   async getCompanyNameById(@Param('companyId') companyId: string): Promise {
     return await this.getCompanyNameUseCase.execute(companyId);

From 9bbf497c951e4f38b09c0b81957c01619ebb1f05 Mon Sep 17 00:00:00 2001
From: Artem Niehrieiev
Date: Wed, 3 Jun 2026 07:46:12 +0000
Subject: [PATCH 2/2] add validation for read-only MongoDB aggregation pipelines in checkMongoQueryIsSafe function

---
 .../panel/utils/check-query-is-safe.util.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts b/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts
index 50157dc6f..a86bbfacd 100644
--- a/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts
+++ b/backend/src/entities/visualizations/panel/utils/check-query-is-safe.util.ts
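Review bot: The `ttl: 60000` on the new `@Throttle` line is a one-minute window only if the project's `@nestjs/throttler` is v5 or later, where ttl is in milliseconds; on v4 the same number means 60000 seconds, so confirm the version and state the intended window in a comment such as `// 10 lookups per minute per client (ttl is in ms on throttler >= 5); relaxed under test`. The `isTest() ? 200 : 10` expression is a decorator argument, so it is evaluated once when the class is defined, not per request; that is fine provided the test flag is set before the controller module is loaded. The diffstat shows no import added for `Throttle` or `isTest`, so both must already be in scope in this file, and the decorator has no effect unless a ThrottlerGuard is registered for the app or this controller, which is worth verifying since it is not visible here. `getCompanyNameById`'s body continues outside the hunk.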
@@ -1,5 +1,6 @@
 import { BadRequestException } from '@nestjs/common';
 import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
+import { isReadOnlyMongoAggregationPipeline } from '../../../../ai-core/tools/query-validators.js';
 import { slackPostMessage } from '../../../../helpers/slack/slack-post-message.js';
 
 const FORBIDDEN_SQL_KEYWORDS = [
@@ -175,6 +176,14 @@ export function checkMongoQueryIsSafe(query: string): QuerySafetyResult {
     }
   }
 
+  if (!isReadOnlyMongoAggregationPipeline(query)) {
+    return {
+      isSafe: false,
+      reason:
+        'Query must be a read-only aggregation pipeline (write stages or server-side JavaScript operators such as $out, $merge, $function, $accumulator, $where are not allowed)',
+    };
+  }
+
   return { isSafe: true };
 }
 
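Review bot: The new `isReadOnlyMongoAggregationPipeline(query)` check receives the raw query string, and nothing in this hunk shows how the helper handles input it cannot parse or input that is not a pipeline at all, so please confirm it fails closed (returns false) in both cases rather than letting such queries fall through to `return { isSafe: true }`. The operators named in the reason string (`$function`, `$accumulator`, `$where`) can appear nested inside `$match`/`$expr`, `$lookup`/`$unionWith` sub-pipelines and `$facet`, so the helper should walk nested documents, not just top-level stage names; a unit test with a nested occurrence would pin that. Since this is a security gate shared with `ai-core`, a one-line comment at the call site would help the next reader, e.g. `// Fails closed: rejects write stages and server-side JS anywhere in the pipeline, even if no keyword above matched`. Importing a validator from `ai-core/tools` into the visualizations panel also couples the two modules; consider moving it to a shared helper location if that was not deliberate. `checkMongoQueryIsSafe`'s body starts outside the hunk.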