fix: csv injection in annotations export (#29462)

Co-authored-by: hj24 <huangjian@dify.ai> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2025-12-15 17:14:05 +08:00
parent 2bf44057e9
commit bd7b1fc6fb
5 changed files with 271 additions and 7 deletions
--- a/api/tests/unit_tests/controllers/console/app/test_annotation_security.py
+++ b/api/tests/unit_tests/controllers/console/app/test_annotation_security.py
@@ -250,8 +250,8 @@ class TestAnnotationImportServiceValidation:
        """Test that invalid CSV format is handled gracefully."""
        from services.annotation_service import AppAnnotationService

-        # Create invalid CSV content
-        csv_content = 'invalid,csv,format\nwith,unbalanced,quotes,and"stuff'
+        # Create CSV with only one column (should require at least 2 columns for question and answer)
+        csv_content = "single_column_header\nonly_one_value"

        file = FileStorage(stream=io.BytesIO(csv_content.encode()), filename="test.csv", content_type="text/csv")

@@ -262,8 +262,9 @@ class TestAnnotationImportServiceValidation:

            result = AppAnnotationService.batch_import_app_annotations("app_id", file)

-            # Should return error message
+            # Should return error message about invalid format (less than 2 columns)
            assert "error_msg" in result
+            assert "at least 2 columns" in result["error_msg"].lower()

    def test_valid_import_succeeds(self, mock_app, mock_db_session):
        """Test that valid import request succeeds."""