From 754791efd3463c49a3fd334bce16d963de02e214 Mon Sep 17 00:00:00 2001
From: -LAN-
Date: Wed, 25 Dec 2024 18:36:42 +0800
Subject: [PATCH] fix(file_factory): validate upload_file_id format as UUID (#12084)
Signed-off-by: -LAN-
---
 api/factories/file_factory.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/api/factories/file_factory.py b/api/factories/file_factory.py
index 856cf62e3e..1e1e3fb796 100644
--- a/api/factories/file_factory.py
+++ b/api/factories/file_factory.py
@@ -1,4 +1,5 @@
 import mimetypes
+import uuid
 from collections.abc import Callable, Mapping, Sequence
 from typing import Any, cast
 
@@ -119,6 +120,11 @@ def _build_from_local_file(
 upload_file_id = mapping.get("upload_file_id")
 if not upload_file_id:
 raise ValueError("Invalid upload file id")
+ # check if upload_file_id is a valid uuid
+ try:
+ uuid.UUID(upload_file_id)
+ except ValueError:
+ raise ValueError("Invalid upload file id format")
 stmt = select(UploadFile).where(
 UploadFile.id == upload_file_id,
 UploadFile.tenant_id == tenant_id,
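Review bot: The new `except ValueError:` in `_build_from_local_file` only covers malformed strings; a truthy non-string `upload_file_id` (a number or list, if the mapping is built from request JSON) makes `uuid.UUID(...)` fail with `AttributeError` or `TypeError`, which escapes as an unhandled error instead of the intended "Invalid upload file id format". I would reject non-strings up front and widen the handler, e.g. `if not isinstance(upload_file_id, str): raise ValueError("Invalid upload file id format")` and `except (ValueError, AttributeError, TypeError):`. The parsed value is also discarded, so forms that `uuid.UUID` accepts but that are not canonical (braces, a `urn:uuid:` prefix, no hyphens) still reach the `UploadFile.id == upload_file_id` comparison unchanged; assigning `upload_file_id = str(uuid.UUID(upload_file_id))` would pass only the canonical form on. The function body starts and ends outside this hunk, so how the mapping is populated is not visible here.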