From 985b41c40bf33408c7ff63b17fbda4777c77f4be Mon Sep 17 00:00:00 2001
From: Tim Ren <137012659+xr843@users.noreply.github.com>
Date: Thu, 2 Apr 2026 21:17:02 +0800
Subject: [PATCH] fix(security): add tenant_id validation to prevent IDOR in
 data source binding (#34456)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 api/controllers/console/datasets/data_source.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/api/controllers/console/datasets/data_source.py b/api/controllers/console/datasets/data_source.py
index ac14349045..e623722b23 100644
--- a/api/controllers/console/datasets/data_source.py
+++ b/api/controllers/console/datasets/data_source.py
@@ -158,10 +158,11 @@ class DataSourceApi(Resource):
     @login_required
     @account_initialization_required
     def patch(self, binding_id, action: Literal["enable", "disable"]):
+        _, current_tenant_id = current_account_with_tenant()
         binding_id = str(binding_id)
         with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
             data_source_binding = session.execute(
-                select(DataSourceOauthBinding).filter_by(id=binding_id)
+                select(DataSourceOauthBinding).filter_by(id=binding_id, tenant_id=current_tenant_id)
             ).scalar_one_or_none()
         if data_source_binding is None:
             raise NotFound("Data source binding not found.")