fix(migration): parameterize tenant_model_provider inserts in mysql_migration (#15313)

### Related issues Closes #15312 ### What problem does this PR solve? `tools/scripts/mysql_migration.py` built batch INSERT SQL for the `tenant_model_provider` stage using f-strings with raw `llm_factory` and `tenant_id` values. If either value contained a single quote, migration SQL could fail; this also created unnecessary SQL-injection risk in the migration path. This PR replaces string interpolation with parameterized SQL placeholders in `TenantModelProviderStage.execute()`. The migration now safely handles quoted values and executes deterministically across existing tenant data.
2026-06-29 15:31:05 +08:00 · 2026-06-01 19:29:41 -07:00
parent 09d0a17453
commit 088d8448ae
1 changed files with 15 additions and 8 deletions
--- a/tools/scripts/mysql_migration.py
+++ b/tools/scripts/mysql_migration.py
@@ -323,23 +323,30 @@ class TenantModelProviderStage(MigrationStage):
            logger.info(f"[DRY RUN] Would insert {len(records)} records")
            return len(records), self.target_tables
        
-        # Insert records in batches
+        # Insert records in batches with parameterized SQL to avoid quote breakage/injection
        batch_size = 100
        for i in range(0, len(records), batch_size):
            batch = records[i:i + batch_size]
-            values = []
+            placeholders = []
+            params = []
            for tenant_id, llm_factory in batch:
                record_id = self.generate_uuid()
-                values.append(f"('{record_id}', '{llm_factory}', '{tenant_id}', "
-                            f"{current_ts * 1000}, FROM_UNIXTIME({current_ts}), "
-                            f"{current_ts * 1000}, FROM_UNIXTIME({current_ts}))")
-            
+                placeholders.append("(%s, %s, %s, %s, FROM_UNIXTIME(%s), %s, FROM_UNIXTIME(%s))")
+                params.extend([
+                    record_id,
+                    llm_factory,
+                    tenant_id,
+                    current_ts * 1000,
+                    current_ts,
+                    current_ts * 1000,
+                    current_ts,
+                ])
            insert_sql = f"""
                INSERT INTO tenant_model_provider 
                (id, provider_name, tenant_id, create_time, create_date, update_time, update_date)
-                VALUES {', '.join(values)}
+                VALUES {', '.join(placeholders)}
            """
-            self.db.execute_sql(insert_sql)
+            self.db.execute_sql(insert_sql, params)
            rows_inserted += len(batch)
            logger.info(f"Inserted batch {i // batch_size + 1}: {len(batch)} records")