CQL identifiers=")" fails with "invalid regular expression: parentheses () not balanced" SQL Injection

Description

The CQL query

is valid, parentheses need no masking inside of quotes.

Apply urlencoding:

Invoke curl:

There is SQL injection resulting in this error message:

This is the produced SQL:

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

Checklist

hide

TestRail: Results

Activity

Show:

Julian Ladisch June 12, 2019 at 3:40 PM

Fixed in RMB 25.
Added unit test: https://github.com/folio-org/mod-inventory-storage/commit/d541df0a2087cda4ae0c15ad7c0431cd4969d655

Jakub Skoczen June 12, 2019 at 9:43 AM

has this been fixed in RMB 25?

Done

Details
Assignee
Julian Ladisch
Reporter
Julian Ladisch
Labels
back-endplatform-backlogsecuritytriagedui-only
Priority
P2
Story Points
1
Sprint
None
Development Team
Core: Platform
Fix versions
16.0.0
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created June 6, 2019 at 1:35 PM

Updated June 14, 2019 at 2:20 PM

Resolved June 12, 2019 at 3:40 PM

Configure

TestRail: Cases

TestRail: Runs

CQL identifiers=")" fails with "invalid regular expression: parentheses () not balanced" SQL Injection

Description

CSP Request Details

CSP Rejection Details

Potential Workaround

Linked issues

blocks

is blocked by

relates to

Checklist

TestRail: Results

Activity

Julian Ladisch June 12, 2019 at 3:40 PM

Jakub Skoczen June 12, 2019 at 9:43 AM

DetailsAssigneeJulian LadischJulian LadischReporterJulian LadischJulian LadischLabelsback-endplatform-backlogsecuritytriagedui-onlyPriorityP2Story Points1SprintNone+1Development TeamCore: PlatformFix versions16.0.0TestRail: CasesOpen TestRail: CasesTestRail: RunsOpen TestRail: Runs

Details

Assignee

Reporter

Labels

Priority

Story Points

Sprint

Development Team

Fix versions

TestRail: Cases

TestRail: Runs

Details
Assignee
Julian Ladisch
Reporter
Julian Ladisch
Labels
back-endplatform-backlogsecuritytriagedui-only
Priority
P2
Story Points
1
Sprint
None
Development Team
Core: Platform
Fix versions
16.0.0
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs