Several CQL queries don't mask special characters in user-supplied values, leading to CQL injection that causes exceptions.
Example:
A slash in an inventory item barcode causes this exception:
feign.FeignException$BadRequest: [400 Bad Request] during [GET] to [http://okapi.okapi.svc.cluster.local:9130/inventory/items?query=barcode%3D%3DA%20THE%20086/829-2] [InventoryClient#getItemsByQuery(String)]: [org.folio.cql2pgjson.exception.QueryValidationException: org.z3950.zing.cql.CQLParseException: expected boolean, got '/': barcode==A THE 086/829-2]
Affected characters:
/ slash
\ backslash
space
" double quote
* star (asterisk)
? question mark
^ caret
And probably others.
Solution:
Use StringUtil.cqlEncode to wrap the string in double quotes and backslash-escape every special CQL character.
Replace any id== query with a request to the /{id} endpoint, which avoids CQL parsing (and therefore this class of bug) entirely.
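As an added illustration (not code from this issue, from RMB or from the inventory client), the following Python re-implements the quoting that the recommended StringUtil.cqlEncode provides, next to the naive concatenation that produces the 400 above. The escaping rules follow the CQL specification for quoted terms (backslash escapes the next character; *, ? and ^ have special meaning inside quotes); that cqlEncode behaves identically is an assumption. The barcode value is the one from the exception, the injected value is constructed for the example.

```python
"""
Added example, not part of the FOLIO issue or of RMB: quoting a
user-supplied value as a single CQL term, compared with raw concatenation.
Escaping rules are taken from the CQL spec; matching StringUtil.cqlEncode
exactly is an assumption.
"""
from urllib.parse import urlencode

# Characters that keep a special meaning inside a CQL double-quoted term:
# the escape character itself, the closing quote, the wildcards * and ?,
# and the anchor ^. Everything else (slash, space, ...) becomes inert once
# the whole value sits inside the quotes.
CQL_SPECIAL = '\\"*?^'


def cql_encode(value: str) -> str:
    """Return value as one CQL quoted term with specials backslash-escaped."""
    out = []
    for ch in value:
        if ch in CQL_SPECIAL:
            out.append('\\')
        out.append(ch)
    return '"' + ''.join(out) + '"'


def cql_decode(term: str) -> str:
    """Inverse of cql_encode, used to verify the round trip."""
    if len(term) < 2 or term[0] != '"' or term[-1] != '"':
        raise ValueError('not a quoted CQL term')
    body, out, i = term[1:-1], [], 0
    while i < len(body):
        if body[i] == '\\':
            i += 1
            if i >= len(body):
                raise ValueError('dangling backslash')
        out.append(body[i])
        i += 1
    return ''.join(out)


def barcode_query_naive(barcode: str) -> str:
    """The vulnerable pattern from the issue: the raw value is concatenated,
    so a space, slash or operator in the barcode changes the query's shape."""
    return 'barcode==' + barcode


def barcode_query(barcode: str) -> str:
    """Hardened pattern: the value is always exactly one quoted term."""
    return 'barcode==' + cql_encode(barcode)


def items_url(okapi_base: str, barcode: str) -> str:
    """Full GET URL for /inventory/items; the query is also URL-encoded,
    since the CQL quotes and slashes must survive the HTTP layer too."""
    return okapi_base.rstrip('/') + '/inventory/items?' + urlencode(
        {'query': barcode_query(barcode)})


if __name__ == '__main__':
    barcode = 'A THE 086/829-2'          # value from the exception in the issue
    injected = '123 or status.name==Available'  # constructed attacker value
    print(barcode_query_naive(barcode))   # fails to parse: 'expected boolean'
    print(barcode_query(barcode))         # barcode=="A THE 086/829-2"
    print(barcode_query_naive(injected))  # two clauses: query shape changed
    print(barcode_query(injected))        # still one literal barcode term
    print(items_url('http://okapi.okapi.svc.cluster.local:9130', barcode))
```

Note that quoting does not make a value "correct", it only guarantees the parser sees one term: a barcode containing an asterisk is searched for literally rather than as a wildcard, which is the intended behaviour for an exact barcode== match.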