Mask or replace special characters to prevent CQL injection
Mikita Siadykh November 1, 2023 at 1:41 PM
based on discussion on refinement

Yury Saukou November 1, 2023 at 12:55 PM (Edited)
After a little investigation, it turned out that the plugin (like most other applications) uses the "escapeCqlValue" function from "stripes-util" to clear the query of special characters.
Since the same ticket already exists for `stripes-util` (), the question arises: do we need to change anything? If it's planned to change the behavior of the "escapeCqlValue" function to exclude more special characters, then we should not change anything; otherwise, we need to replace this utility with a custom one.
cc

Serhii_Nosko October 31, 2023 at 2:26 PM
Hi, on refinement we decided to mark this ticket with P4 priority and set the Quesnelia release; if you don't agree, please provide more details and we will take a look and re-prioritize.
Duplicate

Details
Story Points: 2
Sprint: None
Development Team: Thunderjet
Release: Quesnelia (R1 2024)
RCA Group: TBD
Created: October 17, 2023 at 10:22 AM
Updated: November 1, 2023 at 1:41 PM
Resolved: November 1, 2023 at 1:41 PM
Description

Overview:
Mask or replace the CQL special characters * ? ^

Steps to Reproduce:
1. Open the new order screen: https://folio-snapshot.dev.folio.org/orders/create
2. Click Organization look-up
3. Use Search in "All" with one of these search strings: a, a*, a?, a^

Expected Results:
Find records where a word beginning with "a" is in at least one of the searched fields. Example result set:
- Alexander Street Press
- Amazon.com
- American Chemical Society
- Naxos of America, Inc.
A search using correct CQL is used.

Actual Results:
- "a" yields CQL="a*"; this is correct and returns the expected four results.
- "a*" yields CQL="a**"; this is wrong, the backend returns 400 with «org.folio.cql2pgjson.exception.QueryValidationException: * right truncation wildcard must be followed by space or end of string, but found *» and the front-end incorrectly shows «No results found for "a*". Please check your spelling and filters.»
- "a?" yields CQL="a?*"; this is wrong, the backend returns 400 with «org.folio.cql2pgjson.exception.QueryValidationException: ? wildcard not allowed in full text query string» and the front-end incorrectly shows «No results found for "a?". Please check your spelling and filters.»
- "a^" yields CQL="a^*"; this is incorrect CQL because ^ is a special CQL character that is only allowed at the beginning of the search string. The backend is forgiving and returns the expected four results; this may change, though. Therefore the CQL should be fixed.

The = operator runs a full text word search: https://dev.folio.org/faqs/explain-cql/ In a full text word search punctuation is ignored.

One way to fix this issue is to replace each of * ? ^ with a comma.

Additional Information:
See "masking" in the CQL spec: https://www.loc.gov/standards/sru/cql/contextSets/theCqlContextSet.html
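As an added example (not code from this ticket, from stripes-util or from the plugin), the masking fix proposed in the description written out in JavaScript, together with a small pre-flight check that encodes the three backend rules quoted in the actual results. The function names `maskCqlValue`, `buildLookupQuery` and `validateFullTextValue` are assumptions made here, as is the detail that the look-up appends a trailing `*` to the user's term, which is inferred from the queries shown above.

```javascript
// Added example, not the plugin's or stripes-util's own code.
// Assumption: the organization look-up builds "<term>*" from the user's input,
// as the observed queries a* / a** / a?* / a^* suggest.

// The CQL masking characters named in the ticket.
const CQL_MASK_CHARS = /[*?^]/g;

// Replace each masking character with a comma, as the ticket proposes.
// In a full text word search punctuation is ignored, so the comma simply
// separates words and no wildcard semantics survive in the query.
function maskCqlValue(term) {
  return term.replace(CQL_MASK_CHARS, ',');
}

// Build the "word begins with <term>" query after masking the user's input.
function buildLookupQuery(term) {
  return `${maskCqlValue(term)}*`;
}

// Return the list of rule violations in a full text query value, encoding
// the rules quoted from the backend and the CQL spec in the ticket:
//   * is only valid when followed by a space or the end of the string,
//   ? is not allowed at all in a full text query string,
//   ^ is only allowed at the very beginning of the search string.
// An empty list means the value passes all three checks.
function validateFullTextValue(value) {
  const problems = [];
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (c === '*') {
      const next = value[i + 1];
      if (next !== undefined && next !== ' ') {
        problems.push(`* at index ${i} must be followed by space or end of string`);
      }
    } else if (c === '?') {
      problems.push(`? at index ${i} is not allowed in a full text query string`);
    } else if (c === '^' && i !== 0) {
      problems.push(`^ at index ${i} is only allowed at the beginning`);
    }
  }
  return problems;
}

// Compare the unmasked query (what the ticket observed) with the masked one
// for each search string from the steps to reproduce.
function compareQueries(terms) {
  return terms.map((term) => {
    const unmasked = `${term}*`;
    const masked = buildLookupQuery(term);
    return {
      term,
      unmasked,
      unmaskedProblems: validateFullTextValue(unmasked),
      masked,
      maskedProblems: validateFullTextValue(masked),
    };
  });
}

// Constructed input: the four search strings from the ticket.
for (const row of compareQueries(['a', 'a*', 'a?', 'a^'])) {
  console.log(row);
}
```

The validator is a client-side sanity check on the query the front-end is about to send; it is not a substitute for the backend's own CQL parsing, which remains the authority on what is rejected.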