Mask or replace special characters to prevent CQL injection

Description

Overview:

Mask or replace the CQL special characters * ? ^

Steps to Reproduce:

  1. Open the new order screen: https://folio-snapshot.dev.folio.org/orders/create 

  2. Click Organization look-up

  3. Use Search in "All" with one of these search strings:

    • a

    • a*

    • a?

    • a^

Expected Results:

Find records where a word beginning with a is in at least one of the searched fields.

Example result set:

  • Alexander Street Press

  • Amazon.com

  • American Chemical Society

  • Naxos of America, Inc.

The search is executed using correct CQL.

Actual Results:

  • a yields CQL ="a*"; this is correct and returns the expected four results.

  • a* yields CQL ="a**"; this is wrong: the backend returns 400 with «org.folio.cql2pgjson.exception.QueryValidationException: * right truncation wildcard must be followed by space or end of string, but found *» and the front-end incorrectly shows «No results found for "a*". Please check your spelling and filters.»

  • a? yields CQL ="a?*"; this is wrong: the backend returns 400 with «org.folio.cql2pgjson.exception.QueryValidationException: ? wildcard not allowed in full text query string» and the front-end incorrectly shows «No results found for "a?". Please check your spelling and filters.»

  • a^ yields CQL ="a^*"; this is incorrect CQL because ^ is a special CQL character that is only allowed at the beginning of the search string. The backend is currently forgiving and returns the expected four results, but this may change, so the CQL should be fixed.

The = operator runs a full text word search: https://dev.folio.org/faqs/explain-cql/

In a full text word search, punctuation is ignored.

One way to fix this issue is to replace each * ? ^ with a comma.

Additional Information:
See "masking" in CQL spec: https://www.loc.gov/standards/sru/cql/contextSets/theCqlContextSet.html
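The following is an added example (not FOLIO project code and not the stripes-util escapeCqlValue function) showing both sanitising approaches discussed above: the comma replacement proposed in this issue, and backslash masking as described under "masking" in the CQL context set. The function buildAllFieldsQuery and the ="<value>*" query shape are assumptions modelled on the queries quoted in the Actual Results; the sample search strings are the ones from the reproduction steps.

```javascript
// Added example: neutralise the CQL special characters * ? ^ in a user-typed
// search term before it is embedded in a right-truncated full-text query.

// Option A (the fix proposed in this issue): replace each * ? ^ with a comma.
// Full-text word search ignores punctuation, so the comma does not change
// which records match, and no wildcard or anchor reaches the backend.
function replaceCqlSpecials(term) {
  return term.replace(/[*?^]/g, ',');
}

// Option B: backslash-mask the characters the CQL context set treats as
// special inside a quoted term: backslash, * ? ^ and the double quote.
// The term keeps its original characters but they lose their meaning.
function maskCqlSpecials(term) {
  return term.replace(/[\\*?^"]/g, '\\$&');
}

// Hypothetical builder for the "All" look-up query; the page shows the
// unsanitised form  ="a*"  for the input a. The sanitizer is pluggable so the
// two options can be compared on the same input.
function buildAllFieldsQuery(term, sanitize = replaceCqlSpecials) {
  const value = sanitize(term.trim());
  return `="${value}*"`;
}

// True when a sanitised value contains no unmasked * ? ^ (defender's check:
// run this on the final query value before sending it to the backend).
function hasUnmaskedSpecials(value) {
  return /(^|[^\\])[*?^]/.test(value);
}

// Constructed sample inputs mirroring the reproduction steps of this issue.
const samples = ['a', 'a*', 'a?', 'a^'];
for (const s of samples) {
  console.log(`${s} -> comma: ${buildAllFieldsQuery(s)}  masked: ${buildAllFieldsQuery(s, maskCqlSpecials)}`);
}
```

With the comma replacement, a* becomes ="a,*", so only the intentional trailing truncation wildcard is left; with masking it becomes ="a\**", which is valid CQL per the spec but, as the issue notes for ^, depends on how forgiving the backend's CQL parser is, so the comma approach is the one that avoids relying on backend behaviour.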

Potential Workaround

None

Activity

Mikita Siadykh November 1, 2023 at 1:41 PM

based on discussion on refinement

Yury Saukou November 1, 2023 at 12:55 PM
Edited

After a little investigation, it turned out that the plugin (like most other applications) uses the “escapeCqlValue” function from “stripes-util” to clear the query from special characters.
Since the same ticket already exists for `stripes-util` (), the question arises: do we need to change anything? If it's planned to change the behavior of "escapeCqlValue" function to exclude more special characters, then we should not change anything, otherwise, we need to replace this utility with a custom one.

cc

Serhii_Nosko October 31, 2023 at 2:26 PM

Hi, on refinement we decided to mark this ticket with P4 priority and set the Quesnelia release; if you don't agree, please provide more details and we will take a look and re-prioritize.

Details

Resolution: Duplicate

Development Team: Thunderjet

Release: Quesnelia (R1 2024)

RCA Group: TBD

Created October 17, 2023 at 10:22 AM
Updated November 1, 2023 at 1:41 PM
Resolved November 1, 2023 at 1:41 PM