[UIPFO-45] Mask or replace special characters to prevent CQL injection Created: 17/Oct/23 Updated: 01/Nov/23 Resolved: 01/Nov/23 |
|
| Status: | Closed |
| Project: | ui-plugin-find-organization |
| Components: | None |
| Affects versions: | 5.0.0 |
| Fix versions: | None |
| Type: | Bug | Priority: | P4 |
| Reporter: | Julian Ladisch | Assignee: | Yury Saukou |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Attachments: | |
| Issue links: | |
| Sprint: | ACQ Sprint 177 |
| Story Points: | 2 |
| Development Team: | Thunderjet |
| Release: | Quesnelia (R1 2024) |
| RCA Group: | TBD |
| Description |
|
Overview: Mask or replace the CQL special characters * ? ^
Steps to Reproduce:
Expected Results: Find records where a word beginning with a is in at least one of the searched fields. Example result set:
A search using correct CQL is used.
Actual Results: The = operator runs a full text word search: https://dev.folio.org/faqs/explain-cql/ In a full text word search, punctuation is ignored. One way to fix this issue is to replace each * ? ^ with a comma.
Additional Information:
Interested parties: |
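The fix the description proposes, shown as an added example rather than code from ui-plugin-find-organization or stripes-util: a query builder that interpolates the user's term verbatim beside one that replaces * ? ^ with commas before building the CQL "=" query. The search field list, the function names, and the extra escaping of backslash and double quote (which is not mentioned on the page) are assumptions.

```javascript
// Added example, not code from ui-plugin-find-organization or stripes-util.
// It applies the fix the ticket proposes: replace the CQL special characters
// * ? ^ with a comma before the user's term is interpolated into a CQL "="
// (full-text word) query, where punctuation is ignored anyway.

// Hypothetical field list; the plugin's real search fields are not on the page.
const SEARCH_FIELDS = ['name', 'code', 'aliases'];

// * and ? are CQL wildcards, ^ is the CQL anchor character.
const CQL_SPECIALS = /[*?^]/g;

// Replace each special character with a comma (the ticket's suggested fix).
function sanitizeCqlTerm(term) {
  return term.replace(CQL_SPECIALS, ',');
}

// Vulnerable builder: the user's text is interpolated verbatim, so a term
// such as `*` or `a^` rewrites the query instead of being searched for.
function buildQueryUnsafe(term) {
  return SEARCH_FIELDS.map((f) => `${f}="${term}*"`).join(' or ');
}

// Hardened builder: neutralise * ? ^, then (assumption beyond the ticket)
// backslash-escape the two characters that could terminate the quoted
// CQL string literal: backslash and double quote.
function buildQuerySafe(term) {
  const cleaned = sanitizeCqlTerm(term).replace(/["\\]/g, '\\$&');
  return SEARCH_FIELDS.map((f) => `${f}="${cleaned}*"`).join(' or ');
}

// Regression-check helper: true when a raw term contains characters that
// would change CQL semantics if passed through without treatment.
function containsCqlSpecials(term) {
  return /[*?^"\\]/.test(term);
}

console.log(buildQueryUnsafe('a^')); // the anchor reaches the query unchanged
console.log(buildQuerySafe('a^'));   // searched as the word "a" with prefix match
```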
| Comments |
| Comment by Serhii_Nosko [ 31/Oct/23 ] |
|
Hi Julian Ladisch, on refinement we decided to mark this ticket with P4 priority and set the Quesnelia release; if you don't agree, please provide more details and we will take a look and re-prioritize. |
| Comment by Yury Saukou [ 01/Nov/23 ] |
|
After a little investigation, it turned out that the plugin (like most other applications) uses the “escapeCqlValue” function from “stripes-util” to clear the query from special characters. |
| Comment by Mikita Siadykh [ 01/Nov/23 ] |
|
Based on discussion on refinement.