[UIPFO-45] Mask or replace special characters to prevent CQL injection Created: 17/Oct/23  Updated: 01/Nov/23  Resolved: 01/Nov/23

Status: Closed
Project: ui-plugin-find-organization
Components: None
Affects versions: 5.0.0
Fix versions: None

Type: Bug Priority: P4
Reporter: Julian Ladisch Assignee: Yury Saukou
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Attachments: find-org-asterisk.png (PNG)
Issue links:
  duplicates: STUTL-33 escapeCqlValue for " \ ^ * ? (status: Blocked)
  relates to: STUTL-33 escapeCqlValue for " \ ^ * ? (status: Blocked)
Sprint: ACQ Sprint 177
Story Points: 2
Development Team: Thunderjet
Release: Quesnelia (R1 2024)
RCA Group: TBD

Description

Overview:

Mask or replace the CQL special characters * ? ^

Steps to Reproduce:

  1. Open the new order screen: https://folio-snapshot.dev.folio.org/orders/create 
  2. Click Organization look-up
  3. Use Search in "All" with one of these search strings:
    • a
    • a*
    • a?
    • a^

Expected Results:

Find records where a word beginning with a is in at least one of the searched fields.

Example result set:

  • Alexander Street Press
  • Amazon.com
  • American Chemical Society
  • Naxos of America, Inc.

The search is sent to the backend as syntactically valid CQL.

Actual Results:

  • a yields CQL ="a*", this is correct and returns the expected four results.
  • a* yields CQL ="a**", this is wrong, the backend returns 400 with «org.folio.cql2pgjson.exception.QueryValidationException: * right truncation wildcard must be followed by space or end of string, but found *» and the front-end incorrectly shows «No results found for "a*". Please check your spelling and filters.»
  • a? yields CQL ="a?*", this is wrong, the backend returns 400 with «org.folio.cql2pgjson.exception.QueryValidationException: ? wildcard not allowed in full text query string» and the front-end incorrectly shows «No results found for "a?". Please check your spelling and filters.»
  • a^ yields CQL ="a^*", this is incorrect CQL because ^ is a special CQL character that is only allowed at the beginning of the search string. The backend is forgiving and returns the expected four results; this may change, though. Therefore the CQL should be fixed.

The = operator runs a full text word search: https://dev.folio.org/faqs/explain-cql/

In full text word search punctuation is ignored.

One way to fix this issue is to replace each * ? ^ with a comma.

Additional Information:
See "masking" in CQL spec: https://www.loc.gov/standards/sru/cql/contextSets/theCqlContextSet.html

Interested parties:
Sara Colglazier
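The following is an added example, not code from ui-plugin-find-organization or stripes-util. It reproduces the query construction the description reports (user input with a trailing "*", sent with the full-text "=" operator) beside two hardened builders: backslash masking as described in the CQL context set, and the comma replacement suggested above. The field names, the `validateFullTextValue` approximation of the two backend error checks quoted in the ticket, and the assumption that cql2pgjson honours masking for every listed character are illustrative assumptions, not facts established on this page.

```javascript
// Added example (not the plugin's or stripes-util's code).
// Field names are assumed for illustration of the "All" search.
const SEARCHED_FIELDS = ['name', 'code', 'aliases.value'];

// Buggy construction from the ticket: "a*" -> ="a**", "a?" -> ="a?*".
function naiveCqlTerm(userInput) {
  return `="${userInput}*"`;
}

// Option 1: CQL masking. A backslash makes the following character literal,
// so wildcards lose their meaning and a " cannot close the string early
// (the injection case: x" or code="y would otherwise add a clause).
function escapeCqlValue(value) {
  return value.replace(/[\\"*?^]/g, (ch) => `\\${ch}`);
}

// Option 2 (suggested in the description): replace * ? ^ with a comma, which
// the full-text search ignores as punctuation. " and \ still need masking,
// otherwise the quoted string can be broken out of.
function replaceCqlWildcards(value) {
  return value
    .replace(/[*?^]/g, ',')
    .replace(/[\\"]/g, (ch) => `\\${ch}`);
}

function safeCqlTerm(userInput, sanitize = escapeCqlValue) {
  return `="${sanitize(userInput)}*"`;
}

// "All" search: one term per field, OR-ed together.
function buildAllFieldsQuery(userInput, sanitize = escapeCqlValue) {
  const term = safeCqlTerm(userInput, sanitize);
  return SEARCHED_FIELDS.map((f) => `${f}${term}`).join(' or ');
}

// Approximation (an assumption, not cql2pgjson's real code) of the two
// backend checks quoted in the ticket, plus a check that an unmasked "
// would terminate the quoted string. Masked characters (preceded by \)
// are literal and skipped, as the CQL context set describes.
function validateFullTextValue(value) {
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\\') { i += 1; continue; }
    if (ch === '"') {
      throw new Error('unmasked " terminates the string: clause injection');
    }
    if (ch === '?') {
      throw new Error('? wildcard not allowed in full text query string');
    }
    if (ch === '*') {
      const next = value[i + 1];
      if (next !== undefined && next !== ' ') {
        throw new Error(`* right truncation wildcard must be followed by space or end of string, but found ${next}`);
      }
    }
  }
  return true;
}

function isValidFullTextValue(value) {
  try { return validateFullTextValue(value); } catch (e) { return false; }
}

// Strip the leading =" and the trailing " to get the quoted string content.
function quotedContent(term) {
  return term.slice(2, -1);
}

// Demo over the ticket's inputs plus an injection attempt.
for (const input of ['a', 'a*', 'a?', 'a^', 'x" or code="y']) {
  const naive = naiveCqlTerm(input);
  const masked = safeCqlTerm(input);
  const comma = safeCqlTerm(input, replaceCqlWildcards);
  console.log(
    `${JSON.stringify(input)}: naive ${naive} ok=${isValidFullTextValue(quotedContent(naive))}`
    + ` | masked ${masked} ok=${isValidFullTextValue(quotedContent(masked))}`
    + ` | comma ${comma} ok=${isValidFullTextValue(quotedContent(comma))}`,
  );
}
```

Note that `a^` passes the approximate validator in both the naive and the hardened form; that matches the description (the backend is forgiving about a trailing ^) and is exactly why the reporter asks for the CQL to be fixed rather than relying on that leniency.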



Comments
Comment by Serhii_Nosko [ 31/Oct/23 ]

Hi Julian Ladisch, on refinement we decided to mark this ticket with P4 priority and set the Quesnelia release; if you don't agree, please provide more details and we will take a look and re-prioritize.

Comment by Yury Saukou [ 01/Nov/23 ]

After a little investigation, it turned out that the plugin (like most other applications) uses the "escapeCqlValue" function from "stripes-util" to strip special characters from the query.
Since the same ticket already exists for `stripes-util` (STUTL-33, Blocked), the question arises: do we need to change anything? If it is planned to change the behavior of the "escapeCqlValue" function to exclude more special characters, then we should not change anything; otherwise, we need to replace this utility with a custom one.

cc Dennis Bridges Zak Burke

Comment by Mikita Siadykh [ 01/Nov/23 ]

Based on discussion on refinement.

Generated at Thu Feb 08 22:12:40 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.