<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 22:12:41 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[UIPFO-45] Mask or replace special characters to prevent CQL injection</title>
                <link>https://folio-org.atlassian.net/browse/UIPFO-45</link>
                <project id="10240" key="UIPFO">ui-plugin-find-organization</project>
                    <description>&lt;p&gt;&lt;b&gt;Overview:&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Mask or replace the CQL special characters &lt;tt&gt;* ? ^&lt;/tt&gt; in the user-entered search string before that string is embedded in the CQL query sent to the backend.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Steps to Reproduce:&lt;/b&gt;&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Open the new order screen: &lt;a href=&quot;https://folio-snapshot.dev.folio.org/orders/create&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-snapshot.dev.folio.org/orders/create&lt;/a&gt;&#160;&lt;/li&gt;
	&lt;li&gt;Click Organization look-up&lt;/li&gt;
	&lt;li&gt;Use Search in &quot;All&quot; with one of these search strings:
	&lt;ul&gt;
		&lt;li&gt;a&lt;/li&gt;
		&lt;li&gt;a*&lt;/li&gt;
		&lt;li&gt;a?&lt;/li&gt;
		&lt;li&gt;a^&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;&lt;b&gt;Expected Results:&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Find records where a word beginning with &lt;tt&gt;a&lt;/tt&gt; is in at least one of the searched fields.&lt;/p&gt;

&lt;p&gt;Example result set:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Alexander Street Press&lt;/li&gt;
	&lt;li&gt;Amazon.com&lt;/li&gt;
	&lt;li&gt;American Chemical Society&lt;/li&gt;
	&lt;li&gt;Naxos of America, Inc.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;For every search string the front-end sends syntactically correct CQL to the backend, i.e. the user input is treated as a literal search term and cannot change the structure of the query.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Actual Results:&lt;/b&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;tt&gt;a&lt;/tt&gt; yields CQL &lt;tt&gt;=&quot;a*&quot;&lt;/tt&gt;, this is correct and returns the expected four results.&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;a*&lt;/tt&gt; yields CQL &lt;tt&gt;=&quot;a&amp;#42;&amp;#42;&quot;&lt;/tt&gt;, this is wrong, the backend returns 400 with &#171;org.folio.cql2pgjson.exception.QueryValidationException: &amp;#42; right truncation wildcard must be followed by space or end of string, but found &amp;#42;&#187; and the front-end incorrectly shows &#171;No results found for &quot;a*&quot;. Please check your spelling and filters.&#187;&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;a?&lt;/tt&gt; yields CQL &lt;tt&gt;=&quot;a&amp;#63;&amp;#42;&quot;&lt;/tt&gt;, this is wrong, the backend returns 400 with &#171;org.folio.cql2pgjson.exception.QueryValidationException: ? wildcard not allowed in full text query string&#187; and the front-end incorrectly shows &#171;No results found for &quot;a?&quot;. Please check your spelling and filters.&#187;&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;a^&lt;/tt&gt; yields CQL &lt;tt&gt;=&quot;a&amp;#94;&amp;#42;&quot;&lt;/tt&gt;, this is incorrect CQL because ^ is a special CQL character that is only allowed at the beginning of the search string. The backend is forgiving and returns the expected four results; this may change, though. Therefore the CQL should be fixed.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The &lt;tt&gt;=&lt;/tt&gt; operator runs a full text word search: &lt;a href=&quot;https://dev.folio.org/faqs/explain-cql/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://dev.folio.org/faqs/explain-cql/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In a full text word search punctuation is ignored, so replacing the special characters with punctuation does not change which words are matched.&lt;/p&gt;

&lt;p&gt;One way to fix this issue is to replace each &lt;tt&gt;* ? ^&lt;/tt&gt; with a comma. Whichever replacement or masking is chosen, it must be applied to the search string before it is placed inside the quoted CQL value. Note that the linked STUTL-33 additionally covers &lt;tt&gt;&quot;&lt;/tt&gt; and &lt;tt&gt;\&lt;/tt&gt;, which, if left unmasked, could terminate or escape the quoted value rather than merely produce an invalid query.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Additional Information:&lt;/b&gt;&lt;br/&gt;
See &quot;masking&quot; in CQL spec: &lt;a href=&quot;https://www.loc.gov/standards/sru/cql/contextSets/theCqlContextSet.html&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.loc.gov/standards/sru/cql/contextSets/theCqlContextSet.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Interested parties:&lt;/b&gt;&lt;br/&gt;
&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=70121%3A92c13c93-4bd7-43ce-a9fb-7337fdb5c0e9&quot; class=&quot;user-hover&quot; rel=&quot;70121:92c13c93-4bd7-43ce-a9fb-7337fdb5c0e9&quot; data-account-id=&quot;70121:92c13c93-4bd7-43ce-a9fb-7337fdb5c0e9&quot; accountid=&quot;70121:92c13c93-4bd7-43ce-a9fb-7337fdb5c0e9&quot; rel=&quot;noreferrer&quot;&gt;Sara Colglazier&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="78722">UIPFO-45</key>
            <summary>Mask or replace special characters to prevent CQL injection</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10003" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p4.svg">P4</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10001">Duplicate</resolution>
                                                        <assignee accountid="712020:954aac8a-bfab-442c-92fe-93bc90a8b8e1">Yury Saukou</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                    </labels>
                <created>Tue, 17 Oct 2023 10:22:18 +0000</created>
                <updated>Wed, 1 Nov 2023 13:41:12 +0000</updated>
                            <resolved>Wed, 1 Nov 2023 13:41:11 +0000</resolved>
                                    <version>5.0.0</version>
                                                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                <comments>
                                                            <comment id="187519" author="6371fa3b77acd224b33c1afd" created="Tue, 31 Oct 2023 14:26:02 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; on refinement we decided to mark this ticket with P4 priority and set the Quesnelia release; if you don&apos;t agree, please provide more details and we will take a look and re-prioritize it.&lt;/p&gt;</comment>
                                                            <comment id="187520" author="712020:954aac8a-bfab-442c-92fe-93bc90a8b8e1" created="Wed, 1 Nov 2023 12:55:45 +0000"  >&lt;p&gt;After a little investigation, it turned out that the plugin (like most other applications) &lt;a href=&quot;https://github.com/folio-org/stripes-acq-components/blob/fc2f33dfcfd00a083c930d9ef9cd3e5e19f6630f/lib/AcqList/utils/queryUtils.js#L73C32-L73C46&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;uses&lt;/a&gt; the &#8220;&lt;a href=&quot;https://github.com/folio-org/stripes-util/blob/master/lib/escapeCqlValue.js#L9&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;escapeCqlValue&lt;/a&gt;&#8221; function from &#8220;stripes-util&#8221; to strip special characters from the query.&lt;br/&gt;
Since the same ticket already exists for `stripes-util` (
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;STUTL-33&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/STUTL-33&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;escapeCqlValue for &amp;quot; \ ^ * ?&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            STUTL-33
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Blocked&lt;/span&gt;
            &lt;/span&gt;
), the question arises: do we need to change anything? If it&apos;s planned to change the behavior of &quot;escapeCqlValue&quot; function to exclude more special characters, then we should not change anything, otherwise, we need to replace this utility with a custom one.&lt;/p&gt;

&lt;p&gt;&#1089;&#1089; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A2f7b6349-450b-419a-ba54-c181f51383ad&quot; class=&quot;user-hover&quot; rel=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; data-account-id=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; accountid=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; rel=&quot;noreferrer&quot;&gt;Dennis Bridges&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=615afd1cd9820f0070a09ef0&quot; class=&quot;user-hover&quot; rel=&quot;615afd1cd9820f0070a09ef0&quot; data-account-id=&quot;615afd1cd9820f0070a09ef0&quot; accountid=&quot;615afd1cd9820f0070a09ef0&quot; rel=&quot;noreferrer&quot;&gt;Zak Burke&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="187521" author="557058:7fb61edd-2bf6-4f3a-9e98-eb9b7444cf67" created="Wed, 1 Nov 2023 13:41:12 +0000"  >&lt;p&gt;based on discussion on refinement&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10002">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="39595">STUTL-33</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="39595">STUTL-33</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="63688" name="find-org-asterisk.png" size="89743" author="5ee89462f7aa140abd82d11d" created="Tue, 17 Oct 2023 10:41:05 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10185"><![CDATA[Thunderjet]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i08b5s:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10046" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Release</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10079"><![CDATA[Quesnelia (R1 2024)]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="196">ACQ Sprint 177</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10044" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 31 Oct 2023 14:26:02 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>