Merge pull request #32 from DmitryBrus/textSearch-sqlInjection

Prevent sqlInjection in textSearch
slim-gears · Nov 26, 2023 · 869f50d · 869f50d
2 parents 504d862 + 7820a20
commit 869f50d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/...-orientdb/src/main/java/com/slimgears/rxrepo/orientdb/OrientDbSqlExpressionGenerator.java b/...-orientdb/src/main/java/com/slimgears/rxrepo/orientdb/OrientDbSqlExpressionGenerator.java
@@ -39,17 +39,14 @@ protected ExpressionTextGenerator.Interceptor createInterceptor() {
         return searchTextInterceptor;
     }
 
-    @SuppressWarnings("unchecked")
     private String onVisitSearchTextExpression(Function<? super ObjectExpression<?, ?>, String> visitor, BooleanBinaryOperationExpression<?, ?, String> expression, Supplier<String> visitedExpression) {
-        String searchText = ((ConstantExpression<?, String>)expression.right()).value()
-                .replace("\\", "\\\\");
-
         String concat = PropertyExpressions.searchableProperties(expression.left())
                 .map(PropertyExpression::asString)
                 .map(visitor)
                 .collect(Collectors.joining(" + ' ' + "));
 
-        return formatAndFixQuotes("((%s) containsText  '%s')").reduce(expression, concat, searchText);
+        String searchExpression = super.toSqlExpression(expression.right());
+        return formatAndFixQuotes("((%s) containsText %s)").reduce(expression, concat, searchExpression);
     }
 
     private String onVisitBinaryExpression(Function<? super ObjectExpression<?, ?>, String> visitor, BooleanBinaryOperationExpression<?, ?, ?> expression, Supplier<String> visitedExpression) {

diff --git a/rxrepo-test/src/main/java/com/slimgears/rxrepo/test/AbstractRepositoryTest.java b/rxrepo-test/src/main/java/com/slimgears/rxrepo/test/AbstractRepositoryTest.java
@@ -263,7 +263,7 @@ public void testInsertThenLiveSelectShouldReturnAdded() throws InterruptedExcept
                 .assertValueAt(10, NotificationPrototype::isCreate);
     }
 
-    @Test @UseLogLevel(LogLevel.TRACE)
+    @Test @UseLogLevel(LogLevel.DEBUG)
     public void testSearchTextWithSpecialChars() {
         products.update(Products.createOne().toBuilder()
                 .key(UniqueId.productId(1))
@@ -277,6 +277,18 @@ public void testSearchTextWithSpecialChars() {
         Assert.assertEquals(Long.valueOf(1), products.findAll(Product.$.searchText(":> Product / {with} (special) % [chars]; - and more\\")).count().blockingGet());
     }
 
+    @Test @UseLogLevel(LogLevel.DEBUG)
+    public void testSearchSqlInjection() {
+        products.update(Products.createOne().toBuilder()
+                        .key(UniqueId.productId(1))
+                        .name("Product").build())
+                .ignoreElement()
+                .blockingAwait();
+
+        Assert.assertEquals(Long.valueOf(0), products.findAll(Product.$.searchText("Product Foo' and 1=1 or 'a'='a")).count().blockingGet());
+    }
+
+
     @Test
     @UseLogLevel(LogLevel.TRACE)
     public void testInsertThenLiveSelectCountShouldReturnCount() throws InterruptedException {