[MODINVSTOR-293] CQL identifiers=")" fails with "invalid regular expression: parentheses () not balanced" SQL Injection - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: 15.4.0
Fix Version/s: 16.0.0
Labels:

Template:
customfield_11100 26604
Sprint:
CP: sprint 65
Story Points:
1
Development Team:
Core: Platform

Description

The CQL query

identifiers=")"

is valid, parentheses need no masking inside of quotes.
Apply urlencoding:

identifiers%3D%22%29%22

Invoke curl:

curl -H "X-Okapi-Tenant: diku"  http://localhost:8081/instance-storage/instances?query=identifiers%3D%22%29%22

There is SQL injection resulting in this error message:

ErrorMessage(fields=Map(Line -> 208, File -> regexp.c, SQLSTATE -> 2201B, Routine -> RE_compile_and_cache, V -> ERROR, Message -> invalid regular expression: parentheses () not balanced, Severity -> ERROR))

This is the produced SQL:

WHERE lower(f_unaccent(instance.jsonb->>'identifiers')) ~ lower(f_unaccent('(^|[[:punct:]]|[[:space:]]|(?=[[:punct:]]|[[:space:]])))($|[[:punct:]]|[[:space:]]|(?<=[[:punct:]]|[[:space:]]))')) LIMIT 10 OFFSET 0

TestRail: Results

Attachments

Issue Links

blocks

MODORDERS-262 PO with a POL whose productID has a paren, copied/edited from Instance cannot be saved

Closed

UIIN-569 Search for titles with value with parenthesis results in error messages when search term: All (title, contributor, identifier)

Closed

is blocked by

MODINVSTOR-285 upgrade to RMB 26 and resolve related issues

Closed

relates to

RMB-396 mask ) ] } in regexp to prevent SQL injection

Closed

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Jun/19 1:35 PM

Updated:: 14/Jun/19 2:20 PM

Resolved:: 12/Jun/19 3:40 PM

CQL identifiers=")" fails with "invalid regular expression: parentheses () not balanced" SQL Injection