RMB-725: StringUtil.cqlEncode masking CQL characters preventing CQL injection

Project: RAML Module Builder


Details

    • CP: sprint 97
    • 1
    • None
    • Q3 2020

    Description

      The characters * ? ^ \ " have special meaning when used in a CQL string constant. CQL injection is possible if they are not properly masked/encoded, which may result in severe security vulnerabilities.
      Write StringUtil.cqlEncode for reuse by all modules that use RMB.

      References:
      https://dev.folio.org/faqs/explain-cql/
      https://github.com/folio-org/raml-module-builder#cql-relations
      https://www.loc.gov/standards/sru/cql/spec.html
      https://www.loc.gov/standards/sru/cql/contextSets/theCqlContextSet.html
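The following is an added illustration of what such an encoder does; it is not RMB's StringUtil.cqlEncode and the class and method names (CqlEncodeExample, cqlEncode, cqlQuote) are assumptions. Per the CQL spec linked above, a backslash inside a double-quoted string constant escapes the character that follows it, so the encoder prefixes each of the five special characters with a backslash. The main method contrasts the unmasked concatenation that the ticket warns about with the masked form, using a constructed sample input.

```java
// Added example, not RMB's own code. Shows how masking the five CQL
// special characters keeps attacker-controlled text inside a string constant.
public final class CqlEncodeExample {

    private CqlEncodeExample() {
    }

    /**
     * Prefix each CQL special character (* ? ^ \ ") with a backslash so it is
     * taken literally inside a double-quoted CQL string constant.
     * A null input is treated as the empty string (assumption for this example).
     */
    public static String cqlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '*' || c == '?' || c == '^' || c == '\\' || c == '"') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /**
     * Wrap the masked text in double quotes to form a complete CQL string
     * constant, ready to be placed after a relation such as ==.
     */
    public static String cqlQuote(String s) {
        return "\"" + cqlEncode(s) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample: user text containing a quote, a wildcard and a backslash.
        String userInput = "smith\" or name=\"*\\";

        // Unmasked: the embedded quote ends the constant early and the rest of the
        // input is parsed as CQL, i.e. the injection the ticket describes.
        String unmasked = "name==\"" + userInput + "\"";

        // Masked: every special character is escaped, so the whole input stays
        // one literal string constant; * and ? lose their wildcard meaning.
        String masked = "name==" + cqlQuote(userInput);

        System.out.println("unmasked query: " + unmasked);
        System.out.println("masked query:   " + masked);
    }
}
```

Because `*` and `?` are masked along with the rest, a caller that deliberately wants a truncation search has to append the wildcard outside the encoded constant (for example `cqlQuote(term) ` with `*` added after encoding), rather than passing it through user input.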

People

  julianladisch Julian Ladisch