Details
- Bug
- Status: Closed
- P2
- Resolution: Done
- 6.0.0
- Multi-node K8s cluster backed by vSphere.
- Prokopovych - Sprint 114
- 0.5
- Prokopovych
- R2 2021
- GBV, TAMU
Description
- Open https://folio-iris.dev.folio.org/ or https://folio-snapshot.dev.folio.org
- Open the Users app
- Find sample data user "Hilll, Justen Else" and open the user record
- Click on "1 open loan" in the Loans accordion
This error message pops up:
ERROR: in module @folio/users, operation GET on resource 'loanPolicies' failed, saying: org.folio.cql2pgjson.exception.QueryValidationException: org.z3950.zing.cql.CQLParseException: expected index or term, got ')'
Wayne thinks the query string is not appropriately escaped, so the parens are parsed as part of the CQL rather than as part of the string.
This is the sample data loan record https://github.com/folio-org/mod-circulation-storage/blob/v12.2.1/sample-data/loans/bridget-jones-baby-item.json:
{
  "id": "40f5e9d9-38ac-458e-ade7-7795bd821652",
  "userId": "47f7eaea-1a18-4058-907c-62b7d095c61b",
  "itemId": "1b6d3338-186e-4e35-9e75-1b886b0da53e",
  "loanDate": "2017-03-05T18:32:31Z",
  "dueDate": "2017-03-19T18:32:31Z",
  "action": "checkedout",
  "itemStatus": "Checked out",
  "status": { "name": "Open" },
  "renewalCount": 0
}
Note that there is no "loanPolicyId", no "overdueFinePolicyId" and no "lostItemPolicyId".
These properties are optional.
The front-end fetches the loan data from the /circulation/loans API that returns
"loanPolicy" : { "name" : null }, "overdueFinePolicy" : { "name" : null }, "lostItemPolicy" : { "name" : null },
This is the CQL query that the front-end sends to the /loan-policy-storage/loan-policies API:
id==()
It seems that Stripes creates the CQL query:
https://github.com/folio-org/ui-users/blob/v6.0.5/src/routes/LoansListingContainer.js#L44
https://github.com/folio-org/ui-users/blob/v6.0.5/src/routes/LoanDetailContainer.js#L77
Stripes should always put the value into quotes and use escapeCqlValue:
id=="$val"
where $val is
escapeCqlValue(id)
This avoids CQL injection.
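As an added illustration (not ui-users or stripes code), the following shows the unquoted pattern that produces id==() for a loan without a loanPolicyId next to a builder that quotes and escapes every value and returns null when there is nothing to look up, so the caller skips the request. escapeCqlValue here is an assumed stand-in for the stripes helper, and the shape of the unsafe builder is an assumption about the pattern described above, not a quote of the ui-users source.

```javascript
// Assumed stand-in for the stripes escapeCqlValue helper: backslash-escapes the
// characters CQL treats specially inside a quoted term.
function escapeCqlValue(value) {
  return String(value).replace(/[\\"*?^]/g, (c) => `\\${c}`);
}

// Unsafe pattern (assumed shape): ids are spliced into the query unquoted and
// unescaped. A loan without loanPolicyId contributes nothing, so the query
// degenerates to "id==()", which the CQL parser rejects.
function buildPolicyQueryUnsafe(ids) {
  const present = ids.filter((id) => id !== undefined && id !== null && id !== '');
  return `id==(${present.join(' or ')})`;
}

// Hardened builder: every value is quoted and escaped, and an empty list yields
// null so the caller does not issue the request at all.
function buildPolicyQuery(ids) {
  const present = ids.filter((id) => id !== undefined && id !== null && id !== '');
  if (present.length === 0) return null;
  const terms = present.map((id) => `"${escapeCqlValue(id)}"`);
  return present.length === 1 ? `id==${terms[0]}` : `id==(${terms.join(' or ')})`;
}

// Constructed sample: the sample-data loan above has no loanPolicyId.
const sampleLoans = [{ id: '40f5e9d9-38ac-458e-ade7-7795bd821652' }];
const policyIds = sampleLoans.map((loan) => loan.loanPolicyId);
console.log(buildPolicyQueryUnsafe(policyIds)); // id==()
console.log(buildPolicyQuery(policyIds));       // null
```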