  1. ui-users
  2. UIU-2163

Missing id causes invalid CQL id==()


Details

    • Standard Bug Write-Up Format
    • Prokopovych - Sprint 114
    • 0.5
    • Prokopovych
    • R2 2021
    • GBV, TAMU

    Description

      This error message pops up:

      ERROR: in module @folio/users, operation GET on resource 'loanPolicies' failed, saying: org.folio.cql2pgjson.exception.QueryValidationException: org.z3950.zing.cql.CQLParseException: expected index or term, got ')'

      Wayne thinks the query string is not appropriately escaped, so the parentheses are parsed as part of the CQL rather than as part of the string.

      This is the sample data loan record https://github.com/folio-org/mod-circulation-storage/blob/v12.2.1/sample-data/loans/bridget-jones-baby-item.json:

      {
        "id": "40f5e9d9-38ac-458e-ade7-7795bd821652",
        "userId": "47f7eaea-1a18-4058-907c-62b7d095c61b",
        "itemId": "1b6d3338-186e-4e35-9e75-1b886b0da53e",
        "loanDate": "2017-03-05T18:32:31Z",
        "dueDate": "2017-03-19T18:32:31Z",
        "action": "checkedout",
        "itemStatus": "Checked out",
        "status": {
          "name": "Open"
        },
        "renewalCount": 0
      } 

      Note that there is no "loanPolicyId", no "overdueFinePolicyId" and no "lostItemPolicyId".

      These properties are optional.

      The front-end fetches the loan data from the /circulation/loans API, which returns

          "loanPolicy" : {
            "name" : null
          },
          "overdueFinePolicy" : {
            "name" : null
          },
          "lostItemPolicy" : {
            "name" : null
          },
      

      This is the CQL query that the front-end sends to the /loan-policy-storage/loan-policies API:

      id==()
      

      It seems that Stripes creates the CQL query:
      https://github.com/folio-org/ui-users/blob/v6.0.5/src/routes/LoansListingContainer.js#L44
      https://github.com/folio-org/ui-users/blob/v6.0.5/src/routes/LoanDetailContainer.js#L77

      Stripes should always put the value into quotes and use escapeCqlValue:

      id=="$val"
      

      where $val is

      escapeCqlValue(id)
      

      This avoids CQL injection.
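      The following is an added example, not code from ui-users or Stripes, showing the two query shapes discussed above side by side: the unquoted interpolation that produces id==() when the optional policy id is absent, and a hardened builder that skips the request when there is nothing to look up and otherwise emits id=="$val" with the value escaped. escapeCql here is an assumed stand-in for the escapeCqlValue the issue recommends (its escape set, backslash-escaping \ " * ? ^, is an assumption); policyQueryForId, policyQueryForIds, policyIdsOf and the constructed sampleLoan are hypothetical names for illustration.

```javascript
// Added example, not ui-users or Stripes code.
// escapeCql is a stand-in for the escapeCqlValue the issue recommends; the escape
// set is an assumption: backslash-escape the characters CQL treats specially
// inside a double-quoted term.
function escapeCql(value) {
  return String(value).replace(/[\\"*?^]/g, (c) => `\\${c}`);
}

// Mimics the construction the issue describes: ids interpolated unquoted and
// unescaped into id==(...). With no ids the result is the invalid query id==(),
// and any value containing CQL syntax changes the shape of the query.
function unsafeQuery(ids) {
  return `id==(${ids.join(' or ')})`;
}

// Hardened single-id lookup: returns null when the optional id is absent so the
// caller can skip the request, otherwise one quoted, escaped term.
function policyQueryForId(id) {
  if (id === undefined || id === null || id === '') return null;
  return `id=="${escapeCql(id)}"`;
}

// Hardened multi-id lookup: drops missing ids, quotes and escapes the rest and
// joins them with the CQL boolean `or`; null when nothing is left to look up.
function policyQueryForIds(ids) {
  const terms = (ids || [])
    .filter((id) => id !== undefined && id !== null && id !== '')
    .map((id) => `id=="${escapeCql(id)}"`);
  return terms.length > 0 ? terms.join(' or ') : null;
}

// Constructed loan modelled on the sample record in the issue: the three
// optional policy ids are absent.
const sampleLoan = {
  id: '40f5e9d9-38ac-458e-ade7-7795bd821652',
  userId: '47f7eaea-1a18-4058-907c-62b7d095c61b',
  itemId: '1b6d3338-186e-4e35-9e75-1b886b0da53e',
  action: 'checkedout',
  status: { name: 'Open' },
};

// Collects the loan-policy ids of a loan list before querying loan-policy-storage.
function policyIdsOf(loans) {
  return loans.map((loan) => loan.loanPolicyId);
}

// Runs the three cases and returns them so they can be inspected or asserted on.
function demonstrate() {
  const ids = policyIdsOf([sampleLoan]);
  return {
    before: unsafeQuery(ids.filter(Boolean)),        // 'id==()'
    after: policyQueryForIds(ids),                   // null: skip the request
    escaped: policyQueryForId('policy"with*chars'),  // 'id=="policy\"with\*chars"'
  };
}

console.log(demonstrate());
```

      The null return is the point: a missing loanPolicyId is legitimate data, so the fix is to not send a lookup at all rather than to send an empty one, and every id that is sent travels inside quotes after escaping.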

              People

                zburke Zak_Burke
                jroot Jason Root