
Missing id causes invalid CQL id==()


    Details

    • Template:
      Standard Bug Write-Up Format
    • Sprint:
      Prokopovych - Sprint 114
    • Story Points:
      0.5
    • Development Team:
      Prokopovych
    • Release:
      R2 2021
    • Affected Institution:
      GBV, TAMU

      Description

      This error message pops up:

      ERROR: in module @folio/users, operation GET on resource 'loanPolicies' failed, saying: org.folio.cql2pgjson.exception.QueryValidationException: org.z3950.zing.cql.CQLParseException: expected index or term, got ')'

      Wayne Schneider thinks the query string is not appropriately escaped, so the parens are parsed as part of the CQL rather than part of the string.

      This is the sample data loan record https://github.com/folio-org/mod-circulation-storage/blob/v12.2.1/sample-data/loans/bridget-jones-baby-item.json :

      {
        "id": "40f5e9d9-38ac-458e-ade7-7795bd821652",
        "userId": "47f7eaea-1a18-4058-907c-62b7d095c61b",
        "itemId": "1b6d3338-186e-4e35-9e75-1b886b0da53e",
        "loanDate": "2017-03-05T18:32:31Z",
        "dueDate": "2017-03-19T18:32:31Z",
        "action": "checkedout",
        "itemStatus": "Checked out",
        "status": {
          "name": "Open"
        },
        "renewalCount": 0
      } 

      Note that there is no "loanPolicyId", no "overdueFinePolicyId" and no "lostItemPolicyId".

      These properties are optional.

      The front-end fetches the loan data from the /circulation/loans API, which returns

          "loanPolicy" : {
            "name" : null
          },
          "overdueFinePolicy" : {
            "name" : null
          },
          "lostItemPolicy" : {
            "name" : null
          },
      

      This is the CQL query that the front-end sends to the /loan-policy-storage/loan-policies API:

      id==()
      

      It seems that Stripes creates the CQL query:
      https://github.com/folio-org/ui-users/blob/v6.0.5/src/routes/LoansListingContainer.js#L44
      https://github.com/folio-org/ui-users/blob/v6.0.5/src/routes/LoanDetailContainer.js#L77

      Stripes should always put the value into quotes and use escapeCqlValue:

      id=="$val"
      

      where $val is

      escapeCqlValue(id)
      

      This avoids CQL injection.
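      The following is an added example, not code from ui-users or Stripes. It shows the failure mode described above (an unquoted, unescaped id list that collapses to `id==()` when the optional loanPolicyId is absent) next to a hardened builder that skips missing ids, quotes each value and escapes it. The loan records, the function names and the `escapeCqlValue` stand-in (backslash-escaping `\`, `"` and the CQL masking characters `*`, `?`, `^`) are assumptions made for this example; Stripes' real escapeCqlValue should be used in the project itself.

```javascript
// Added example, not project code. Sample loan records constructed for this
// example; the first mirrors the sample-data record in the report and has
// no loanPolicyId at all (the property is optional).
const SAMPLE_LOANS = [
  { id: '40f5e9d9-38ac-458e-ade7-7795bd821652', userId: '47f7eaea-1a18-4058-907c-62b7d095c61b' },
  { id: 'loan-2', loanPolicyId: 'd9cd0bed-1b49-4b5e-a7bd-064b8d177231' },
  { id: 'loan-3', loanPolicyId: 'd9cd0bed-1b49-4b5e-a7bd-064b8d177231' }, // same policy again
  { id: 'loan-4', loanPolicyId: 'abc"*' },                                  // quote and wildcard
];

// Hypothetical stand-in for Stripes' escapeCqlValue (assumption, not the
// real helper): inside a double-quoted CQL term, backslash, double quote and
// the masking characters * ? ^ are prefixed with a backslash so the value
// is matched literally instead of being parsed as CQL syntax.
function escapeCqlValue(value) {
  return String(value).replace(/[\\"*?^]/g, (c) => `\\${c}`);
}

// Unsafe form (illustrative of the bug, not the project's exact code):
// interpolates whatever ids are present, unquoted and unescaped. For a
// single loan without loanPolicyId the id list is empty and the query
// becomes the invalid `id==()` from the error message.
function buildPolicyQueryUnsafe(loans) {
  const ids = loans.map((l) => l.loanPolicyId);
  return `id==(${ids.join(' or ')})`;
}

// Hardened form: drop missing ids, de-duplicate, quote every value and
// escape it. Returns null when there is nothing to look up so the caller
// can skip the request instead of sending a query with an empty term list.
function buildPolicyQuery(loans, field = 'loanPolicyId') {
  const ids = [...new Set(
    loans.map((l) => l[field]).filter((id) => id != null && id !== ''),
  )];
  if (ids.length === 0) return null;
  const terms = ids.map((id) => `id=="${escapeCqlValue(id)}"`);
  return `(${terms.join(' or ')})`;
}

console.log(buildPolicyQueryUnsafe([SAMPLE_LOANS[0]])); // id==()
console.log(buildPolicyQuery([SAMPLE_LOANS[0]]));       // null: no request needed
console.log(buildPolicyQuery(SAMPLE_LOANS));
```

      The hardened builder returns null rather than an empty query so the container can decide not to call /loan-policy-storage/loan-policies at all when no loan carries a policy id; the same function works for overdueFinePolicyId and lostItemPolicyId by passing the field name.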

                People

                Assignee:
                zburke Zak_Burke
                Reporter:
                jroot Jason Root