[NXP-25953] String named parameters are not escaped when building the query - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3-SNAPSHOT
Fix Version/s: QualifiedToSchedule
Component/s: Query & PageProvider

Tags:
- nbm

Description

How to reproduce:

define a new page provider:

<genericPageProvider class="org.nuxeo.elasticsearch.provider.ElasticSearchNxqlPageProvider" name="list_docs">
      <trackUsage>true</trackUsage>
      <property name="coreSession">#{documentManager}</property>
      <searchDocumentType>list_docs_pp</searchDocumentType>
      <pattern>SELECT * FROM Document WHERE ecm:isVersion = 0 AND ecm:isTrashed = 0 AND ecm:path STARTSWITH :docPath</pattern>
      <pageSize>40</pageSize>
</genericPageProvider>

set the named parameters :docPath with a value containing a single quote like Bob's Workspace

=> The method NXQLQueryBuilder.getQuery() does not use the method NXQL.prepareStringLiteral() when replacing a String value for a named parameters

if (quoteParameters) {
  pattern = buildPattern(pattern, key, "'" + parameter + "'");
} else {
  pattern = buildPattern(pattern, key, parameter.toString());
}

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Gildas Lefevre

Participants:

Gildas Lefevre

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2018-10-12 20:39

Updated:

2018-10-29 15:33