
fix: escape LIKE wildcards in search queries

Escape %, _, and \ in user-supplied search input before
building LIKE patterns to prevent unintended wildcard
matching.

+12 -2
+12 -2
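--- a/internal/data/gorm_store.go
+++ b/internal/data/gorm_store.go
@@ -3,11 +3,21 @@
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 )
+
+// escapeLike escapes SQL LIKE pattern wildcards (%, _) in user input
+// so they are matched as literal characters.
+func escapeLike(s string) string {
+	s = strings.ReplaceAll(s, `\`, `\\`)
+	s = strings.ReplaceAll(s, `%`, `\%`)
+	s = strings.ReplaceAll(s, `_`, `\_`)
+	return s
+}
 
 type GormStore struct {
 	db *gorm.DB
@@ -123,7 +133,7 @@
 func (s *GormStore) SearchIRCLinks(ctx context.Context, query string, filter ClientFilter) ([]IRCLink, error) {
 	var links []IRCLink
 	// Simple LIKE search for cross-db compatibility
-	term := "%" + query + "%"
+	term := "%" + escapeLike(query) + "%"
 	// Exclude links with cached error previews using tiered TTLs:
 	// - Recent links (< 10 days old): error cache expires after 24h
 	// - Old links (>= 10 days old): error cache expires after 60 days
@@ -158,7 +168,7 @@
 func (s *GormStore) SearchQuotes(ctx context.Context, query string, filter ClientFilter) ([]Quote, error) {
 	var quotes []Quote
 	// Simple LIKE search for cross-db compatibility
-	term := "%" + query + "%"
+	term := "%" + escapeLike(query) + "%"
 	q := s.db.WithContext(ctx).
 		Where("quote LIKE ? OR author LIKE ? OR quoteID IN (SELECT resource_id FROM tags WHERE resource_type = 'quote' AND tag LIKE ?)", term, term, term)
 	q = applyClientFilter(q, filter)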
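Review bot: The backslash escaping added by escapeLike only takes effect if the engine treats backslash as the LIKE escape character, which SQLite does not by default, and none of the LIKE clauses in this section (e.g. the `Where(...)` in SearchQuotes at the end of the last hunk) declare one, so on such an engine a pattern like `%50\%%` matches a literal backslash followed by anything rather than a literal percent sign. Declare the escape character explicitly in every LIKE, e.g. `Where("quote LIKE ? ESCAPE '\\' OR author LIKE ? ESCAPE '\\' OR quoteID IN (SELECT resource_id FROM tags WHERE resource_type = 'quote' AND tag LIKE ? ESCAPE '\\')", term, term, term)`, and likewise in SearchIRCLinks, whose Where clause lies outside the second hunk. If any target engine also processes backslashes inside quoted string literals, a non-backslash escape character (for instance `!`, used consistently in both escapeLike and the ESCAPE clauses) sidesteps that quoting difference. The doc comment on escapeLike also lists only `%` and `_` although the function escapes `\` as well; `// escapeLike escapes the LIKE wildcards % and _, and the escape character \ itself, so user input is matched literally.` would match the code.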