[MM-18036] Sanitize sql LIKE terms on search endpoints (#12044)

* Sanitize sql LIKE terms on search endpoints * Add search term sanitization in additional places
2025-02-25 18:55:24 -06:00 · 2019-09-11 10:56:12 +02:00
parent 8b969426f0
commit 814c234443
9 changed files with 62 additions and 32 deletions
--- a/store/sqlstore/user_store.go
+++ b/store/sqlstore/user_store.go
@@ -409,11 +409,13 @@ func applyRoleFilter(query sq.SelectBuilder, role string, isPostgreSQL bool) sq.
 		return query
 	}

-	roleParam := fmt.Sprintf("%%%s%%", role)
 	if isPostgreSQL {
+		roleParam := fmt.Sprintf("%%%s%%", sanitizeSearchTerm(role, "\\"))
 		return query.Where("u.Roles LIKE LOWER(?)", roleParam)
 	}

+	roleParam := fmt.Sprintf("%%%s%%", sanitizeSearchTerm(role, "*"))
+
 	return query.Where("u.Roles LIKE ? ESCAPE '*'", roleParam)
 }

@@ -1222,15 +1224,6 @@ func (us SqlUserStore) SearchInChannel(channelId string, term string, options *m
 	return us.performSearch(query, term, options)
 }

-var escapeLikeSearchChar = []string{
-	"%",
-	"_",
-}
-
-var ignoreLikeSearchChar = []string{
-	"*",
-}
-
 var spaceFulltextSearchChar = []string{
 	"<",
 	">",
@@ -1265,15 +1258,7 @@ func generateSearchQuery(query sq.SelectBuilder, terms []string, fields []string
 }

 func (us SqlUserStore) performSearch(query sq.SelectBuilder, term string, options *model.UserSearchOptions) ([]*model.User, *model.AppError) {
-	// These chars must be removed from the like query.
-	for _, c := range ignoreLikeSearchChar {
-		term = strings.Replace(term, c, "", -1)
-	}
-
-	// These chars must be escaped in the like query.
-	for _, c := range escapeLikeSearchChar {
-		term = strings.Replace(term, c, "*"+c, -1)
-	}
+	term = sanitizeSearchTerm(term, "*")

 	searchType := USER_SEARCH_TYPE_NAMES_NO_FULL_NAME
 	if options.AllowEmails {