Skip to content

Commit

Permalink
fix: fix multiple tokenization expressions in one queries failing
Browse files Browse the repository at this point in the history 
This generated invalid AQL syntax, but it was not an AQL injection
vulnerability because all user data was passed as variables
(parametrized, outside the query string), and it was also not feasible
to construct a query that would do mutations or read any persistent data
by exploiting this bug.
  • Loading branch information
@Yogu
Yogu committed Jan 18, 2023
1 parent 3c5d080 commit 2e0baca
Show file tree
Hide file tree
Showing 3 changed files with 26 additions and 2 deletions.
13 changes: 13 additions & 0 deletions spec/regression/logistics/tests/flex-search.graphql
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,30 @@ query containsAnyWord {
deliveryNumber
}
}

query containsAllWords {
flexSearchDeliveries(flexSearchFilter: { description_contains_all_words: "all words" }) {
deliveryNumber
}
}

query containsAllPrefixes {
flexSearchDeliveries(flexSearchFilter: { description_contains_all_prefixes: "all prefixes" }) {
deliveryNumber
}
}

query multipleTokenizationExpressions {
flexSearchDeliveries(
flexSearchFilter: {
description_contains_all_prefixes: "phrase"
itemsAggregation: { itemNumber_contains_all_prefixes: "1002" }
}
) {
deliveryNumber
}
}

query containsAllPrefixesWithEmptyFilter {
flexSearchDeliveries(
filter: {}
Expand Down
13 changes: 12 additions & 1 deletion spec/regression/logistics/tests/flex-search.result.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,18 @@
]
}
},
"multipleTokenizationExpressions": {
"data": {
"flexSearchDeliveries": [
{
"deliveryNumber": "1000173"
},
{
"deliveryNumber": "1000522"
}
]
}
},
"containsAllPrefixesWithEmptyFilter": {
"data": {
"flexSearchDeliveries": [
Expand Down Expand Up @@ -80,7 +92,6 @@
"expressionFulltext": {
"data": {
"flexSearchDeliveries": [

{
"deliveryNumber": "1000173"
},
Expand Down
2 changes: 1 addition & 1 deletion src/database/arangodb/aql-generator.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1943,5 +1943,5 @@ export function generateTokenizationQuery(
aql`${aql.identifier('token_' + i)}: TOKENS(${value.expression}, ${value.analyzer})`,
);
}
return aql`RETURN { ${aql.join(fragments, aql`',\n`)} }`;
return aql`RETURN { ${aql.join(fragments, aql`,\n`)} }`;
}

0 comments on commit 2e0baca

Please sign in to comment.