PIN-4557: Safer mongodb regex filters (#197)

src/main/scala/it/pagopa/interop/purposeprocess/common/readmodel/ReadModelPurposeQueries.scala

@@ -143,8 +143,8 @@ object ReadModelPurposeQueries extends ReadModelQuery {
     val eServicesIdsFilter = mapToVarArgs(eServicesIds.map(Filters.eq("data.eserviceId", _)))(Filters.or)
     val consumersIdsFilter = mapToVarArgs(consumersIds.map(Filters.eq("data.consumerId", _)))(Filters.or)
     val titleFilter        =
-      if (exactMatchOnTitle) title.map(n => Filters.regex("data.title", s"^$n$$", "i"))
-      else title.map(Filters.regex("data.title", _, "i"))
+      if (exactMatchOnTitle) title.map(n => safeRegex("data.title", s"^$n$$", "i"))
+      else title.map(safeRegex("data.title", _, "i"))
     mapToVarArgs(
       eServicesIdsFilter.toList ++ consumersIdsFilter.toList ++ statesFilter.toList ++ titleFilter.toList // :+ permissionFilter
     )(Filters.and).getOrElse(Filters.empty())

src/main/scala/it/pagopa/interop/purposeprocess/common/readmodel/ReadModelQuery.scala

@@ -1,5 +1,12 @@
 package it.pagopa.interop.purposeprocess.common.readmodel
 
+import org.mongodb.scala.bson.conversions.Bson
+import org.mongodb.scala.model.Filters
+
 trait ReadModelQuery {
   def mapToVarArgs[A, B](l: Seq[A])(f: Seq[A] => B): Option[B] = Option.when(l.nonEmpty)(f(l))
+
+  def escape(str: String): String = str.replaceAll("([.*+?^${}()|\\[\\]\\\\])", "\\\\$1")
+  def safeRegex(fieldName: String, pattern: String, options: String): Bson =
+    Filters.regex(fieldName, escape(pattern), options)
 }