[MTE-149] Searchfn.searchPages does not escape illegal characters
Created: 03/Oct/22  Updated: 04/Oct/22

Status: Open
Project: Magnolia Templating Essentials
Component/s: models
Affects Version/s: 2.0.2
Fix Version/s: None

Type: Bug
Priority: Neutral
Reporter: Kurt Rüegg
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

Description

Steps to reproduce

  1. Use searchfn.searchPages with searchTerm="("
  2. See Exception in Log

Caused by: javax.jcr.RepositoryException: Exception building query: org.apache.lucene.queryParser.ParseException: Cannot parse '(': Encountered "<EOF>" at line 1, column 7.
Was expecting one of:
    <AND> ...
    <OR> ...
    <NOT> ...
    "+" ...
    "-" ...
    "(" ...
    ")" ...
    "*" ...
    "^" ...
    <QUOTED> ...
    <TERM> ...
    <FUZZY_SLOP> ...
    <PREFIXTERM> ...
    <WILDTERM> ...
    "[" ...
    "{" ...
    <NUMBER> ...

        at org.apache.jackrabbit.core.query.lucene.LuceneQueryBuilder.createQuery(LuceneQueryBuilder.java:244) ~[jackrabbit-core-2.20.4.jar:2.20.4]
        at org.apache.jackrabbit.core.query.lucene.QueryImpl.execute(QueryImpl.java:109) ~[jackrabbit-core-2.20.4.jar:2.20.4]
        at org.apache.jackrabbit.core.query.QueryImpl$1.perform(QueryImpl.java:132) ~[jackrabbit-core-2.20.4.jar:2.20.4]
        at org.apache.jackrabbit.core.query.QueryImpl$1.perform(QueryImpl.java:129) ~[jackrabbit-core-2.20.4.jar:2.20.4]
        at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216) ~[jackrabbit-core-2.20.4.jar:2.20.4]
        at org.apache.jackrabbit.core.query.QueryImpl.execute(QueryImpl.java:128) ~[jackrabbit-core-2.20.4.jar:2.20.4]
        at info.magnolia.templating.functions.SearchTemplatingFunctions.searchContent(SearchTemplatingFunctions.java:163) ~[magnolia-templating-essentials-models-2.0.1.jar:?]
        at info.magnolia.templating.functions.SearchTemplatingFunctions.searchPages(SearchTemplatingFunctions.java:123) ~[magnolia-templating-essentials-models-2.0.1.jar:?]

Expected results

Special characters in searchTerm should be escaped in order to prevent any JCR-SQL2 injection and exceptions.

Actual results

Exception as listed above.

Workaround

Reimplement the function using JCR-SQL2 and bind the parameter using the bindValue function.
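
A sketch of the workaround described above, added here as an illustration; it is not code from the ticket or from Magnolia. The class name, the escapeFullText helper, the use of the mgnl:page node type and the assumption that the full-text backend accepts backslash escapes are all assumptions of this example.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

public class SafePageSearch {

    // Characters with meaning in Lucene query syntax (the parser named in the stack trace).
    private static final String LUCENE_SPECIAL = "\\+-!():^[]\"{}~*?|&";

    /** Hypothetical helper: backslash-escape query-syntax characters so the term is matched literally. */
    static String escapeFullText(String term) {
        StringBuilder sb = new StringBuilder(term.length() + 8);
        for (char c : term.toCharArray()) {
            if (LUCENE_SPECIAL.indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Hypothetical replacement for searchPages: constant statement, bound search term. */
    static QueryResult searchPages(Session session, String searchTerm, long limit)
            throws RepositoryException {
        if (searchTerm == null || searchTerm.trim().isEmpty()) {
            throw new IllegalArgumentException("empty search term");
        }
        QueryManager qm = session.getWorkspace().getQueryManager();
        // The statement is a constant: user input never becomes part of the JCR-SQL2 text.
        Query q = qm.createQuery(
                "SELECT * FROM [mgnl:page] AS p WHERE CONTAINS(p.*, $term)", Query.JCR_SQL2);
        // Binding keeps the term out of the statement; escaping keeps the
        // full-text parser from reading "(" and similar as query operators.
        q.bindValue("term", session.getValueFactory().createValue(escapeFullText(searchTerm)));
        q.setLimit(limit);
        return q.execute();
    }

    public static void main(String[] args) {
        // Constructed inputs, including the "(" from the steps to reproduce.
        for (String s : new String[] {"(", "c++ [draft]", "a\"b"}) {
            System.out.println(s + " -> " + escapeFullText(s));
        }
    }
}
```

The main method only exercises the escaping helper; searchPages needs a live JCR session against a repository that indexes the mgnl:page nodes.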

Development notes

