Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-3415

Underscore treated as SQL special character on group and user name searches

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Low Low
    • None
    • 3.3.3
    • Search

      Issue Summary

      The underscore character (_) is matching any character in a Crowd Query Language search.
      This occurs when searching for users and groups from the Crowd UI and when using the /rest/usermanagement/1/search REST API method.

      Steps to Reproduce

      1. Install a Vanilla instance of Crowd.
      2. Create a sample Internal Directory with default configuration.
      3. Add 4 groups to this sample directory:
        • Name: testing_search
        • Name: testingsearch
        • Name: testing-search
        • Name: testing1search
      4. In the Search Groups page, select the sample directory and do a search for string 'g-s'.
        • Only the testing-search group appears in the search result.
      5. Still in the Search Groups page, select the sample directory and do a search for string 'g_s'.

      Expected Results

      Only the testing_search group appears in the search result.

      Actual Results

      The following groups are shown in the search result as matching the search string:

      • testing-search
      • testing1search
      • testing_search

      Notes

      The underscore character is a wildcard for many database engines, matching any single character.
      This character is not escaped when passed along to the database.

      The same issue occurs when using the REST API method /rest/usermanagement/1/search to perform a CQL search.

      Workaround

      When performing searches from the UI you may escape the _ character.
      For example, searching for the string below would only return the testing_search group:

      g\_s

      There's no workaround for the REST API use case.

            [CWD-3415] Underscore treated as SQL special character on group and user name searches

            joe added a comment -

            This may be fixable through ('ESCAPE'). Replace the above example with:

            query.append("LIKE ?placeholder ESCAPE '\\'");
value = escapedSlashPercentAndUnderscoreWithBackslash(value);
hibernateQuery.setParameter("?placeholder", "%" + value + "%");

            joe added a comment - This may be fixable through ( 'ESCAPE' ). Replace the above example with: query.append("LIKE ?placeholder ESCAPE '\\'"); value = escapedSlashPercentAndUnderscoreWithBackslash(value); hibernateQuery.setParameter("?placeholder", "%" + value + "%");

            joe added a comment -

            The code uses a named parameter, so there is no SQL injection attack, but it treats the user input as part of a pattern rather than as a literal. Effectively:

            query.append("LIKE ?placeholder");
hibernateQuery.setParameter("?placeholder", "%" + value + "%");

            joe added a comment - The code uses a named parameter, so there is no SQL injection attack, but it treats the user input as part of a pattern rather than as a literal. Effectively: query.append("LIKE ?placeholder"); hibernateQuery.setParameter("?placeholder", "%" + value + "%");

              Unassigned Unassigned
              wwalser wwalser (Inactive)
              Affected customers:
              5 This affects my team
              Watchers:
              8 Start watching this issue

                Created:
                Updated: