
fix: Escape quotes and backslashes when performing substitution

Open rpeng opened this issue 1 year ago • 3 comments

When performing entity resolution, ES documents may sometimes contain string fields that contain quotes or backslashes.

These will then be picked up by zentity and substituted into the template here, which causes it to escape out of the query.

In the worst case, a specially crafted document can cause zentity to perform arbitrary queries - but I haven't gotten around to making a POC for this 😄. We discovered this by seeing com.fasterxml.jackson.core.JsonParseException when performing certain queries.

rpeng · Jul 14 '22 21:07
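The failure mode described in this issue, as an added example that is not part of zentity or of this pull request: a document value is spliced as raw text into a JSON query template, and a value containing a double quote or backslash either breaks the JSON (the parse exception the reporter saw) or rewrites the query's structure. The template, the `{{ value }}` placeholder syntax and all function names are assumptions made for this example; the "minimal fix" function mirrors the escaping the PR title describes, and a second variant delegates to the JSON encoder so that control characters are handled too.

```python
import json

# Constructed query template in the spirit of a zentity resolver template:
# the placeholder is replaced with an attribute value read from a document
# that was matched in an earlier round of resolution. The template, the
# placeholder syntax and the function names are assumptions for this example.
TEMPLATE = '{"query": {"match": {"name": "{{ value }}"}}}'
PLACEHOLDER = "{{ value }}"


def naive_substitute(template: str, value: str) -> str:
    """Vulnerable: the raw value is spliced into the JSON text unchanged."""
    return template.replace(PLACEHOLDER, value)


def escape_quotes_and_backslashes(value: str) -> str:
    """The minimal fix: backslashes first (so the quote escapes added next
    are not doubled), then double quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def escape_json_string(value: str) -> str:
    """Fuller fix: let the JSON encoder produce a complete string literal and
    strip its surrounding quotes. This also escapes control characters such
    as newlines, which JSON forbids inside a string literal."""
    return json.dumps(value)[1:-1]


def safe_substitute(template: str, value: str, escape=escape_json_string) -> str:
    """Substitute with an escaping function applied to the value first."""
    return template.replace(PLACEHOLDER, escape(value))


def parse_query(body: str):
    """Parse the substituted body. A parse failure (None) is the Python
    analogue of the JsonParseException reported in the issue; a successful
    parse whose structure differs from the template is the injection case."""
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def query_matches_template(query) -> bool:
    """Defensive check: the parsed query must have exactly the shape the
    template defines, with nothing added at any level."""
    return (
        isinstance(query, dict)
        and set(query) == {"query"}
        and set(query["query"]) == {"match"}
        and set(query["query"]["match"]) == {"name"}
        and isinstance(query["query"]["match"]["name"], str)
    )


if __name__ == "__main__":
    # Constructed sample values of the kinds the issue describes.
    samples = [
        'Smith "Jr"',                            # embedded double quote
        "C:\\",                                  # trailing backslash swallows the closing quote
        'x"}}, "size": 0, "x": {"y": {"z": "',   # value that rewrites the query structure
        "line1\nline2",                          # raw control character
    ]
    for value in samples:
        for label, fn in [("naive", naive_substitute), ("safe", safe_substitute)]:
            q = parse_query(fn(TEMPLATE, value))
            print(f"{label:5} {value!r:42} parsed={q is not None} "
                  f"shape_ok={query_matches_template(q)}")
```

The two-character escape fixes the quote and backslash cases from the issue, but a value holding a raw newline or other control character still yields invalid JSON, which is why the encoder-based variant is the safer default; building the query as an object and serializing it, rather than templating text, removes the class of problem entirely. The shape check is the kind of assertion worth keeping around substitution code regardless of which escaping is used.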

@davemoore- If this patch checks out, would it be possible to make a point release for this 🙏 ?

rpeng · Jul 14 '22 22:07

@austince / @davemoore- Friendly bump - any chance someone has some extra time to take a look at this 🙏 ? It would be great to have the fix upstream instead of building from a fork 😄

rpeng · Jul 19 '22 05:07

Hey @rpeng, thanks for the contribution! I unfortunately have no permissions in this repo, only @davemoore-.

austince · Jul 19 '22 13:07