Add backslash escaping to redis text search values

westey-m · westey-m · commit 857077d41f6a · 2026-04-21T13:46:31.000Z
diff --git a/dotnet/src/VectorData/Redis/RedisFilterTranslator.cs b/dotnet/src/VectorData/Redis/RedisFilterTranslator.cs
@@ -258,8 +258,8 @@ private void TranslateAny(Expression source, LambdaExpression lambda)
 
     private static string SanitizeStringConstant(string value)
 #if NET
-        => value.Replace("\"", "\\\"", StringComparison.Ordinal);
+        => value.Replace("\\", "\\\\", StringComparison.Ordinal).Replace("\"", "\\\"", StringComparison.Ordinal);
 #else
-        => value.Replace("\"", "\\\"");
+        => value.Replace("\\", "\\\\").Replace("\"", "\\\"");
 #endif
 }
diff --git a/dotnet/test/VectorData/Redis.UnitTests/RedisFilterTranslatorTests.cs b/dotnet/test/VectorData/Redis.UnitTests/RedisFilterTranslatorTests.cs
@@ -108,6 +108,58 @@ public void Equal_with_double_quote_in_value()
         Assert.Equal("""@Name:{"foo\"bar"}""", result);
     }
 
+    [Fact]
+    public void Equal_with_backslash_in_value()
+    {
+        var result = Translate<TestRecord>(r => r.Name == "foo\\bar");
+        Assert.Equal("""@Name:{"foo\\bar"}""", result);
+    }
+
+    [Fact]
+    public void Equal_with_single_backslash()
+    {
+        var result = Translate<TestRecord>(r => r.Name == "\\");
+        Assert.Equal("""@Name:{"\\"}""", result);
+    }
+
+    [Fact]
+    public void Equal_with_backslash_quote_injection_attempt()
+    {
+        // Input: \" which should NOT break out of the quoted string
+        var result = Translate<TestRecord>(r => r.Name == "\\\"");
+        Assert.Equal("""@Name:{"\\\""}""", result);
+    }
+
+    [Fact]
+    public void Equal_with_backslash_quote_wildcard_injection()
+    {
+        // The specific attack payload: \" | * | \"
+        var result = Translate<TestRecord>(r => r.Name == "\\\" | * | \\\"");
+        Assert.Equal("""@Name:{"\\\" | * | \\\""}""", result);
+    }
+
+    [Fact]
+    public void Contains_with_backslash_in_value()
+    {
+        var result = Translate<TestRecord>(r => r.Tags.Contains("foo\\bar"));
+        Assert.Equal("""@Tags:{"foo\\bar"}""", result);
+    }
+
+    [Fact]
+    public void Contains_with_backslash_quote_injection_attempt()
+    {
+        var result = Translate<TestRecord>(r => r.Tags.Contains("\\\""));
+        Assert.Equal("""@Tags:{"\\\""}""", result);
+    }
+
+    [Fact]
+    public void Any_with_backslash_in_values()
+    {
+        var values = new[] { "a\\b", "c\\d" };
+        var result = Translate<TestRecord>(r => r.Tags.Any(t => values.Contains(t)));
+        Assert.Equal("""@Tags:{"a\\b" | "c\\d"}""", result);
+    }
+
     private static string Translate<TRecord>(Expression<Func<TRecord, bool>> filter)
     {
         var model = BuildModel();
