@huidongyin huidongyin commented Oct 17, 2025

This PR fixes several AbstractFilterExpressionConverter implementations that handled String values incorrectly by directly embedding them into the filter expression without proper escaping.

Previously, many converters contained code like:

// Unsafe "before" pattern: the raw String is embedded in the expression without escaping
else if (value instanceof String s) {
    context.append(String.format("valueText:\"%s\" ", s));
}

This approach is unsafe because it assumes that s does not contain special characters such as quotes (") or backslashes (\), which can lead to malformed expressions or potential injection issues.

Changes Introduced

  • Added proper escaping of String values in all affected converters.
  • Ensured that backslashes, quotes, and other special characters are safely encoded before being appended.
  • Replaced unsafe string concatenation with safer formatting or helper methods where applicable.

Motivation

This change prevents potential filter expression injection issues and ensures consistent and safe encoding of string literals across all filter expression converters.

Testing

  • Added/updated unit tests covering strings with special characters (", \, unicode sequences, etc.).
  • Verified that generated filter expressions are syntactically correct and properly escaped.

Related Issue

Fixes #4545

Checklist

  • Code builds and all existing tests pass
  • Added new test cases for special character handling
  • Verified compatibility and no breaking API changes

Example Before / After

| Input | Before | After |
| --- | --- | --- |
| "abc" | valueText:"abc" | valueText:"abc" |
| "a\"b" | valueText:"a"b" | valueText:"a\\\"b" |
| "C:\\path" | valueText:"C:\path" | valueText:"C:\\\\path" |
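As an added illustration of the pattern this PR fixes (example code, not Spring AI's converters or its FilterStringEscapeUtils), the unsafe branch is shown next to a version that escapes the value before embedding it; the class and method names (FilterLiteralEscapingExample, escapeDoubleQuoted, unsafeValueText, safeValueText) are hypothetical, and the inputs are the rows from the table above.

```java
/**
 * Added example, not part of the PR or the project. Shows the unescaped
 * "before" branch beside an escaping "after" branch for a double-quoted
 * filter literal. All names here are hypothetical.
 */
public final class FilterLiteralEscapingExample {

    /** UNSAFE: mirrors the pattern the PR removes; a quote in s ends the literal early. */
    static String unsafeValueText(String s) {
        return String.format("valueText:\"%s\" ", s);
    }

    /** Escape for a double-quoted literal: backslash first, then quotes and control chars. */
    static String escapeDoubleQuoted(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\' -> sb.append("\\\\");
                case '"'  -> sb.append("\\\"");
                case '\n' -> sb.append("\\n");
                case '\r' -> sb.append("\\r");
                case '\t' -> sb.append("\\t");
                default -> {
                    // Remaining control characters are emitted as \\uXXXX so the literal stays one line.
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
                }
            }
        }
        return sb.toString();
    }

    /** SAFE: the value is escaped before it is placed inside the quotes. */
    static String safeValueText(String s) {
        return String.format("valueText:\"%s\" ", escapeDoubleQuoted(s));
    }

    public static void main(String[] args) {
        // Constructed inputs: the three rows of the Before/After table plus a tab character.
        String[] inputs = { "abc", "a\"b", "C:\\path", "tab\there" };
        for (String in : inputs) {
            System.out.println("input : " + in);
            System.out.println("before: " + unsafeValueText(in));
            System.out.println("after : " + safeValueText(in));
        }
    }
}
```

Running it shows the "before" output for "a\"b" contains three bare quotes, which is exactly the malformed expression the PR describes, while the "after" output keeps every input inside one well-formed literal.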

…mentations

Fixes string injection security vulnerability where malicious strings containing quotes and escape sequences could be used to manipulate filter expressions.

* Add FilterStringEscapeUtils utility class for safe string escaping
* Fix AbstractFilterExpressionConverter to escape double quotes in string values
* Fix SimpleVectorStoreFilterExpressionConverter to escape single quotes in string values
* Fix WeaviateFilterExpressionConverter to escape GraphQL strings properly
* Fix AzureAiSearchFilterExpressionConverter to escape SQL strings properly
* Fix MariaDBFilterExpressionConverter to escape SQL strings properly
* Add comprehensive test coverage for security scenarios
* Update checkstyle suppressions for new test files

Signed-off-by: huidongyin <[email protected]>
@huidongyin huidongyin closed this Oct 17, 2025
Successfully merging this pull request may close these issues.

Many AbstractFilterExpressionConverters incorrectly handle String values
