Escape the values to contains operator in dao packages (#13774)

fixes #13018 Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2024-12-29 12:07:56 +01:00 · 2020-12-16 14:19:20 +08:00 · 2020-12-16 14:19:20 +08:00 · 3b04d2f8f5
commit 3b04d2f8f5
parent 488d802a2b
4 changed files with 6 additions and 3 deletions
--- a/src/common/dao/label.go
+++ b/src/common/dao/label.go
@ -71,7 +71,7 @@ func getLabelQuerySetter(query *models.LabelQuery) orm.QuerySeter {
 	qs := GetOrmer().QueryTable(&models.Label{})
 	if len(query.Name) > 0 {
 		if query.FuzzyMatchName {
-			qs = qs.Filter("Name__icontains", query.Name)
+			qs = qs.Filter("Name__icontains", Escape(query.Name))
 		} else {
 			qs = qs.Filter("Name", query.Name)
 		}
--- a/src/lib/orm/query.go
+++ b/src/lib/orm/query.go
@ -143,7 +143,7 @@ func snakeCase(str string) string {
 func queryByColumn(qs orm.QuerySeter, key string, value interface{}) orm.QuerySeter {
 	// fuzzy match
 	if f, ok := value.(*q.FuzzyMatchValue); ok {
-		return qs.Filter(key+"__icontains", f.Value)
+		return qs.Filter(key+"__icontains", Escape(f.Value))
 	}

 	// range
--- a/src/pkg/scan/dao/scanner/registration.go
+++ b/src/pkg/scan/dao/scanner/registration.go
@ -106,6 +106,9 @@ func ListRegistrations(query *q.Query) ([]*Registration, error) {
 					qt = qt.Filter(kk, v)
 					continue
 				}
+				if s, ok := v.(string); ok {
+					v = liborm.Escape(s)
+				}

 				qt = qt.Filter(fmt.Sprintf("%s__icontains", k), v)
 			}
--- a/src/replication/dao/policy.go
+++ b/src/replication/dao/policy.go
@ -41,7 +41,7 @@ func GetPolicies(queries ...*model.PolicyQuery) (int64, []*models.RepPolicy, err

 	query := queries[0]
 	if len(query.Name) != 0 {
-		qs = qs.Filter("Name__icontains", query.Name)
+		qs = qs.Filter("Name__icontains", common_dao.Escape(query.Name))
 	}
 	if len(query.Namespace) != 0 {
 		// TODO: Namespace filter not implemented yet