fix(490): Add question mark to escaped chars in TokenEscaper#519
shchepinova wants to merge 1 commit into redis:main from
Conversation
Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset. In case there are security findings, they will be communicated to you as a comment inside the PR. Hope you’ll enjoy using Jit. Questions? Comments? Want to learn more? Get in touch with us.
| # Same as above but excludes * to allow wildcard patterns | ||
| ESCAPED_CHARS_NO_WILDCARD = r"[,.<>{}\[\]\\\"\':;!@#$%^&()\-+=~\/ ]" | ||
| ESCAPED_CHARS_NO_WILDCARD = r"[,.<>{}\[\]\\\"\':;!@#$%^&()\-+=~\/ \?]" |
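Review bot: the new `\?` in the `ESCAPED_CHARS_NO_WILDCARD = r"[,.<>{}\[\]\\\"\':;!@#$%^&()\-+=~\/ \?]"` line escapes the single-character wildcard in the one class that is meant to keep wildcards working; the comment directly above ("excludes * to allow wildcard patterns") documents that purpose for `*`, and `?` plays the same role as a one-character glob, so a value such as `patter?` escaped through this class becomes a literal match. Suggest adding `?` to the default class only and leaving this class unchanged, or, if `?` is deliberately escaped here, updating that comment so the two classes no longer claim to differ only in `*`. Minor: inside a character class `\?` and `?` are equivalent, so the backslash adds nothing.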
Question mark escaped even when preserving wildcards
Medium Severity
The ? character is a single-character wildcard in Redis (like * is a multi-character wildcard), but it was added to ESCAPED_CHARS_NO_WILDCARD which is the pattern used when preserve_wildcards=True. This pattern intentionally excludes * to preserve wildcard functionality, so ? needs to be excluded from it as well. Currently, LIKE operator queries using ? as a single-character wildcard (e.g., Tag("field") % "patter?") will have the ? escaped, breaking wildcard matching.
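To make the interaction the review comment describes concrete, here is a small self-contained escaper written for this page; it is not redisvl's code. The two `ESCAPED_CHARS_NO_WILDCARD` character classes are copied from the diff above (before and after this PR); `DEFAULT_ESCAPED_CHARS` is an assumption modelled on the same class with `*` and `?` added, since the page describes but does not show it, and the `TokenEscaper.escape(value, preserve_wildcards=...)` signature is likewise assumed from the comment rather than taken from the project. Running it shows that with the PR's class a `preserve_wildcards=True` escape of `patter?` yields `patter\?`, while `*` in the same mode is left alone.

```python
import re

# Character classes copied from the diff in this PR.
# Class before the PR: keeps * (and, as a side effect, ?) unescaped so glob patterns work.
ESCAPED_CHARS_NO_WILDCARD_BEFORE = r"[,.<>{}\[\]\\\"\':;!@#$%^&()\-+=~\/ ]"
# Class as changed by the PR: ? is now escaped even in wildcard-preserving mode.
ESCAPED_CHARS_NO_WILDCARD_PR = r"[,.<>{}\[\]\\\"\':;!@#$%^&()\-+=~\/ \?]"
# Assumed (not shown on the page): the full class used when wildcards are NOT preserved,
# i.e. the same set plus the two glob metacharacters.
DEFAULT_ESCAPED_CHARS = r"[,.<>{}\[\]\\\"\':;!@#$%^&()\-+=~\/ *?]"


class TokenEscaper:
    """Hypothetical re-implementation of the escaper this PR touches (not redisvl's code).

    Every character matched by the selected class is prefixed with a backslash, which is
    how RediSearch query syntax expects punctuation inside a token to be quoted.
    """

    def __init__(self, default_class=DEFAULT_ESCAPED_CHARS,
                 no_wildcard_class=ESCAPED_CHARS_NO_WILDCARD_PR):
        self._default = re.compile(default_class)
        self._no_wildcard = re.compile(no_wildcard_class)

    def escape(self, value: str, preserve_wildcards: bool = False) -> str:
        # preserve_wildcards selects the class that is supposed to leave glob
        # metacharacters untouched so LIKE-style queries keep working.
        pattern = self._no_wildcard if preserve_wildcards else self._default
        return pattern.sub(lambda m: "\\" + m.group(0), value)


def demo() -> dict:
    """Compare the PR's wildcard-preserving class with the pre-PR one on constructed inputs."""
    pr = TokenEscaper()  # PR's ESCAPED_CHARS_NO_WILDCARD
    before = TokenEscaper(no_wildcard_class=ESCAPED_CHARS_NO_WILDCARD_BEFORE)
    return {
        # The case the review flags: ? is escaped although wildcards were to be preserved.
        "pr_preserve": pr.escape("patter?", preserve_wildcards=True),
        # Same input through the pre-PR class: ? survives as a single-character wildcard.
        "before_preserve": before.escape("patter?", preserve_wildcards=True),
        # Literal mode is where escaping ? is wanted (the PR's stated goal).
        "pr_literal": pr.escape("what?", preserve_wildcards=False),
        # * is still left alone in wildcard-preserving mode, showing the asymmetry.
        "star_preserve": pr.escape("red*", preserve_wildcards=True),
        # Ordinary tag punctuation is escaped in both modes.
        "tag_value": pr.escape("a-b.c", preserve_wildcards=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The asymmetry between `star_preserve` and `pr_preserve` is the whole of the reviewer's point: a class that exists to preserve wildcards should treat both glob metacharacters the same way.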


This PR adds question mark ? to the escape characters in TokenEscaper. The "Expand TokenEscaper to escape ? and | characters" issue also mentions adding the pipe character |, but this will cause TestMultiPrefixTextQuery.test_text_query_returns_both_prefixes, which uses the pipe character as a logical OR in its text search, to fail.

Note
Low Risk
Low risk: small regex change to query token escaping plus updated unit tests; potential impact is limited to queries containing ? now matching literally instead of acting as an unescaped special character.

Overview
TokenEscaper now escapes question marks by including ? in both DEFAULT_ESCAPED_CHARS and ESCAPED_CHARS_NO_WILDCARD, and updates the reference link for the escaping rules. Unit tests are updated to assert ? is escaped in both general text inputs and tag-like values, removing prior TODO expectations.

Written by Cursor Bugbot for commit d931c2e. This will update automatically on new commits.