The v3 client uses the _sanitize_str function in util.py to sanitize quotation marks and newlines in input to the server's GraphQL endpoint. Quotation marks that are already escaped are left untouched, but _sanitize_str mishandles strings where the quotation mark is preceded by an even number of backslashes greater than one. This bug can be triggered with input to a Where filter, resulting in potential injection against the GraphQL server through user input.
Here's an example script showing the results, run using weaviate-client 3.99.0a4.
The issue appears fixable by replacing the regular expression in _sanitize_str with the following:
This new regex passes through any even number of consecutive backslashes, adding the final odd one to escape the quotation mark when necessary. If the number of consecutive backslashes is odd, there will be no match, and the escaped quotation mark will stay intact.
An alternative would be to update the filter interface so that input is treated as representing the intention of the client (i.e., if the caller specifies a filter containing the string \", we assume the client wants the server to receive the two-character string \" in the filter). To achieve that effect, instead of using a regex, _sanitize_str could instead leverage the escaping in another module, like json:
value=json.dumps([value])[1:-1]
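The following is an added example, not code from the weaviate client: it models the bug class with an assumed lookbehind-only sanitizer (naive_sanitize, an assumption, not the project's exact regex), puts a regex in the spirit of the fix described above beside the json.dumps alternative, and checks each output with a small GraphQL-style string decoder to see whether the closing quote arrives early. The sample filter value is constructed.

```python
import json
import re

# Assumed lookbehind-only sanitizer (not the project's exact code): a quote
# is left alone whenever the character right before it is a backslash, so a
# quote preceded by an *even* run of backslashes is never escaped.
def naive_sanitize(value: str) -> str:
    return '"' + re.sub(r'(?<!\\)"', r'\\"', value) + '"'

# Regex in the spirit of the fix above: an even run of backslashes is passed
# through as group 1, then the escaping backslash is added. An odd run means
# the quote was already escaped, and the lookbehind leaves it intact.
def fixed_sanitize(value: str) -> str:
    return '"' + re.sub(r'(?<!\\)((?:\\\\)*)"', r'\1\\"', value) + '"'

# The json alternative: the value is taken literally (backslashes are data,
# not escapes), and JSON string escaping is a valid GraphQL string literal.
def json_sanitize(value: str) -> str:
    return json.dumps([value])[1:-1]

def read_string_literal(literal: str) -> tuple[str, str]:
    """Decode one GraphQL-style string token the way a server lexer would
    (\\uXXXX escapes not handled). Returns (decoded value, unconsumed tail);
    a non-empty tail means the closing quote came early and the remainder
    would be parsed as more query text, i.e. the value escaped the literal."""
    if not literal.startswith('"'):
        raise ValueError("expected a string literal")
    escapes = {'"': '"', '\\': '\\', '/': '/', 'n': '\n', 't': '\t'}
    out, i = [], 1
    while i < len(literal):
        c = literal[i]
        if c == '\\':
            if i + 1 >= len(literal):
                raise ValueError("dangling backslash")
            out.append(escapes.get(literal[i + 1], literal[i + 1]))
            i += 2
        elif c == '"':
            return ''.join(out), literal[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")

def is_injected(literal: str) -> bool:
    """True when part of the sanitized value ends up outside the literal."""
    return read_string_literal(literal)[1] != ""

# Constructed filter value: two backslashes before the quote, followed by
# text that only matters if the quote terminates the string early.
SAMPLE = r'alice\\" }) { injected'

if __name__ == "__main__":
    for fn in (naive_sanitize, fixed_sanitize, json_sanitize):
        lit = fn(SAMPLE)
        print(f"{fn.__name__:16} {lit!r:40} injected={is_injected(lit)}")
```

Note that the two safe variants disagree on what the server receives: fixed_sanitize keeps the client's `\\` as an escaped backslash, while json_sanitize delivers both backslashes verbatim, which is exactly the "client intention" semantic the alternative proposes.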