Typing spaces, quotes, or other special characters into the Linked Items search box produces an invalid query; potential query injection? #1808

@coderbot16

Description

Typing something like Test File into the "Linked items" query box produced an Invalid Query error. When I looked into the issue, it seems like the input is getting directly substituted into a database query without any escaping. This means that typing * id: into the Linked Items search will actually cause the following query to be dispatched:

(& !id~=3kQwbmamtfd-bfSVXMUZZyp-KwcFu218jcJ-vnvqk4maXnS (| id:* id: * names:"* id: *" ) )

This seems like a categorical error - I assume that ideally this kind of thing should never be possible and that there should always be a safe abstraction for "prepared queries" where an SQL-injection type issue isn't possible at all.

That being said, I'm assuming that this doesn't actually lead to any security issues (otherwise there would be issues with allowing this REST API at all), but in this case it just leads to a degraded UX.
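As an added illustration (this is not code from the project or from the issue author), the sketch below reproduces the interpolation the report describes and sets it beside a builder that assembles the same query from structured nodes, so the search term can only ever be rendered as data. The grammar details are assumptions, since the page shows the query but not the language's rules: that a double-quoted literal escapes backslash and double quote with a backslash, that a bare value after `:` or `~=` may contain only letters, digits, `_` and `-`, and that `*` is the wildcard. Field names, operators and the identifier come from the query shown in the issue.

```python
import re
from dataclasses import dataclass
from typing import List, Union

LINKED_ID = "3kQwbmamtfd-bfSVXMUZZyp-KwcFu218jcJ-vnvqk4maXnS"  # identifier quoted in the issue
_BARE = re.compile(r"^[A-Za-z0-9_-]+$")  # assumed: what may appear unquoted after ':' or '~='


def build_query_unsafe(term: str, exclude_id: str = LINKED_ID) -> str:
    """The interpolation the issue describes: the user's term is pasted into the
    query string, so any space, quote or operator in it is parsed as query syntax."""
    return f'(& !id~={exclude_id} (| id:{term}* names:"{term}*" ) )'


def quote_literal(value: str) -> str:
    """Render value as a string literal under the assumed escaping rule
    (backslash-escape backslashes and double quotes)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


@dataclass
class Match:
    """field:value (or field~=value). The value is data: it is emitted bare only
    when it is a plain token, otherwise as an escaped literal, so it can never
    contribute operators or parentheses."""
    fld: str
    value: str
    prefix: bool = False  # append the wildcard after the (escaped) value
    fuzzy: bool = False   # use ~= instead of :

    def render(self) -> str:
        op = "~=" if self.fuzzy else ":"
        body = self.value + ("*" if self.prefix else "")
        if not _BARE.match(self.value):
            body = quote_literal(body)
        return f"{self.fld}{op}{body}"


@dataclass
class Not:
    inner: "Node"

    def render(self) -> str:
        return "!" + self.inner.render()


@dataclass
class Group:
    """(& a b ) or (| a b ), rendered with the spacing seen in the issue."""
    op: str                  # "&" or "|"
    children: List["Node"]

    def render(self) -> str:
        return f"({self.op} " + " ".join(c.render() for c in self.children) + " )"


Node = Union[Match, Not, Group]


def linked_items_query(term: str, exclude_id: str = LINKED_ID) -> str:
    """Same query shape as the issue's, built from nodes instead of string formatting.
    The ~= exclusion of the current item's id is reproduced as shown on the page."""
    if not _BARE.match(exclude_id):
        raise ValueError("exclude_id must be a plain identifier")
    tree = Group("&", [
        Not(Match("id", exclude_id, fuzzy=True)),
        Group("|", [Match("id", term, prefix=True),
                    Match("names", term, prefix=True)]),
    ])
    return tree.render()


if __name__ == "__main__":
    # Constructed sample inputs: the two from the issue plus one that closes the quote.
    for term in ("Test File", "* id: ", 'x") (| names:"*'):
        print("unsafe:", build_query_unsafe(term))
        print("safe:  ", linked_items_query(term))
```

With the term `* id: `, `build_query_unsafe` produces exactly the dispatched query quoted in the report, while `linked_items_query` quotes it as `id:"* id: *" names:"* id: *"`. The remaining caveat is the wildcard: under the assumed grammar a `*` typed by the user still acts as a wildcard inside the literal; if the real language has an escape for it, `Match.render` is the single place to apply it.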

Metadata

    Labels

    bug (Something isn't working or in unexpected ways), webui (WebUI issues)
