fix(api): refactors the SQL LIKE pattern escaping logic to use a centralized utility function, ensuring consistent and secure handling of special characters across all database queries.#12
Conversation
…ralized utility function, ensuring consistent and secure handling of special characters across all database queries. Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
…logic Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| case "not contains": | ||
| filters.append(json_field.notlike(f"%{value}%")) | ||
| escaped_value = escape_like_pattern(str(value)) | ||
| filters.append(json_field.notlike(f"%{escaped_value}%")) |
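Review bot: the new notlike() call on the last line of this hunk escapes the value but still passes no escape= argument, so the backslashes that escape_like_pattern() inserts reach the database as ordinary characters and a value containing % or _ will not match literally; make it `filters.append(json_field.notlike(f"%{escaped_value}%", escape="\\"))` so this branch behaves like the other LIKE-based conditions that already pass the parameter.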
Missing escape parameter in "not contains" LIKE clause
High Severity
The "not contains" case calls escape_like_pattern() to escape special characters but doesn't specify escape="\\" in the notlike() method. All other LIKE-based conditions ("contains", "start with", "end with") correctly include this parameter. Without specifying the escape character, the database won't know that backslash is the escape character, so escaped patterns like \% will be treated literally rather than as escaped wildcards.
| SELECT TOP {top_k} id, text, meta | ||
| FROM {self.schema}.{self.table_name} | ||
| WHERE text LIKE ? | ||
| WHERE text LIKE ? ESCAPE '|' |
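Review bot: the ESCAPE '|' added on the last line of this hunk does not agree with the backslash that escape_like_pattern() emits, so a bound pattern such as `%100\%%` keeps `%` as a wildcard and searches for a literal `\` instead; either change the clause to use the backslash (e.g. `ESCAPE '\'`, provided the IRIS driver treats a backslash in a string literal as a plain character) or let the helper take the escape character as a parameter and pass `|` to it, so the two can never drift apart. Keeping the value bound through `?` rather than interpolated is the right shape; only the escape character needs to change.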
Mismatched escape character in IRIS vector LIKE query
High Severity
The escape_like_pattern() function escapes special characters using backslash (\), but the SQL query specifies ESCAPE '|'. This mismatch means the escaping doesn't work - the database expects |% for a literal percent but receives \% instead, which will be interpreted as a literal backslash followed by a wildcard.
Benchmark PR from agentic-review-benchmarks#12
Note
Improves safety and consistency of text search by standardizing SQL LIKE escaping.
Adds libs.helper.escape_like_pattern and uses it across conversation, datasets_segments, services (apps, annotations, datasets, tags, workflow logs), and dataset retrieval metadata filters.
ESCAPE clauses for %, _, and \, preventing wildcard-based injections.
Risk/Impact: … ESCAPE syntax.
Written by Cursor Bugbot for commit fe99d63.
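As an added illustration (not code from the PR or its repository), the Python below reproduces the escaping helper described in the note against an in-memory SQLite table and shows both findings above: the escaped pattern only works when the ESCAPE character bound to the query is the same one the helper emits. The escape_like_pattern stand-in, its signature, the table and the rows are assumptions made for this example.

```python
import sqlite3

# Assumed stand-in for the PR's libs.helper.escape_like_pattern; the real
# signature is not visible on this page. Backslash is escaped first so that
# the escapes added for % and _ are not themselves doubled afterwards.
def escape_like_pattern(value: str, escape_char: str = "\\") -> str:
    return (
        value.replace(escape_char, escape_char * 2)
        .replace("%", escape_char + "%")
        .replace("_", escape_char + "_")
    )

# Constructed sample rows: only the first holds a literal "100%" substring,
# and "plainXtext" exists to show how an unescaped "_" wildcard over-matches.
ROWS = ["discount 100% off", "discount 1000 off", "plain_text", "plainXtext"]


def contains_matches(needle: str, escape_char, escape_value: bool = True) -> list:
    """Run a parameterised 'contains' LIKE query over ROWS and return the hits.

    escape_char=None reproduces the 'not contains' finding: the pattern is
    escaped but no ESCAPE clause is sent, so the database sees a literal '\\'.
    A mismatched escape_char (e.g. '|') reproduces the IRIS finding.
    escape_value=False sends the raw value, i.e. the pre-fix wildcard injection.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (text TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [(r,) for r in ROWS])
    value = escape_like_pattern(needle) if escape_value else needle
    sql = "SELECT text FROM t WHERE text LIKE ?"
    params = [f"%{value}%"]
    if escape_char is not None:
        sql += " ESCAPE ?"  # escape character is bound, never interpolated
        params.append(escape_char)
    hits = [row[0] for row in conn.execute(sql, params)]
    conn.close()
    return hits


if __name__ == "__main__":
    print(contains_matches("100%", "\\"))   # ['discount 100% off'] (escape agrees)
    print(contains_matches("100%", None))   # [] (no ESCAPE clause sent)
    print(contains_matches("100%", "|"))    # [] (ESCAPE '|' vs backslash helper)
    print(contains_matches("plain_text", "\\", escape_value=False))  # ['plain_text', 'plainXtext']
```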