Backend Crash with URL-Encoded '?' in Search Query on regions/search Endpoint #160

Closed
OhmSpectator opened this issue Dec 20, 2023 · 0 comments · Fixed by #178
Labels: back (Issues related to the backend), bug (Something isn't working)

Comments

@OhmSpectator

Description

The backend crashes when using the character '?' as a search query parameter in the /api/regions/search API endpoint. The issue is triggered by passing %3F (URL-encoded representation of '?') as the value for the query parameter. This leads to a failure in the SQL query execution, causing a SequelizeDatabaseError due to an invalid regular expression.

Steps to Reproduce

  1. Make an API call to /api/regions/search with the query parameter set to %3F (e.g., /api/regions/search?query=%3F).
  2. Observe the backend crash.
  3. The error log indicates a "SequelizeDatabaseError: invalid regular expression: quantifier operand invalid".

Expected Behavior

The API should correctly handle URL-encoded special characters in search queries, including '?'. It should either process the character as part of the search criteria or manage it gracefully to avoid crashing.

Actual Behavior

On receiving the URL-encoded '?' character as a search parameter, the backend crashes. The error message "invalid regular expression: quantifier operand invalid" suggests a failure in processing the special character within the SQL query.

Commit Version

The issue is identified in commit 1ad6540.

Environment

  • Operating System: Not specified (likely cross-platform)
  • Browser: any

Additional Context

  • The error is likely rooted in how the URL-encoded query parameter is decoded and used in the SQL query within regionController.js.
  • This situation indicates a potential vulnerability in handling URL-encoded input, which could be a broader security concern.

Possible Solution

  • Implement proper handling and sanitization of URL-encoded characters in query parameters.
  • Review and modify the SQL query construction in the regionController.js to avoid regular expression errors with special characters.
@OhmSpectator OhmSpectator added bug Something isn't working back Issues related to the backend labels Dec 20, 2023
@OhmSpectator OhmSpectator self-assigned this Dec 22, 2023
OhmSpectator added a commit that referenced this issue Dec 22, 2023
Added lodash to the project dependencies and utilized its escapeRegExp function
to escape special characters in the search query. This update is to ensure that
when special characters are included in search terms, they are treated as
literal characters in the regex used in the searchRegions function. These
changes aim to prevent errors and crashes in the backend when users input
special characters like '?' in the search field.

Issue: #160

Signed-off-by: Nikolay Martyanov <ohmspectator@gmail.com>
@OhmSpectator OhmSpectator linked a pull request Dec 22, 2023 that will close this issue
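
The failure and the fix described in this issue, as an added example that is not code from the project. It assumes JavaScript's `RegExp` as a stand-in for the database regex engine and a handler that receives the raw percent-encoded parameter; `escapeRegExp` here is a local helper covering the same characters as lodash's function, and every other name and the region list are hypothetical.

```javascript
// Constructed sample data standing in for the regions table.
const REGIONS = ['Paris', 'Where? (demo)', 'St. Louis', 'Stockholm'];

// Local helper escaping the same characters as lodash's escapeRegExp:
// ^ $ \ . * + ? ( ) [ ] { } |
function escapeRegExp(text) {
  return text.replace(/[\\^$.*+?()[\]{}|]/g, '\\$&');
}

// "Before": the decoded query is used directly as a regex pattern.
function searchUnescaped(rawParam) {
  const query = decodeURIComponent(rawParam);
  const pattern = new RegExp(query, 'i'); // throws SyntaxError for "?"
  return REGIONS.filter((name) => pattern.test(name));
}

// "After": metacharacters are escaped, and bad input yields a 400
// instead of an unhandled exception.
function searchEscaped(rawParam) {
  let query;
  try {
    query = decodeURIComponent(rawParam);
  } catch (err) {
    return { status: 400, results: [] }; // malformed percent-encoding, e.g. "%"
  }
  const pattern = new RegExp(escapeRegExp(query), 'i');
  return { status: 200, results: REGIONS.filter((name) => pattern.test(name)) };
}

// Reports whether the unescaped path fails on a given parameter.
function unescapedThrows(rawParam) {
  try {
    searchUnescaped(rawParam);
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

console.log(unescapedThrows('%3F'));       // a lone quantifier is not a valid pattern
console.log(searchEscaped('%3F').results); // "?" matched as a literal character
console.log(searchUnescaped('St.'));       // "." acts as a wildcard
console.log(searchEscaped('St.').results); // "." matched literally
```

The `St.` case shows that metacharacters which do not crash the query still change what it matches, so escaping matters for correctness as well as availability.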