#1946 Escape parameters in indexCountQuery

TheHive-Project · Apr 12, 2021 · 75420fc · 75420fc
1 parent d4cae87
commit 75420fc
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 12 deletions.
diff --git a/ScalliGraph b/ScalliGraph
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
@@ -77,7 +77,9 @@ class AlertCtrl @Inject() (
       "countRelatedAlert",
       (inCase, graph, authContext) =>
         graph.indexCountQuery(
-          s"""v."_label":Alert AND v.organisationId:${organisationSrv.currentId(graph, authContext).value} AND v.caseId:${inCase.caseId.value}"""
+          s"""v."_label":Alert AND """ +
+            s"v.organisationId:${organisationSrv.currentId(graph, authContext).value} AND " +
+            s"v.caseId:${graph.escapeQueryParameter(inCase.caseId.value)}"
         )
     ),
     Query[Traversal.V[Alert], Traversal.V[Observable]]("observables", (alertSteps, _) => alertSteps.observables),

diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
@@ -27,7 +27,7 @@ trait CaseRenderer extends BaseRenderer[Case] {
             .graph
             .indexCountQuery(
               s"""v."_label":Observable AND """ +
-                s"v.relatedId:${caseId.value} AND " +
+                s"v.relatedId:${t.graph.escapeQueryParameter(caseId.value)} AND " +
                 s"v.organisationIds:${organisationSrv.currentId(t.graph, authContext).value}"
             )
         )

diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
@@ -78,16 +78,18 @@ class ObservableCtrl @Inject() (
       "countCaseObservable",
       (inCase, graph, authContext) =>
         graph.indexCountQuery(
-          s"""v."_label":Observable AND relatedId:${inCase.caseId.value} AND organisationIds:${organisationSrv.currentId(graph, authContext).value}"""
+          s"""v."_label":Observable AND """ +
+            s"relatedId:${graph.escapeQueryParameter(inCase.caseId.value)} AND " +
+            s"organisationIds:${organisationSrv.currentId(graph, authContext).value}"
         )
     ),
     Query.initWithParam[InAlert, Long](
       "countAlertObservable",
       (inAlert, graph, authContext) =>
         graph.indexCountQuery(
-          s"""v."_label":Observable AND relatedId:${inAlert
-            .alertId
-            .value} AND organisationIds:${organisationSrv.currentId(graph, authContext).value}"""
+          s"""v."_label":Observable AND """ +
+            s"relatedId:${graph.escapeQueryParameter(inAlert.alertId.value)} AND " +
+            s"organisationIds:${organisationSrv.currentId(graph, authContext).value}"
         )
     ),
     Query[Traversal.V[Observable], Traversal.V[Organisation]](

diff --git a/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala
@@ -27,19 +27,22 @@ trait TagRenderer extends BaseRenderer[Tag] {
             "case" -> t
               .graph
               .indexCountQuery(
-                s"""v."_label":Case AND v.tags:"${tag.replaceAllLiterally("\"", "\\\"")}" AND """ +
+                s"""v."_label":Case AND """ +
+                  s"v.tags:${t.graph.escapeQueryParameter(tag)} AND " +
                   s"v.organisationIds:${organisationSrv.currentId(t.graph, authContext).value}"
               ),
             "alert" -> t
               .graph
               .indexCountQuery(
-                s"""v."_label":Alert AND v.tags:"${tag.replaceAllLiterally("\"", "\\\"")}" AND """ +
+                s"""v."_label":Alert AND """ +
+                  s"v.tags:${t.graph.escapeQueryParameter(tag)} AND " +
                   s"v.organisationId:${organisationSrv.currentId(t.graph, authContext).value}"
               ),
             "observable" -> t
               .graph
               .indexCountQuery(
-                s"""v."_label":Observable AND v.tags:"${tag.replaceAllLiterally("\"", "\\\"")}" AND """ +
+                s"""v."_label":Observable AND """ +
+                  s"v.tags:${t.graph.escapeQueryParameter(tag)} AND " +
                   s"v.organisationIds:${organisationSrv.currentId(t.graph, authContext).value}"
               ),
             "caseTemplate" -> caseTemplateCount

diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
@@ -58,7 +58,7 @@ class TaskCtrl @Inject() (
       (inCase, graph, authContext) =>
         graph.indexCountQuery(
           s"""v."_label":Task AND """ +
-            s"v.relatedId:${inCase.caseId.value} AND " +
+            s"v.relatedId:${graph.escapeQueryParameter(inCase.caseId.value)} AND " +
             s"v.organisationIds:${organisationSrv.currentId(graph, authContext).value} AND " +
             "NOT v.status:Cancel"
         )

diff --git a/thehive/app/org/thp/thehive/services/AlertSrv.scala b/thehive/app/org/thp/thehive/services/AlertSrv.scala
@@ -555,7 +555,12 @@ object AlertOps {
         )
         .domainMap {
           case (alert, customFields, caseId, caseTemplate, renderedEntity) =>
-            val observableCount = traversal.graph.indexCountQuery(s"""v."_label":Observable AND v.relatedId:${alert._id.value}""")
+            val observableCount = traversal
+              .graph
+              .indexCountQuery(
+                s"""v."_label":Observable AND """ +
+                  s"v.relatedId:${traversal.graph.escapeQueryParameter(alert._id.value)}"
+              )
             RichAlert(
               alert,
               customFields,