From 75420fce2271ff11c1e0cb633769ac7d42213806 Mon Sep 17 00:00:00 2001
From: To-om
Date: Mon, 12 Apr 2021 10:06:27 +0200
Subject: [PATCH] #1946 Escape parameters in indexCountQuery
---
 ScalliGraph | 2 +-
 .../app/org/thp/thehive/controllers/v1/AlertCtrl.scala | 4 +++-
 .../org/thp/thehive/controllers/v1/CaseRenderer.scala | 2 +-
 .../thp/thehive/controllers/v1/ObservableCtrl.scala | 10 ++++++----
 .../org/thp/thehive/controllers/v1/TagRenderer.scala | 9 ++++++---
 .../app/org/thp/thehive/controllers/v1/TaskCtrl.scala | 2 +-
 thehive/app/org/thp/thehive/services/AlertSrv.scala | 7 ++++++-
 7 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/ScalliGraph b/ScalliGraph
index b168949a6b..ae7ceb013c 160000
--- a/ScalliGraph
+++ b/ScalliGraph
@@ -1 +1 @@
-Subproject commit b168949a6b3918306a206d554aa154023533ea14
+Subproject commit ae7ceb013c923295f3ac95f7e2514b8e19218355
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
index 268b515b7e..ecd6ed2077 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
@@ -77,7 +77,9 @@ class AlertCtrl @Inject() (
 "countRelatedAlert",
 (inCase, graph, authContext) =>
 graph.indexCountQuery(
- s"""v."_label":Alert AND v.organisationId:${organisationSrv.currentId(graph, authContext).value} AND v.caseId:${inCase.caseId.value}"""
+ s"""v."_label":Alert AND """ +
+ s"v.organisationId:${organisationSrv.currentId(graph, authContext).value} AND " +
+ s"v.caseId:${graph.escapeQueryParameter(inCase.caseId.value)}"
 )
 ),
 Query[Traversal.V[Alert], Traversal.V[Observable]]("observables", (alertSteps, _) => alertSteps.observables),
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
index 3b4325cccf..f248a3ede7 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
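Review bot: The organisation id on the second added line, `s"v.organisationId:${organisationSrv.currentId(graph, authContext).value} AND "`, is still interpolated raw while the case id on the next line goes through `graph.escapeQueryParameter`. That value is taken from the auth context rather than the request, so it is presumably an internal vertex id, but escaping every interpolated value uniformly removes the need to decide per call site which id is trusted; the same split appears in the CaseRenderer, ObservableCtrl, TagRenderer and TaskCtrl hunks of this commit. The consistent form would be `s"v.organisationId:${graph.escapeQueryParameter(organisationSrv.currentId(graph, authContext).value)} AND "`. The enclosing Query definition starts before and ends after the hunk.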
+++ b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
@@ -27,7 +27,7 @@ trait CaseRenderer extends BaseRenderer[Case] {
 .graph
 .indexCountQuery(
 s"""v."_label":Observable AND """ +
- s"v.relatedId:${caseId.value} AND " +
+ s"v.relatedId:${t.graph.escapeQueryParameter(caseId.value)} AND " +
 s"v.organisationIds:${organisationSrv.currentId(t.graph, authContext).value}"
 )
 )
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
index fb0d65a4c6..a74733e829 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
@@ -78,16 +78,18 @@ class ObservableCtrl @Inject() (
 "countCaseObservable",
 (inCase, graph, authContext) =>
 graph.indexCountQuery(
- s"""v."_label":Observable AND relatedId:${inCase.caseId.value} AND organisationIds:${organisationSrv.currentId(graph, authContext).value}"""
+ s"""v."_label":Observable AND """ +
+ s"relatedId:${graph.escapeQueryParameter(inCase.caseId.value)} AND " +
+ s"organisationIds:${organisationSrv.currentId(graph, authContext).value}"
 )
 ),
 Query.initWithParam[InAlert, Long](
 "countAlertObservable",
 (inAlert, graph, authContext) =>
 graph.indexCountQuery(
- s"""v."_label":Observable AND relatedId:${inAlert
- .alertId
- .value} AND organisationIds:${organisationSrv.currentId(graph, authContext).value}"""
+ s"""v."_label":Observable AND """ +
+ s"relatedId:${graph.escapeQueryParameter(inAlert.alertId.value)} AND " +
+ s"organisationIds:${organisationSrv.currentId(graph, authContext).value}"
 )
 ),
 Query[Traversal.V[Observable], Traversal.V[Organisation]](
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala
index 4809deacbd..c6f0d4f88c 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala
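Review bot: Both rewritten queries in the ObservableCtrl hunk keep the field names without the `v.` prefix (`relatedId:` and `organisationIds:`), whereas the equivalent lines in the CaseRenderer, TaskCtrl and AlertSrv hunks of this same commit write `v.relatedId:` and `v.organisationIds:`. The prefix-less form is carried over from the removed lines, so it is not a regression, but whether the index query language resolves `relatedId:` and `v.relatedId:` to the same field cannot be confirmed from here, and if it does not the counts would silently differ from the other controllers. Aligning the added lines to `s"v.relatedId:${graph.escapeQueryParameter(inCase.caseId.value)} AND "` and `s"v.organisationIds:${organisationSrv.currentId(graph, authContext).value}"` (and likewise in the alert variant) keeps the call sites uniform. Both Query definitions begin before the hunk.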
@@ -27,19 +27,22 @@ trait TagRenderer extends BaseRenderer[Tag] {
 "case" -> t
 .graph
 .indexCountQuery(
- s"""v."_label":Case AND v.tags:"${tag.replaceAllLiterally("\"", "\\\"")}" AND """ +
+ s"""v."_label":Case AND """ +
+ s"v.tags:${t.graph.escapeQueryParameter(tag)} AND " +
 s"v.organisationIds:${organisationSrv.currentId(t.graph, authContext).value}"
 ),
 "alert" -> t
 .graph
 .indexCountQuery(
- s"""v."_label":Alert AND v.tags:"${tag.replaceAllLiterally("\"", "\\\"")}" AND """ +
+ s"""v."_label":Alert AND """ +
+ s"v.tags:${t.graph.escapeQueryParameter(tag)} AND " +
 s"v.organisationId:${organisationSrv.currentId(t.graph, authContext).value}"
 ),
 "observable" -> t
 .graph
 .indexCountQuery(
- s"""v."_label":Observable AND v.tags:"${tag.replaceAllLiterally("\"", "\\\"")}" AND """ +
+ s"""v."_label":Observable AND """ +
+ s"v.tags:${t.graph.escapeQueryParameter(tag)} AND " +
 s"v.organisationIds:${organisationSrv.currentId(t.graph, authContext).value}"
 ),
 "caseTemplate" -> caseTemplateCount
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
index 7aeb37e41c..8acb8fcfb6 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
@@ -58,7 +58,7 @@ class TaskCtrl @Inject() (
 (inCase, graph, authContext) =>
 graph.indexCountQuery(
 s"""v."_label":Task AND """ +
- s"v.relatedId:${inCase.caseId.value} AND " +
+ s"v.relatedId:${graph.escapeQueryParameter(inCase.caseId.value)} AND " +
 s"v.organisationIds:${organisationSrv.currentId(graph, authContext).value} AND " +
 "NOT v.status:Cancel"
 )
diff --git a/thehive/app/org/thp/thehive/services/AlertSrv.scala b/thehive/app/org/thp/thehive/services/AlertSrv.scala
index 5eccade0b3..9783100087 100644
--- a/thehive/app/org/thp/thehive/services/AlertSrv.scala
+++ b/thehive/app/org/thp/thehive/services/AlertSrv.scala
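Review bot: The tag term loses its surrounding double quotes on each new `s"v.tags:${t.graph.escapeQueryParameter(tag)} AND "` line; the removed lines wrapped the tag in `"…"` and only escaped embedded quotes. Tags are free text, so a tag containing whitespace or a colon now depends entirely on `escapeQueryParameter` keeping the term intact, and that method's contract lives in the ScalliGraph submodule bumped by this commit, which is not visible here. Worth pinning with a test that a tag such as `a tag:with space` (constructed example) yields the same count before and after this change, or else quoting the escaped value explicitly, for all three tag queries in this hunk. The enclosing map literal starts before and ends after the hunk.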
@@ -555,7 +555,12 @@ object AlertOps {
 )
 .domainMap {
 case (alert, customFields, caseId, caseTemplate, renderedEntity) =>
- val observableCount = traversal.graph.indexCountQuery(s"""v."_label":Observable AND v.relatedId:${alert._id.value}""")
+ val observableCount = traversal
+ .graph
+ .indexCountQuery(
+ s"""v."_label":Observable AND """ +
+ s"v.relatedId:${traversal.graph.escapeQueryParameter(alert._id.value)}"
+ )
 RichAlert(
 alert,
 customFields,