Can java dsl `Expression.s()` be considered as safe for passing user inputs?

Hi,

I’m writing a simple search endpoint that relies on N1QL pattern matching features.

As I didn’t find the REGEXP_LIKE instruction in the DSL (did I miss it?), I had to go with an Expression.x, which I assume to be unsafe.

What I did is wrap user inputs in an Expression.s in order to protect from injections.

Can I be confident enough with this approach, or should I be concerned?

Example

// Builds the REGEXP_LIKE predicate by concatenating the user's search term,
// wrapped in Expression.s (single quotes), into a raw Expression.x string.
private static Expression userLastNameMatches(RegexpSearchQueryTerm term) {
    return Expression.x(
        "REGEXP_LIKE(" +
            "lastname, " +
            Expression.s(term.toString()) +
        ")"
    );
}

Hi Anton,

You are right to be concerned; Expression.s does not protect from injection.

The safe way would be to use a parameterized query with the user input as a parameter.

Thanks,
David
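The parameterized form David recommends, written out as an added example (this is not code from the original post or from the Couchbase SDK; it targets the Java SDK 2.x N1QL API the question uses). The bucket name "users", the class and method names, and the `$pattern` placeholder name are assumptions for the example; the `lastname` field and REGEXP_LIKE come from the question. The user's text is sent as a named parameter value and never spliced into the statement text, so quote characters in it cannot change the query.

```java
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.document.json.JsonObject;
import com.couchbase.client.java.query.N1qlQuery;
import com.couchbase.client.java.query.N1qlQueryResult;
import com.couchbase.client.java.query.N1qlQueryRow;
import com.couchbase.client.java.query.Select;
import com.couchbase.client.java.query.Statement;
import com.couchbase.client.java.query.dsl.Expression;

public class LastNameSearch {

    // Bucket name is an assumption for this example.
    private static final Expression BUCKET = Expression.i("users");

    // The statement contains only a placeholder for the user's pattern;
    // no user-controlled text is concatenated into it.
    static Statement userLastNameMatches() {
        return Select.select("lastname")
                .from(BUCKET)
                .where(Expression.x("REGEXP_LIKE(lastname, $pattern)"));
    }

    // The raw user input becomes a parameter value. The server receives it as
    // data, so an input such as  x' OR 1=1 OR '  is just a (failing) regex,
    // not part of the statement.
    static N1qlQuery query(String userPattern) {
        JsonObject params = JsonObject.create().put("pattern", userPattern);
        return N1qlQuery.parameterized(userLastNameMatches(), params);
    }

    // Runs the query against an open bucket and prints the matching last names.
    static void run(Bucket bucket, String userPattern) {
        N1qlQueryResult result = bucket.query(query(userPattern));
        if (!result.finalSuccess()) {
            throw new IllegalStateException("query failed: " + result.errors());
        }
        for (N1qlQueryRow row : result) {
            System.out.println(row.value().getString("lastname"));
        }
    }
}
```

Calling `query("^Smi.*")` yields a statement whose text is fixed at compile time (`SELECT lastname FROM `users` WHERE REGEXP_LIKE(lastname, $pattern)`) plus a separate parameter object `{"pattern":"^Smi.*"}`; the same holds for any hostile input, which is the property the string-concatenation version in the question cannot give.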

Alright, fixed, thanks David!