
fix(search): escape FTS5 phrase tokens in buildFtsQuery#373

Open
AbelTomato wants to merge 1 commit into
TencentCloud:mainfrom
AbelTomato:fix/160-sanitize-fts5-operators

Conversation

@AbelTomato


Description

Fixes FTS5 MATCH query construction in buildFtsQuery() by escaping user-provided tokens as quoted FTS5 phrases.

Previously, embedded double quotes were removed from tokens before building the OR-joined FTS5 query. This could silently alter user input and did not explicitly protect the FTS5 query expression boundary. Although SQL parameters are used, the value passed to MATCH ? is still parsed by SQLite FTS5 as a query expression, so user input must not be able to change FTS5 query semantics.

This PR adds quoteFts5Phrase() and escapes embedded double quotes by doubling them. buildFtsQuery() now emits only application-controlled OR operators between quoted phrase terms, while user-provided FTS5 operators such as AND, OR, NOT, NEAR, *, and parentheses are treated as text after tokenization.

Related Issue

Fixes #160

Change Type

  • Bug fix
  • New feature
  • Documentation update
  • Code optimization

Self-test Checklist

  • Verified locally
  • No existing features affected

Additional Notes

Added unit tests for FTS5 phrase quoting and buildFtsQuery() behavior, covering normal token queries, punctuation-only input, boolean operator tokens, and embedded double quote escaping.

Tested with:

npm test -- src/core/store/sqlite.test.ts
npm test
npm run build
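The quoting scheme the PR describes, written out as an added example; this is not the PR's diff or the project's code. quoteFts5Phrase() doubles any embedded double quote and wraps the token in quotes, buildFtsQuery() joins the quoted tokens with application-controlled OR, and isOnlyQuotedPhrases() is the structural check a unit test can run to confirm that no user-supplied operator survives outside a phrase. Whitespace tokenization, the punctuation-only filter, the null return for empty input and the reuse of the PR's function names are all assumptions made for the example.

```typescript
// Added example, not the project's code. Builds the value bound to
// `... WHERE docs MATCH ?` so that SQLite FTS5 sees only quoted phrases
// and OR operators that the application itself emitted.
// Assumptions: tokens are split on whitespace; tokens made only of ASCII
// punctuation are dropped (the default FTS5 tokenizer would index no terms
// for them); an input with no usable token yields null so the caller can
// skip the MATCH clause instead of sending an empty expression.

/** Wrap one token as an FTS5 phrase. Inside a double-quoted FTS5 string an
 *  embedded double quote is escaped by doubling it, so "a""b" means a"b. */
function quoteFts5Phrase(token: string): string {
  return `"${token.replace(/"/g, '""')}"`;
}

/** Assumed approximation of "no indexable term": only ASCII punctuation. */
const ASCII_PUNCT_ONLY = /^[!-\/:-@\[-`{-~]+$/;

/** Tokenize untrusted input and emit `"t1" OR "t2" OR ...`.
 *  User-typed AND / OR / NOT / NEAR / * / parentheses stay inside a phrase
 *  and are therefore matched as text, never parsed as FTS5 syntax. */
function buildFtsQuery(input: string): string | null {
  const tokens = input
    .trim()
    .split(/\s+/)
    .filter((t) => t.length > 0 && !ASCII_PUNCT_ONLY.test(t));
  if (tokens.length === 0) return null;
  return tokens.map(quoteFts5Phrase).join(" OR ");
}

/** Test-side invariant: the whole expression is quoted phrases (with doubled
 *  quotes allowed inside) separated by exactly " OR ". Anything else means
 *  user input escaped the phrase boundary. */
function isOnlyQuotedPhrases(query: string): boolean {
  return /^"(?:[^"]|"")*"(?: OR "(?:[^"]|"")*")*$/.test(query);
}
```

Usage: bind the return value of buildFtsQuery() as the single parameter of the MATCH clause; do not interpolate it into the SQL string. The only operator in the result is the OR the code itself inserts, so a query such as `a" OR b` becomes `"a""" OR "OR" OR "b"` and searches for the literal token a" rather than changing the boolean structure.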

@Maxwell-Code07

Collaborator

Thank you for submitting this PR and participating in Tencent Rhino-bird Open-source Training Program!
We have successfully received your submission. The program is currently in full swing, and we will complete the Code Review for you as soon as possible. Please keep an eye on the status notifications for this PR so you can follow up promptly once the review feedback is provided.
Thanks again for your contribution and open-source spirit! 🚀



Development

Successfully merging this pull request may close these issues.

fix(search): buildFtsQuery does not sanitize FTS5 operators — user input alters query semantics
