Escape special characters in search by recipient

SQLAlchemy handles escaping anything that could allow a SQL injection
attack. But it doesn’t escape the characters used for wildcard
searching. This is the reason we’re able to do `.like('%example%')`
at all.

But we shouldn’t be letting our users search with wildcard characters,
so we need to escape them. Which is what this commit does.
Chris Hill-Scott
2018-03-14 10:34:45 +00:00
parent 2219dbf80b
commit bdd77f9150
2 changed files with 45 additions and 0 deletions
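The escaping the commit message describes, as an added example that is not part of this commit or the project: it escapes the LIKE metacharacters (including the backslash, which is handled first because it is the escape character itself), declares the escape character explicitly on the query, and shows on a constructed in-memory SQLite table (assumed stand-in for the notifications table) how an unescaped search term matches more rows than intended.

```python
import sqlite3

# Characters that carry meaning inside a SQL LIKE pattern. The escape
# character is listed first: escaping it before '%' and '_' means a
# user-supplied backslash cannot cancel the escape we add afterwards.
LIKE_ESCAPE_CHAR = "\\"
LIKE_SPECIAL_CHARS = (LIKE_ESCAPE_CHAR, "%", "_")


def escape_like(term: str) -> str:
    """Return `term` with LIKE metacharacters escaped so they match literally."""
    for ch in LIKE_SPECIAL_CHARS:
        term = term.replace(ch, LIKE_ESCAPE_CHAR + ch)
    return term


def search_recipients(recipients, search_term, escape=True):
    """Substring search over `recipients` with SQL LIKE.

    Constructed stand-in for the real query: an in-memory SQLite table with
    one column. With escape=True the term is escaped and the pattern names
    its escape character explicitly (standard SQL defines no default).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notifications (normalised_to TEXT)")
    conn.executemany("INSERT INTO notifications VALUES (?)",
                     [(r,) for r in recipients])
    if escape:
        pattern = "%{}%".format(escape_like(search_term))
        sql = ("SELECT normalised_to FROM notifications "
               "WHERE normalised_to LIKE ? ESCAPE ?")
        rows = conn.execute(sql, (pattern, LIKE_ESCAPE_CHAR)).fetchall()
    else:
        pattern = "%{}%".format(search_term)  # wildcards in the term stay live
        sql = "SELECT normalised_to FROM notifications WHERE normalised_to LIKE ?"
        rows = conn.execute(sql, (pattern,)).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)


# Constructed sample recipients; '_' and '%' appear literally in two of them.
SAMPLE_RECIPIENTS = ["alice@example.com", "a_b@example.com", "axb@example.com",
                     "100%@example.com", "1000@example.com"]

if __name__ == "__main__":
    print(search_recipients(SAMPLE_RECIPIENTS, "a_b", escape=False))  # '_' matches 'x' too
    print(search_recipients(SAMPLE_RECIPIENTS, "a_b"))                # literal match only
```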


@@ -455,6 +455,12 @@ def dao_get_notifications_by_to_field(service_id, search_term, notification_type
else:
raise InvalidRequest("Only email and SMS can use search by recipient", 400)
for special_character in {'_', '%', '/'}:
normalised = normalised.replace(
special_character,
'\\{}'.format(special_character)
)
filters = [
Notification.service_id == service_id,
Notification.normalised_to.like("%{}%".format(normalised)),
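Review bot: the escape set in `for special_character in {'_', '%', '/'}` omits the escape character itself and includes `/`, which is not a LIKE metacharacter. Because `'\\{}'.format(special_character)` inserts a backslash, a user-supplied backslash immediately before `%` or `_` would turn the added escape into a literal backslash followed by a live wildcard; escape `'\\'` first (replacing the `'/'` entry, which looks like a typo for it) so the later replacements cannot be cancelled. The `Notification.normalised_to.like("%{}%".format(normalised))` call also relies on the database treating backslash as the escape character by default; passing `escape='\\'` to `like()` states that explicitly and keeps the behaviour consistent across backends.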