Fix: 29961: Do not propogate SQL query to API response

Signed-off-by: abinavsridhar-wk <abinav.sridhar@workiva.com>
abinavsridhar-wk
2025-05-19 13:09:56 +02:00
parent 33eacde752
commit 69fb975e21
2 changed files with 16 additions and 0 deletions
+5
@@ -0,0 +1,5 @@
---
'@backstage/plugin-search-backend': patch
---
Error messages should not contain backend SQL query strings in the API response, this change will ensure that messages are logged and empty response is returned to the user
@@ -201,6 +201,17 @@ export async function createRouter(
// re-throw and let the default error handler middleware captures it and serializes it with the right response code on the standard form
throw error;
}
if (query.term.indexOf('<') !== -1) {
// Search queries that contain '<' are likely to be a SQL injection attack, log the error and return an empty response
const message = (error as any)?.message || '';
if (
typeof message === 'string' &&
message.indexOf('syntax error in tsquery') !== -1
) {
logger.info('Search query skipped due to tsquery syntax error.');
return; // Do not throw an error and just skip the search
}
}
throw new Error(
`There was a problem performing the search query: ${error.message}`,