Skip to content

fix(api): refactors the SQL LIKE pattern escaping logic to use a centralized utility function, ensuring consistent and secure handling of special characters across all database queries.#12

Open
tomerqodo wants to merge 4 commits into
augment_full_base_fixapi_refactors_the_sql_like_pattern_escaping_logic_to_use_a_centralized__utility_function_ensuring_consistent_and_secure_handling_of_special_characters_across_all_database_queries_from
augment_full_head_fixapi_refactors_the_sql_like_pattern_escaping_logic_to_use_a_centralized__utility_function_ensuring_consistent_and_secure_handling_of_special_characters_across_all_database_queries_
Open

fix(api): refactors the SQL LIKE pattern escaping logic to use a centralized utility function, ensuring consistent and secure handling of special characters across all database queries.#12
tomerqodo wants to merge 4 commits into
augment_full_base_fixapi_refactors_the_sql_like_pattern_escaping_logic_to_use_a_centralized__utility_function_ensuring_consistent_and_secure_handling_of_special_characters_across_all_database_queries_from
augment_full_head_fixapi_refactors_the_sql_like_pattern_escaping_logic_to_use_a_centralized__utility_function_ensuring_consistent_and_secure_handling_of_special_characters_across_all_database_queries_

Conversation

@tomerqodo

Copy link
Copy Markdown

Benchmark PR from agentic-review-benchmarks#12

NeatGuyCoding and others added 4 commits January 25, 2026 12:05
…ralized

utility function, ensuring consistent and secure handling of special characters
across all database queries.

Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
…logic

Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
@augmentcode

augmentcode Bot commented Jan 26, 2026

Copy link
Copy Markdown
🤖 Augment PR Summary

Summary: Centralizes SQL LIKE/ILIKE wildcard escaping into a shared helper to make keyword search behavior consistent and safer across the API.



Changes:

  • Added escape_like_pattern() in api/libs/helper.py to escape \, %, and _ for LIKE patterns.
  • Updated multiple query paths (apps, tags, conversations, datasets, annotations, workflow logs) to use the helper and pass an explicit escape character to SQLAlchemy ilike/like.
  • Updated vector DB LIKE fallbacks (ClickZetta, IRIS) to use the new escaping approach.
  • Refactored some tests to import AppService lazily to avoid circular imports.
Tests: Added unit tests for the helper and new integration tests covering searches containing %, _, and \.

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode augmentcode Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review completed. 3 suggestions posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

SELECT TOP {top_k} id, text, meta
FROM {self.schema}.{self.table_name}
WHERE text LIKE ?
WHERE text LIKE ? ESCAPE '|'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

escape_like_pattern() escapes %/_ using backslashes, but this query uses ESCAPE '|', so \%/\_ won’t be treated as escaped literals and matching/injection-hardening may not work as intended. Consider aligning the ESCAPE character with the escaping strategy used to build query_pattern.

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎

case "not contains":
filters.append(json_field.notlike(f"%{value}%"))
escaped_value = escape_like_pattern(str(value))
filters.append(json_field.notlike(f"%{escaped_value}%"))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This not contains branch escapes the value but doesn’t pass an escape character to notlike, unlike the other LIKE branches here. On databases where backslash isn’t the default LIKE escape, this can change behavior for inputs containing %, _, or \.

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎

# Escape special characters in keyword to prevent SQL injection via LIKE wildcards
keyword_trimmed = keyword[:30]
escaped_keyword = escape_like_pattern(keyword_trimmed)
keyword_like_val = f"%{escaped_keyword}%"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This used to unicode-escape the keyword (to match JSON strings containing \uXXXX sequences from json.dumps); switching to only escape_like_pattern may regress searches for non-ASCII keywords in WorkflowRun.inputs/outputs. If those columns store escaped Unicode, the raw keyword may no longer match.

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants