Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/api
Describe the bug
The implementation of SearchQueryUtils.getFields(searchQuery) changed in 5d6c91f to mitigate a Denial of Service issue. But the new implementation changed the behavior, which leads to unexpected results.
For example, a string containing a "\" (without the quotes) just has the backslash removed. Even escaping the string does not help.
It can be argued whether a backslash should be part of a group (for example) or not, but at the moment it is allowed.
How should the query be escaped to make it work?
Version
26.1.0
Regression
- The issue is a regression
Expected behavior
It is possible to define a search term including backslashes.
Actual behavior
The current implementation filters out the backslashes. They are not part of the query any more.
How to Reproduce?
Add
testParseQuery("k:va\\\\l1", "k", "va\\l1");
to https://github.com/keycloak/keycloak/blob/main/services/src/test/java/org/keycloak/utils/SearchQueryUtilsTest.java
I would expect that the escaped backslash remains in the parsed string of the value. But it is completely removed.
java.lang.AssertionError:
Expected :{k=va\l1}
Actual :{k=val1}
Anything else?
Thanks for this great project. Please get back to me in case you need further information or can advise if I can help finding a solution here.
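
Added example, not part of the original report and not Keycloak's code: a single-pass parser without regular expressions, showing that escape handling can keep an escaped backslash while each input character is still visited only once. The grammar (space-separated key:value pairs, optional double quotes, backslash makes the next character literal) and the names `EscapeAwareQueryParser`, `parse` and `readToken` are assumptions for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added example, not Keycloak code. Assumed grammar: space-separated key:value
// pairs, optional double quotes around a key or value, and a backslash that
// makes the next character literal (so an escaped backslash yields one backslash).
public class EscapeAwareQueryParser {
    public static Map<String, String> parse(String query) {
        Map<String, String> fields = new LinkedHashMap<>();
        int[] pos = {0};
        while (pos[0] < query.length()) {
            if (query.charAt(pos[0]) == ' ') { pos[0]++; continue; }
            String key = readToken(query, pos, ':');
            if (pos[0] >= query.length() || query.charAt(pos[0]) != ':') {
                continue; // token without a value: skip it
            }
            pos[0]++; // consume ':'
            String value = readToken(query, pos, ' ');
            if (!key.isEmpty()) fields.put(key, value);
        }
        return fields;
    }

    // Reads one token in a single forward pass; each character is visited once,
    // so the cost is linear in the input length and nothing is re-scanned.
    private static String readToken(String s, int[] pos, char stop) {
        StringBuilder out = new StringBuilder();
        boolean quoted = pos[0] < s.length() && s.charAt(pos[0]) == '"';
        if (quoted) pos[0]++;
        while (pos[0] < s.length()) {
            char c = s.charAt(pos[0]);
            if (c == '\\' && pos[0] + 1 < s.length()) {
                out.append(s.charAt(pos[0] + 1)); // keep the escaped char, drop only the escape
                pos[0] += 2;
                continue;
            }
            if (quoted && c == '"') { pos[0]++; break; }
            if (!quoted && (c == stop || c == ' ')) break;
            out.append(c);
            pos[0]++;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the query string from the report above.
        System.out.println(parse("k:va\\\\l1"));
        System.out.println(parse("\"a b\":\"c \\\"d\\\"\" x:y"));
    }
}
```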