From 3b04d2f8f58d2ab494ff2ef8b9d468092db4ea2a Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Wed, 16 Dec 2020 14:19:20 +0800
Subject: [PATCH] Escape the values to `contains` operator in dao packages (#13774)

fixes #13018

Signed-off-by: Daniel Jiang
---
 src/common/dao/label.go | 2 +-
 src/lib/orm/query.go | 2 +-
 src/pkg/scan/dao/scanner/registration.go | 3 +++
 src/replication/dao/policy.go | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/common/dao/label.go b/src/common/dao/label.go
index 6bc71f683..a3bfd18a4 100644
--- a/src/common/dao/label.go
+++ b/src/common/dao/label.go
@@ -71,7 +71,7 @@ func getLabelQuerySetter(query *models.LabelQuery) orm.QuerySeter {
 qs := GetOrmer().QueryTable(&models.Label{})
 if len(query.Name) > 0 {
 if query.FuzzyMatchName {
- qs = qs.Filter("Name__icontains", query.Name)
+ qs = qs.Filter("Name__icontains", Escape(query.Name))
 } else {
 qs = qs.Filter("Name", query.Name)
 }
diff --git a/src/lib/orm/query.go b/src/lib/orm/query.go
index e7ab62534..cfb706c37 100644
--- a/src/lib/orm/query.go
+++ b/src/lib/orm/query.go
@@ -143,7 +143,7 @@ func snakeCase(str string) string {
 func queryByColumn(qs orm.QuerySeter, key string, value interface{}) orm.QuerySeter {
 // fuzzy match
 if f, ok := value.(*q.FuzzyMatchValue); ok {
- return qs.Filter(key+"__icontains", f.Value)
+ return qs.Filter(key+"__icontains", Escape(f.Value))
 }
 
 // range
diff --git a/src/pkg/scan/dao/scanner/registration.go b/src/pkg/scan/dao/scanner/registration.go
index ffbdfe3ba..06000184a 100644
--- a/src/pkg/scan/dao/scanner/registration.go
+++ b/src/pkg/scan/dao/scanner/registration.go
@@ -106,6 +106,9 @@ func ListRegistrations(query *q.Query) ([]*Registration, error) {
 qt = qt.Filter(kk, v)
 continue
 }
+ if s, ok := v.(string); ok {
+ v = liborm.Escape(s)
+ }
 qt = qt.Filter(fmt.Sprintf("%s__icontains", k), v)
 }
 
diff --git a/src/replication/dao/policy.go b/src/replication/dao/policy.go
index 00aeeb0ec..995d9298e 100644
--- a/src/replication/dao/policy.go
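Review bot: The new `Escape(query.Name)` on the fuzzy branch ships without a test; the diffstat lists only the four DAO files, so a label name containing `%` or `_` should be covered to keep a later refactor of this filter from silently dropping the escaping. The changed line also deserves a why-comment, because a reader of the `else` branch may wonder why only one side is escaped: `// fuzzy match becomes a LIKE pattern; escape the user-supplied name so pattern characters in it match literally`. Which characters are actually handled depends on `Escape`, which is not part of this patch, and the exact-match branch is presumably not a LIKE query and so stays unescaped. getLabelQuerySetter continues outside the hunk.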
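Review bot: The `// fuzzy match` comment above the changed line no longer explains why the value is transformed before filtering; suggest `// fuzzy match: escape the user-supplied value so LIKE pattern characters in it are matched literally`. Since queryByColumn is the shared path for `*q.FuzzyMatchValue`, it is worth checking whether the scanner DAO in this same patch (registration.go) could route through it instead of escaping on its own, so future `__icontains` call sites have a single place to get this right. Two helpers named `Escape` appear across the patch (`common_dao.Escape` in policy.go and `liborm.Escape` here); if they are separate implementations, their escaping rules need to stay identical. The rest of queryByColumn, from the `// range` branch onward, lies outside the hunk.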
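Review bot: The added type assertion escapes only values that are plain `string`s; any other value type (for instance a `[]string`, or a `*q.FuzzyMatchValue` as recognised by the lib/orm helper in this same patch) falls through to `fmt.Sprintf("%s__icontains", k)` unescaped, so the fix is incomplete if ListRegistrations can receive such keyword values — the hunk does not show what the caller passes. If only strings are legitimate on this path, a comment above the `if` would keep the gap from looking accidental, e.g. `// only plain string keywords reach the icontains filter; escape LIKE pattern characters in them`. The loop and the body of ListRegistrations continue outside the hunk.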
+++ b/src/replication/dao/policy.go
@@ -41,7 +41,7 @@ func GetPolicies(queries ...*model.PolicyQuery) (int64, []*models.RepPolicy, err
 query := queries[0]
 if len(query.Name) != 0 {
- qs = qs.Filter("Name__icontains", query.Name)
+ qs = qs.Filter("Name__icontains", common_dao.Escape(query.Name))
 }
 if len(query.Namespace) != 0 {
 // TODO: Namespace filter not implemented yet