fix(query): escape wildcards in text search (#7131) (#7135)

* fix(query): escape like wildcards * test: search query wildcards * add do nothing
2025-08-11 21:17:32 +00:00 · 2024-01-02 16:27:36 +01:00
parent 9892fd92b6
commit 8bc56f6fe7
6 changed files with 736 additions and 51 deletions
--- a/internal/query/search_query.go
+++ b/internal/query/search_query.go
@@ -8,6 +8,7 @@ import (

 	sq "github.com/Masterminds/squirrel"

+	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 )

@@ -255,7 +256,7 @@ func NewInTextQuery(col Column, values []string) (*InTextQuery, error) {
 	}, nil
 }

-type TextQuery struct {
+type textQuery struct {
 	Column  Column
 	Text    string
 	Compare TextComparison
@@ -269,21 +270,38 @@ var (
 	ErrEmptyValues     = errors.New("values array must not be empty")
 )

-func NewTextQuery(col Column, value string, compare TextComparison) (*TextQuery, error) {
+func NewTextQuery(col Column, value string, compare TextComparison) (*textQuery, error) {
 	if compare < 0 || compare >= textCompareMax {
 		return nil, ErrInvalidCompare
 	}
 	if col.isZero() {
 		return nil, ErrMissingColumn
 	}
-	return &TextQuery{
+	// handle the comparisons which use (i)like and therefore need to escape potential wildcards in the value
+	switch compare {
+	case TextEqualsIgnoreCase,
+		TextStartsWith,
+		TextStartsWithIgnoreCase,
+		TextEndsWith,
+		TextEndsWithIgnoreCase,
+		TextContains,
+		TextContainsIgnoreCase:
+		value = database.EscapeLikeWildcards(value)
+	case TextEquals,
+		TextListContains,
+		TextNotEquals,
+		textCompareMax:
+		// do nothing
+	}
+
+	return &textQuery{
 		Column:  col,
 		Text:    value,
 		Compare: compare,
 	}, nil
 }

-func (q *TextQuery) Col() Column {
+func (q *textQuery) Col() Column {
 	return q.Column
 }

@@ -296,11 +314,11 @@ func (q *InTextQuery) comp() sq.Sqlizer {
 	return sq.Eq{q.Column.identifier(): q.Values}
 }

-func (q *TextQuery) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
+func (q *textQuery) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
 	return query.Where(q.comp())
 }

-func (q *TextQuery) comp() sq.Sqlizer {
+func (q *textQuery) comp() sq.Sqlizer {
 	switch q.Compare {
 	case TextEquals:
 		return sq.Eq{q.Column.identifier(): q.Text}
@@ -346,32 +364,6 @@ const (
 	textCompareMax
 )

-// Deprecated: Use TextComparison, will be removed as soon as all calls are changed to query
-func TextComparisonFromMethod(m domain.SearchMethod) TextComparison {
-	switch m {
-	case domain.SearchMethodEquals:
-		return TextEquals
-	case domain.SearchMethodEqualsIgnoreCase:
-		return TextEqualsIgnoreCase
-	case domain.SearchMethodStartsWith:
-		return TextStartsWith
-	case domain.SearchMethodStartsWithIgnoreCase:
-		return TextStartsWithIgnoreCase
-	case domain.SearchMethodContains:
-		return TextContains
-	case domain.SearchMethodContainsIgnoreCase:
-		return TextContainsIgnoreCase
-	case domain.SearchMethodEndsWith:
-		return TextEndsWith
-	case domain.SearchMethodEndsWithIgnoreCase:
-		return TextEndsWithIgnoreCase
-	case domain.SearchMethodListContains:
-		return TextListContains
-	default:
-		return textCompareMax
-	}
-}
-
 type NumberQuery struct {
 	Column  Column
 	Number  interface{}