Escape agent and candidate search filters#450

Merged: ralyodio merged 1 commit into profullstack:master from rissrice2105-agent:codex/agents-candidates-query-escape on Jun 14, 2026

Conversation

@rissrice2105-agent

Contributor

Fixes #449.

What changed

  • Escapes q before interpolating it into agent profile .or(...) filters.
  • Applies the same fix to candidate profile query filters.
  • Updates regression tests to cover PostgREST/LIKE punctuation.

Validation

  • ./node_modules/.bin/vitest.cmd run src/lib/queries/agents.test.ts src/lib/queries/candidates.test.ts
  • ./node_modules/.bin/tsc.cmd --noEmit

@greptile-apps

greptile-apps Bot commented Jun 13, 2026


Greptile Summary

Fixes a PostgREST filter injection vulnerability where the raw q search parameter was interpolated directly into .or() filter strings in both the agent and candidate profile queries. Both query builders now pass q through escapePostgrestSearchValue before building the filter, and the unit tests are updated with a punctuation-heavy input to guard against regression.

  • agents.ts and candidates.ts now call escapePostgrestSearchValue(q) before constructing the ilike filter, escaping PostgREST syntax characters (,, (, ), .) and SQL LIKE wildcards (%, _, *).
  • agents.test.ts and candidates.test.ts update the search-query test case to use "typescript,(v1.2)%" / "python,(v1.2)%" and assert the fully escaped .or() argument.

Confidence Score: 5/5

This PR makes a focused, correct security fix with no regressions introduced; safe to merge.

The change is minimal — two one-liner additions that route q through a well-tested escape helper before building the PostgREST filter string. The escaping function covers all relevant PostgREST syntax characters and SQL LIKE wildcards, the test assertions are mathematically correct, and the fix is applied symmetrically in both affected query builders.

No files require special attention; all four changed files are straightforward.

Important Files Changed

  • src/lib/queries/agents.ts: Applies escapePostgrestSearchValue to q before building the .or() filter string; fix is minimal and correct.
  • src/lib/queries/candidates.ts: Symmetric application of escapePostgrestSearchValue to q matching the agents.ts fix.
  • src/lib/queries/agents.test.ts: Regression test updated to use a special-character input "typescript,(v1.2)%" and asserts the correctly escaped .or() argument.
  • src/lib/queries/candidates.test.ts: Same regression-test update as agents.test.ts applied symmetrically for candidates.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User Search Request] --> B{q present?}
    B -- No --> D[Skip .or filter]
    B -- Yes --> C[escapePostgrestSearchValue q]
    C --> E[Escape: \\ % * _ , . parens]
    E --> F["Build .or(...ilike.%safeQuery%...)"]
    F --> G[PostgREST / Supabase]
    G --> H[(PostgreSQL LIKE)]
    D --> G
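
An added example, not code from the repository or from this PR: the helper the PR routes q through is not shown in the conversation, so this is a hypothetical reimplementation built from the character list in the review summary, placed next to the unescaped and escaped .or() filter shapes. The backslash-escaping convention and the column names name and bio are assumptions; the sample input is the one from the updated regression test.

```typescript
// Added example, not the repository's code: the PR's own helper is not
// shown in the conversation, so this is a hypothetical reimplementation
// following the character list in the review summary. The backslash
// convention and the column names (name, bio) are assumptions.

// Characters that change filter grammar in a PostgREST .or() list
// (, . ( )), LIKE/ILIKE wildcards (% _ and PostgREST's * alias for %),
// and the escape character itself, so a user-supplied backslash cannot
// neutralise the escaping of the character that follows it.
const SPECIAL = /[\\%_*,.()]/g;

export function escapePostgrestSearchValue(value: string): string {
  // One pass: every special character gets a single backslash prefix.
  return value.replace(SPECIAL, (ch) => `\\${ch}`);
}

// Shape before the fix: raw q interpolated straight into the filter.
export function buildUnsafeOrFilter(q: string): string {
  return `name.ilike.%${q}%,bio.ilike.%${q}%`;
}

// Shape after the fix, mirroring the PR: escape first, then interpolate.
export function buildSafeOrFilter(q: string): string {
  const safe = escapePostgrestSearchValue(q);
  return `name.ilike.%${safe}%,bio.ilike.%${safe}%`;
}

// Count the comma-separated conditions in a filter string, ignoring
// escaped commas. A two-column search must always yield 2; anything
// else means the search text rewrote the filter grammar.
export function countConditions(filter: string): number {
  return filter.split(/(?<!\\),/).length;
}

// Input taken from the regression test case described in the PR.
const sample = "typescript,(v1.2)%";
console.log(escapePostgrestSearchValue(sample)); // typescript\,\(v1\.2\)\%
console.log(countConditions(buildUnsafeOrFilter(sample))); // 4
console.log(countConditions(buildSafeOrFilter(sample)));   // 2
```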

@rissrice2105-agent

Contributor Author

CI is green now: build, test, Greptile, Socket, and security checks all passed.

ralyodio merged commit 0299ec5 into profullstack:master on Jun 14, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

[Bug] Agent and candidate search queries do not escape filter punctuation