From 55dd99eca42e9c6d6085961c60a0704373919a54 Mon Sep 17 00:00:00 2001 From: Shay Rojansky Date: Thu, 26 Sep 2024 22:00:51 +0200 Subject: [PATCH] Properly escape constant regex patterns (#3299) Fixes #3292 (cherry picked from commit d316b35b6cf33279f23a0cb87edff2ca5e549a52) --- .../Query/Internal/NpgsqlQuerySqlGenerator.cs | 2 +- .../Query/NorthwindFunctionsQueryNpgsqlTest.cs | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/EFCore.PG/Query/Internal/NpgsqlQuerySqlGenerator.cs b/src/EFCore.PG/Query/Internal/NpgsqlQuerySqlGenerator.cs index bcbc9dd08..87aab70b8 100644 --- a/src/EFCore.PG/Query/Internal/NpgsqlQuerySqlGenerator.cs +++ b/src/EFCore.PG/Query/Internal/NpgsqlQuerySqlGenerator.cs @@ -962,7 +962,7 @@ protected virtual Expression VisitRegexMatch(PgRegexMatchExpression expression) } else { - Sql.Append(constantPattern); + Sql.Append(constantPattern.Replace("'", "''")); Sql.Append("'"); } diff --git a/test/EFCore.PG.FunctionalTests/Query/NorthwindFunctionsQueryNpgsqlTest.cs b/test/EFCore.PG.FunctionalTests/Query/NorthwindFunctionsQueryNpgsqlTest.cs index f74474e82..0c9198a67 100644 --- a/test/EFCore.PG.FunctionalTests/Query/NorthwindFunctionsQueryNpgsqlTest.cs +++ b/test/EFCore.PG.FunctionalTests/Query/NorthwindFunctionsQueryNpgsqlTest.cs @@ -118,6 +118,23 @@ await AssertQuery( """); } + [Theory] + [MemberData(nameof(IsAsyncData))] + public async Task Regex_IsMatch_with_constant_pattern_properly_escaped(bool async) + { + await AssertQuery( + async, + cs => cs.Set().Where(c => Regex.IsMatch(c.CompanyName, "^A';foo")), + assertEmpty: true); + + AssertSql( + """ +SELECT c."CustomerID", c."Address", c."City", c."CompanyName", c."ContactName", c."ContactTitle", c."Country", c."Fax", c."Phone", c."PostalCode", c."Region" +FROM "Customers" AS c +WHERE c."CompanyName" ~ '(?p)^A'';foo' +"""); + } + [Theory] [MemberData(nameof(IsAsyncData))] public async Task Regex_IsMatch_with_parameter_pattern(bool async)