Project
vgrep
Description
The search_similar() function in src/core/db.rs constructs a SQL LIKE pattern without escaping special characters (% and _). If a user searches in a directory path containing these characters, the search will match unintended files.
Error Message
No error - incorrect results are returned silently.
Debug Logs
System Information
- Bounty Version: 0.1.0
- OS: Ubuntu 24.04 LTS
- Rust: 1.75+
Screenshots
No response
Steps to Reproduce
- Create a directory structure:
  /project/100%_complete/file.rs
  /project/100_percent/other.rs
  /project/data_files/data.rs
- Index all files:
  vgrep index /project
- Search in /project/100%_complete/:
  vgrep search "function" --path "/project/100%_complete/"
- Observe that results include files from other directories
Expected Behavior
- Searching in /project/100%_complete/ should only match files in that exact directory
- The % character should be treated as a literal, not a wildcard
- The _ character should be treated as a literal, not a single-char wildcard
Actual Behavior
- % in path acts as a wildcard: /project/100%_complete/ matches any path starting with /project/100 followed by anything ending with _complete/
- _ in path acts as a single-character wildcard
- Users in directories with these characters get incorrect results
Additional Context
While paths containing % are rare on most systems, they're valid on all major operating systems:
- Linux/macOS: all characters except / and NULL are valid
- Windows: % is common in environment variable expansion
The _ character is much more common in directory names (e.g., node_modules, __pycache__, build_output) and could cause subtle matching issues.
Example of unexpected behavior:
- Path: /project/data_test/
- LIKE pattern: /project/data_test/%
- Also matches: /project/data0test/, /project/dataXtest/ (anything with a single character between data and test)
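The following is an added illustration, not code from vgrep or from src/core/db.rs: it escapes the LIKE metacharacters before building the directory-prefix pattern, and pairs that with a minimal LIKE evaluator (with ESCAPE semantics) so the difference between the current and the escaped pattern can be checked offline against a constructed set of indexed paths, including the data_test case from this report. The choice of backslash as the escape character and the sample paths are assumptions.

```rust
// Added example (not vgrep's code). Escaping for a query of the form
// `... WHERE path LIKE ?1 ESCAPE '\'`, plus a tiny LIKE evaluator to
// demonstrate the effect without a database.

/// Escape `%`, `_` and the escape character itself so they match literally
/// when the query carries `ESCAPE '\'`.
pub fn escape_like(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if c == '\\' || c == '%' || c == '_' {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// "Everything under this directory" pattern as the report describes it
/// today: the directory is concatenated with `%` unescaped.
pub fn unsafe_dir_pattern(dir: &str) -> String {
    format!("{}%", dir)
}

/// Same pattern with the directory escaped; only the trailing `%` is a wildcard.
pub fn safe_dir_pattern(dir: &str) -> String {
    format!("{}%", escape_like(dir))
}

/// Minimal case-sensitive SQL LIKE: `%` matches any run, `_` one character,
/// `esc` (if given) makes the following pattern character literal.
pub fn sql_like(text: &str, pattern: &str, esc: Option<char>) -> bool {
    fn go(t: &[char], p: &[char], esc: Option<char>) -> bool {
        match p.first() {
            None => t.is_empty(),
            Some(&c) if Some(c) == esc => match (p.get(1), t.first()) {
                // escaped character: must match literally
                (Some(&lit), Some(&tc)) if lit == tc => go(&t[1..], &p[2..], esc),
                _ => false,
            },
            Some(&'%') => (0..=t.len()).any(|i| go(&t[i..], &p[1..], esc)),
            Some(&'_') => !t.is_empty() && go(&t[1..], &p[1..], esc),
            Some(&c) => t.first() == Some(&c) && go(&t[1..], &p[1..], esc),
        }
    }
    let t: Vec<char> = text.chars().collect();
    let p: Vec<char> = pattern.chars().collect();
    go(&t, &p, esc)
}

/// Constructed sample of indexed paths (assumed, not from the report's index).
pub const INDEXED: [&str; 5] = [
    "/project/data_test/a.rs",
    "/project/data0test/b.rs",
    "/project/dataXtest/c.rs",
    "/project/100%_complete/file.rs",
    "/project/100_percent/done_complete/other.rs",
];

/// Paths from `paths` that the LIKE pattern selects.
pub fn matches<'a>(pattern: &str, esc: Option<char>, paths: &[&'a str]) -> Vec<&'a str> {
    paths.iter().copied().filter(|p| sql_like(p, pattern, esc)).collect()
}

fn main() {
    for dir in ["/project/data_test/", "/project/100%_complete/"] {
        println!("{dir}");
        println!("  unescaped: {:?}", matches(&unsafe_dir_pattern(dir), None, &INDEXED));
        println!("  escaped:   {:?}", matches(&safe_dir_pattern(dir), Some('\\'), &INDEXED));
    }
}
```

Two points matter when carrying this into db.rs: SQLite has no default escape character, so the escaped value only behaves correctly if the SQL text itself contains `ESCAPE '\'`; and the escaped pattern should still be passed as a bound parameter rather than interpolated into the query string, since escaping for LIKE does nothing for SQL quoting.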