
[BUG] Security: SQL LIKE Pattern Not Escaped - Allows Query Manipulation #62

@EnthusiasticTech

Project

vgrep

Description

The search_similar function in db.rs constructs a SQL LIKE pattern by directly concatenating user-provided path input without escaping special LIKE characters (%, _). This allows attackers to manipulate the query behavior, potentially accessing data from paths they shouldn't see.

Error Message

Debug Logs

System Information

Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB

Screenshots

No response

Steps to Reproduce

  1. Start the vgrep server: vgrep serve
  2. Index some files: vgrep index
  3. Send a search request with LIKE wildcards in the path:
    curl -X POST http://127.0.0.1:7777/search \
      -H "Content-Type: application/json" \
      -d '{"query": "password", "path": "/home/%/.ssh", "max_results": 10}'
  4. The % character acts as a SQL wildcard, potentially matching unintended paths

Expected Behavior

Special SQL LIKE characters (%, _, [, ]) in the path parameter should be escaped before constructing the LIKE pattern, e.g.:
    let escaped = path_prefix_str
        .replace("\\", "\\\\") // escape the escape character first, or a user "\" can undo the next step
        .replace("%", "\\%")
        .replace("_", "\\_");
    let like_pattern = format!("{}%", escaped);
    // The query must also declare the escape character (... LIKE ? ESCAPE '\'),
    // otherwise the database treats the backslashes as ordinary characters.

Actual Behavior

The path is directly concatenated without escaping:
    let like_pattern = format!("{}%", path_prefix_str);
User-supplied % or _ characters modify the LIKE pattern behavior.
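The following is an added example, not vgrep's own code, showing the unescaped construction from "Actual Behavior" beside the escaped one from "Expected Behavior" and what each exposes. It assumes the backend is SQLite (the issue does not show db.rs or the query) and that the pattern is bound as a parameter, so the problem is LIKE wildcard injection rather than SQL injection; the function and table names, the `?1` placeholder, and the sample index are all constructed for illustration. Note that `[` and `]` are LIKE metacharacters only in SQL Server; SQLite's LIKE knows `%`, `_`, and whatever single character the `ESCAPE` clause names, and without an `ESCAPE` clause a backslash in the pattern means nothing. The small matcher at the bottom imitates SQLite's LIKE (minus its ASCII case-insensitivity) so the effect can be seen offline.

```rust
// Added example (not vgrep's code). Assumed: SQLite backend, pattern bound as
// a parameter, hypothetical table `files` with a `path` column.

/// Escape LIKE metacharacters so user input matches literally.
/// The backslash goes first: a user-supplied "\" before "%" would otherwise
/// turn our inserted escape into a literal backslash and re-enable the wildcard.
pub fn escape_like(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + 4);
    for c in input.chars() {
        match c {
            '\\' | '%' | '_' => {
                out.push('\\');
                out.push(c);
            }
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable construction (as in the issue): the prefix is interpolated as-is.
pub fn like_pattern_unescaped(path_prefix: &str) -> String {
    format!("{}%", path_prefix)
}

/// Hardened construction: metacharacters escaped, trailing "%" added by us.
pub fn like_pattern_escaped(path_prefix: &str) -> String {
    format!("{}%", escape_like(path_prefix))
}

/// The escaping only works if the SQL names the escape character.
/// Hypothetical query; the pattern is bound to ?1, never interpolated.
pub const SAFE_SQL: &str = "SELECT path FROM files WHERE path LIKE ?1 ESCAPE '\\'";

/// Minimal LIKE matcher with "\" as the escape character, used here only to
/// demonstrate the two patterns without a database. Case-sensitive, bytewise.
pub fn like_match(pattern: &str, text: &str) -> bool {
    fn go(p: &[u8], t: &[u8]) -> bool {
        match p.first() {
            None => t.is_empty(),
            // "%" matches any run of characters, including none
            Some(b'%') => (0..=t.len()).any(|i| go(&p[1..], &t[i..])),
            // "_" matches exactly one character
            Some(b'_') => !t.is_empty() && go(&p[1..], &t[1..]),
            // "\x" matches x literally
            Some(b'\\') if p.len() > 1 => !t.is_empty() && t[0] == p[1] && go(&p[2..], &t[1..]),
            Some(&c) => !t.is_empty() && t[0] == c && go(&p[1..], &t[1..]),
        }
    }
    go(pattern.as_bytes(), text.as_bytes())
}

/// Paths from `index` that a pattern would return.
pub fn matches<'a>(pattern: &str, index: &[&'a str]) -> Vec<&'a str> {
    index.iter().copied().filter(|p| like_match(pattern, p)).collect()
}

fn main() {
    // Constructed sample index, not real data.
    let index = [
        "/home/alice/.ssh/id_ed25519",
        "/home/bob/.ssh/config",
        "/home/%/.ssh/notes.txt",
        "/srv/app/config.toml",
    ];
    // The request body from the issue's reproduction step.
    let user_path = "/home/%/.ssh";

    // "/home/%/.ssh%" walks into every user's .ssh directory.
    println!("unescaped: {:?}", matches(&like_pattern_unescaped(user_path), &index));
    // "/home/\%/.ssh%" only matches a directory literally named "%".
    println!("escaped:   {:?}", matches(&like_pattern_escaped(user_path), &index));
    println!("query:     {}", SAFE_SQL);
}
```

Two points the snippet in "Expected Behavior" does not make explicit: the backslash itself has to be escaped before `%` and `_`, and the fix is incomplete unless the statement carries `ESCAPE '\'`; the escaped pattern is still passed as a bound parameter, never spliced into the SQL text.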

Additional Context

No response

Metadata

Labels

bug (Something isn't working), valid (Valid issue)
