Skip to content

adding allowlist regex validator before interpolation + tests#3512

Open
davidsbatista wants to merge 1 commit into
mainfrom
fix/falkordb-doc-store-Cypher-injection
Open

adding allowlist regex validator before interpolation + tests#3512
davidsbatista wants to merge 1 commit into
mainfrom
fix/falkordb-doc-store-Cypher-injection

Conversation

@davidsbatista

@davidsbatista davidsbatista commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Related Issues

  • fixes deepset-ai/haystack-private#428

Proposed Changes:

  • adds an allowlist regex ^[A-Za-z_][A-Za-z0-9_]*$ validated against the field identifier before it is interpolated into the query.
  • any field name that does not match raises a FilterError, closing the injection surface

How did you test it?

Added unit tests to test_convert_filters_errors covering:

  • The exact PoC payload from the issue report (tenant = $p0, false) OR true RETURN d //)
  • Semicolon injection (x; DROP DATABASE)
  • Dot-separated identifiers (x.y, meta.x.y)
  • Empty identifier after meta. stripping (meta.)
  • Digit-leading identifiers (2fast)
  • Hyphen-containing identifiers (created-by, meta.created-by)

Checklist

@github-actions

Copy link
Copy Markdown
Contributor

Coverage report (falkordb)

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)
Lines missing
  integrations/falkordb/src/haystack_integrations/document_stores/falkordb
  document_store.py
Project Total  

This report was generated by python-coverage-comment-action

@davidsbatista davidsbatista marked this pull request as ready for review June 30, 2026 16:02
@davidsbatista davidsbatista requested a review from a team as a code owner June 30, 2026 16:02
@davidsbatista davidsbatista requested review from sjrl and removed request for a team June 30, 2026 16:02

@sjrl sjrl left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants