[
https://issues.apache.org/jira/browse/TINKERPOP-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072126#comment-18072126
]
ASF GitHub Bot commented on TINKERPOP-3233:
-------------------------------------------
GumpacG opened a new pull request, #3381:
URL: https://github.com/apache/tinkerpop/pull/3381
https://issues.apache.org/jira/browse/TINKERPOP-3233
This is the first part of resolving the ticket.
This change fixes a bug in Go in which characters that should be escaped are
being replaced by a dot.
Bug:
The traversal `result, err := g.V().Has(vertexLabel, "name", "m
m").Next()` would generate the GremlinLang `g.V().has(vertexLabel, "name",
"m.m").next()`.
New behaviour:
The traversal `result, err := g.V().Has(vertexLabel, "name", "m
m").Next()` would generate the GremlinLang `g.V().has(vertexLabel, "name",
"m\tm").next()`.
A test has been added to `gremlinlang_test.go` for testing all cases that
should be escaped.
> Standardize argument escaping in GremlinLang
> --------------------------------------------
>
> Key: TINKERPOP-3233
> URL: https://issues.apache.org/jira/browse/TINKERPOP-3233
> Project: TinkerPop
> Issue Type: Improvement
> Components: dotnet, go, javascript, process, python
> Affects Versions: 4.0.0
> Reporter: Cole Greer
> Priority: Major
>
> With the switch from bytecode to GremlinLang in TP4
> (https://lists.apache.org/thread/7m3govzsqtmmj224xs7k5vv1ycnmocjn), it's
> important that certain step arguments are properly escaped before being added
> to a gremlin script to protect against gremlin injection attacks. Currently
> all GLVs which have completed this transition have logic to escape string
> arguments, but they do not follow a consistent set of rules.
> We should develop a set of best practices for escaping gremlin-lang scripts,
> document this for users, and update all drivers to follow these consistent
> rules.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
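An added example for the escaping behaviour this message describes, not code from the pull request or from gremlin-go: it renders a string argument as a double-quoted script literal and checks that the value cannot close the literal early. The names `escapeGremlinString` and `closesOnlyAtEnd` and the exact escape set are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed escape set (not taken from the page): backslash, double quote and
// the usual control-character escapes; other control characters become \uXXXX.
var escapes = map[rune]string{
	'\\': `\\`, '"': `\"`, '\t': `\t`, '\n': `\n`, '\r': `\r`, '\b': `\b`, '\f': `\f`,
}

// escapeGremlinString is a hypothetical helper, not gremlin-go's function.
// It renders s as a double-quoted literal for embedding in a script.
func escapeGremlinString(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for _, r := range s {
		if e, ok := escapes[r]; ok {
			b.WriteString(e)
		} else if r < 0x20 || r == 0x7f {
			fmt.Fprintf(&b, `\u%04x`, r)
		} else {
			b.WriteRune(r)
		}
	}
	b.WriteByte('"')
	return b.String()
}

// closesOnlyAtEnd reports whether the first unescaped quote after the opening
// one is the literal's last byte, i.e. the value cannot end the literal early.
func closesOnlyAtEnd(lit string) bool {
	for i := 1; i < len(lit); i++ {
		switch lit[i] {
		case '\\':
			i++ // skip the character that the backslash escapes
		case '"':
			return i == len(lit)-1
		}
	}
	return false
}

func main() {
	// Constructed sample values: a tab (the case from the PR), a quote, a trailing backslash.
	for _, v := range []string{"m\tm", `m"m`, `m\`} {
		lit := escapeGremlinString(v)
		fmt.Printf("g.V().has(\"name\", %s)  closes-only-at-end=%v\n", lit, closesOnlyAtEnd(lit))
	}
}
```

The same `closesOnlyAtEnd` check returns false for the unescaped forms `"m"m"` and `"m\"`, which is the property a cross-driver escaping test would want to assert.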