[ 
https://issues.apache.org/jira/browse/TINKERPOP-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072138#comment-18072138
 ] 

ASF GitHub Bot commented on TINKERPOP-3233:
-------------------------------------------

Cole-Greer commented on code in PR #3381:
URL: https://github.com/apache/tinkerpop/pull/3381#discussion_r3055079267


##########
gremlin-go/driver/gremlinlang_test.go:
##########
@@ -674,6 +674,12 @@ func Test_GremlinLang(t *testing.T) {
                        },
                        equals: "g.inject(NaN).is(eq(NaN))",
                },
+               {
+                       assert: func(g *GraphTraversalSource) *GraphTraversal {
+                               return g.V().Has("name", "\"marko\n\r\t\b\f\"")
+                       },
+                       equals: 
"g.V().has(\"name\",\"\\\"marko\\n\\r\\t\\b\\f\\\"\")",
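
Review bot: The input passed to Has("name", ...) in this new case contains a double quote and the control characters \n \r \t \b \f, but no literal backslash, so the test does not pin down how a backslash in the argument is rendered. For an escaping test that guards against injection, that is the case most worth covering, because a backslash left unescaped in front of an escaped quote changes how the script literal is parsed. Consider adding a \\ to the Go input and the matching \\\\ to the equals string.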

Review Comment:
   Nit:
   ```suggestion
                                return g.V().Has("name", "\"marko\n\r\t\b\f\'")
                        },
                        equals: 
"g.V().has(\"name\",\"\\\"marko\\n\\r\\t\\b\\f\\\'\")",
   ```
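
Review bot: In both suggested lines, \' sits inside a double-quoted Go string literal; Go accepts \' only in rune literals, so the input line and the equals line would each fail to compile with an unknown escape sequence error. Write the single quote unescaped in the Go source, and if the expected script should show a backslash before it, spell that backslash as \\ in equals.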





> Standardize argument escaping in GremlinLang
> --------------------------------------------
>
>                 Key: TINKERPOP-3233
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-3233
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: dotnet, go, javascript, process, python
>    Affects Versions: 4.0.0
>            Reporter: Cole Greer
>            Priority: Major
>
> With the switch from bytecode to GremlinLang in TP4 
> (https://lists.apache.org/thread/7m3govzsqtmmj224xs7k5vv1ycnmocjn), it's 
> important that certain step arguments are properly escaped before being added 
> to a gremlin script to protect against gremlin injection attacks. Currently 
> all GLVs which have completed this transition have logic to escape string 
> arguments, but they do not follow a consistent set of rules.
> We should develop a set of best practices for escaping gremlin-lang scripts, 
> document this for users, and update all drivers to follow these consistent 
> rules.
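
An added example, not code from the PR or the TinkerPop drivers, showing why the escaping rules the issue asks for have to cover the backslash as well as the quote. The helper names, the escape set (the characters in the test case above plus `\`), the assumption that `\` is the escape character inside a double-quoted script literal, and the constructed input are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escaper covers the characters exercised by the test case on this page plus
// the backslash itself. The set is an assumption, not TinkerPop's final rules.
var escaper = strings.NewReplacer(
	`\`, `\\`, `"`, `\"`, "\n", `\n`, "\r", `\r`, "\t", `\t`, "\b", `\b`, "\f", `\f`,
)

// quoteArg (hypothetical helper) renders s as one double-quoted script literal.
func quoteArg(s string) string {
	return `"` + escaper.Replace(s) + `"`
}

// quoteOnly is the weak variant for contrast: it escapes '"' but not '\'.
func quoteOnly(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `\"`) + `"`
}

// breaksLiteral reports whether lit is not exactly one string token: an
// unescaped quote inside it, or a trailing backslash eating the closing quote.
func breaksLiteral(lit string) bool {
	escaped := false
	for i := 1; i < len(lit)-1; i++ {
		switch {
		case escaped:
			escaped = false
		case lit[i] == '\\':
			escaped = true
		case lit[i] == '"':
			return true
		}
	}
	return escaped
}

func main() {
	arg := `a\"` // constructed input: letter, backslash, double quote
	fmt.Println(quoteOnly(arg), breaksLiteral(quoteOnly(arg)))
	fmt.Println(quoteArg(arg), breaksLiteral(quoteArg(arg)))
}
```

With the quote-only variant the argument's own backslash pairs with the inserted one, leaving the quote unescaped so the literal ends inside the argument; escaping the backslash in the same single pass keeps the whole argument inside one literal.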



--
This message was sent by Atlassian Jira
(v8.20.10#820010)