[ https://issues.apache.org/jira/browse/TINKERPOP-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072428#comment-18072428 ]
ASF GitHub Bot commented on TINKERPOP-3233:
-------------------------------------------
GumpacG commented on code in PR #3381:
URL: https://github.com/apache/tinkerpop/pull/3381#discussion_r3060214514
##########
gremlin-go/driver/gremlinlang_test.go:
##########
@@ -674,6 +674,12 @@ func Test_GremlinLang(t *testing.T) {
},
equals: "g.inject(NaN).is(eq(NaN))",
},
+ {
+ assert: func(g *GraphTraversalSource) *GraphTraversal {
+ return g.V().Has("name", "\"marko\n\r\t\b\f\"")
+ },
+ equals:
"g.V().has(\"name\",\"\\\"marko\\n\\r\\t\\b\\f\\\"\")",
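Review bot: the new test-table entry stops at the `equals:` line and its closing `},` is not visible in this hunk, so confirm the entry is actually closed before the next case, otherwise the table literal will not compile. A short comment above the entry saying that this expected string is meant to match the Java GremlinLang output for the same input would document why exactly the backslash, the double quote and the `\n`, `\r`, `\t`, `\b`, `\f` control characters are the ones escaped, and since the ticket's goal is consistent escaping across the dotnet, javascript and python drivers as well, the same input/expected pair is worth mirroring in those drivers' tests.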
Review Comment:
This will fail because single quotes are not escaped similar to Java since
the string arguments are always wrapped in double quotes. It doesn't need to be
added as it is not an escaped character.
> Standardize argument escaping in GremlinLang
> --------------------------------------------
>
> Key: TINKERPOP-3233
> URL: https://issues.apache.org/jira/browse/TINKERPOP-3233
> Project: TinkerPop
> Issue Type: Improvement
> Components: dotnet, go, javascript, process, python
> Affects Versions: 4.0.0
> Reporter: Cole Greer
> Priority: Major
>
> With the switch from bytecode to GremlinLang in TP4
> (https://lists.apache.org/thread/7m3govzsqtmmj224xs7k5vv1ycnmocjn), it's
> important that certain step arguments are properly escaped before being added
> to a gremlin script to protect against gremlin injection attacks. Currently
> all GLVs which have completed this transition have logic to escape string
> arguments, but they do not follow a consistent set of rules.
> We should develop a set of best practices for escaping gremlin-lang scripts,
> document this for users, and update all drivers to follow these consistent
> rules.
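As an added illustration of the escaping the ticket asks for, the Go below builds a `has("name", ...)` step with the argument written as one double-quoted literal and checks that the result is still a single literal. This is example code written for this page, not the gremlin-go driver's own implementation; the function names `escapeGremlinString`, `unescapeGremlinString`, `isSingleQuotedLiteral`, `naiveLiteral` and `hasNameStep` are all assumed here, and the escaped character set (backslash, double quote, `\n`, `\r`, `\t`, `\b`, `\f`) is taken from the expected string in the test case discussed above.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeGremlinString (assumed name, not the driver's API) wraps s in double
// quotes and writes the backslash, the double quote and the control characters
// \n \r \t \b \f as escape sequences, so the value can never close the quoted
// literal and continue the script with its own steps.
func escapeGremlinString(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for _, r := range s {
		switch r {
		case '\\':
			b.WriteString(`\\`)
		case '"':
			b.WriteString(`\"`)
		case '\n':
			b.WriteString(`\n`)
		case '\r':
			b.WriteString(`\r`)
		case '\t':
			b.WriteString(`\t`)
		case '\b':
			b.WriteString(`\b`)
		case '\f':
			b.WriteString(`\f`)
		default:
			b.WriteRune(r) // other runes, UTF-8 included, pass through unchanged
		}
	}
	b.WriteByte('"')
	return b.String()
}

// naiveLiteral is the unsafe form for comparison: quotes are added but the
// value itself is not escaped, so an embedded quote ends the literal early.
func naiveLiteral(s string) string {
	return "\"" + s + "\""
}

// isSingleQuotedLiteral is the check a driver test can apply to any generated
// argument: the text must start with a quote, end with an unescaped quote and
// contain no unescaped quote in between.
func isSingleQuotedLiteral(lit string) bool {
	if len(lit) < 2 || lit[0] != '"' {
		return false
	}
	escaped := false
	for i := 1; i < len(lit); i++ {
		c := lit[i]
		switch {
		case escaped:
			escaped = false
		case c == '\\':
			escaped = true
		case c == '"':
			return i == len(lit)-1 // the first unescaped quote must be the last byte
		}
	}
	return false // no unescaped closing quote at all
}

// unescapeGremlinString reverses escapeGremlinString; it exists only so the
// round trip can be verified.
func unescapeGremlinString(lit string) (string, error) {
	if !isSingleQuotedLiteral(lit) {
		return "", fmt.Errorf("not a single quoted literal: %q", lit)
	}
	body := lit[1 : len(lit)-1]
	var b strings.Builder
	for i := 0; i < len(body); i++ {
		c := body[i]
		if c != '\\' {
			b.WriteByte(c)
			continue
		}
		i++
		if i >= len(body) {
			return "", fmt.Errorf("dangling backslash in %q", lit)
		}
		switch body[i] {
		case '\\':
			b.WriteByte('\\')
		case '"':
			b.WriteByte('"')
		case 'n':
			b.WriteByte('\n')
		case 'r':
			b.WriteByte('\r')
		case 't':
			b.WriteByte('\t')
		case 'b':
			b.WriteByte('\b')
		case 'f':
			b.WriteByte('\f')
		default:
			return "", fmt.Errorf("unknown escape \\%c in %q", body[i], lit)
		}
	}
	return b.String(), nil
}

// hasNameStep renders g.V().has("name", <escaped value>) the way the test case
// above expects it.
func hasNameStep(value string) string {
	return "g.V().has(\"name\"," + escapeGremlinString(value) + ")"
}

func main() {
	fmt.Println(hasNameStep("\"marko\n\r\t\b\f\""))
	fmt.Println(isSingleQuotedLiteral(naiveLiteral(`mar"ko`)), isSingleQuotedLiteral(escapeGremlinString(`mar"ko`)))
}
```

The property worth keeping in a driver's test suite is the one `isSingleQuotedLiteral` checks rather than any particular list of sample inputs: whatever the value, the rendered argument must remain exactly one quoted literal, and the escaped form must decode back to the original value.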
--
This message was sent by Atlassian Jira (v8.20.10#820010)