
Simple-Search does not find products with a dash e.g. "foo-bar" #881

Closed
xthk opened this issue Feb 11, 2019 · 8 comments

@xthk
Contributor

xthk commented Feb 11, 2019

Issue Type

  • Bug
  • Enhancement

Description

If a search term includes a dash "-" simple search does not show a matching product.

Example: /simple_search?query=foo-bar

If there is a finding with that name, it is found.

If the issue is a bug, please also include the following:

Operating System

Ubuntu 16.04

Install

  • setup.bash
  • docker
  • custom

DefectDojo Version

1.5.2

Steps to Reproduce

  • Create a product named "foo-bar"
  • Insert "foo-bar" into "simple search": /simple_search?query=foo-bar
@propersam
Contributor

I wanted to fix this issue, and then I saw the line that cleans the input before sending query to database.

This is not an error. It happens for security's sake. If '-' is allowed in simple_search, it's going to be vulnerable to SQL injection.

@propersam
Contributor

But I think a hyphen ('-') should never have been allowed as a valid string for a product name in the first place. This still poses some potential (less likely) second-order injection vulnerability.

@propersam
Contributor

@aaronweaver can I implement stripping off '-' (or replacing '-' with '_') before storing the product name, for the sake of avoiding this issue with simple_search?

'_' works just fine with product name

@aaronweaver
Contributor

Hi @propersam, I'd rather figure out how to do it in the search. I'd look up Watson for Python and figure out how to escape that. I'm pretty sure we can't be the only ones.

```python
# Excerpt from the DefectDojo simple search view: the search term is
# cleaned first and then handed to django-watson, restricted to the
# products the requesting user is authorized to see.
products = watson.search(clean_query, models=(
    Product.objects.filter(authorized_users__in=[
        request.user]),))
```
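
An added illustration of the two approaches discussed in this thread, written for this page and not taken from DefectDojo or django-watson: a blocklist-style cleaner that strips '-' (the hypothetical `strip_sanitize` below stands in for the real `clean_query` step, whose code is not shown here) silently turns "foo-bar" into "foobar" and so finds nothing, whereas passing the raw term as a bound parameter keeps the hyphen, treats SQL comment tokens as ordinary characters, and only needs the LIKE wildcards `%` and `_` escaped. The product names and descriptions are constructed to mirror the ones reported in the thread; the database is an in-memory SQLite table rather than DefectDojo's models.

```python
import sqlite3

# Constructed sample data mirroring the product names mentioned in the thread.
SAMPLE_PRODUCTS = [
    ("foo-bar", "For use with search"),
    ("dash-product", "For use with search"),
    ("eindhoven-airport", "Airport inventory"),
    ("plain", "No hyphen here"),
]


def make_db():
    """Create an in-memory product table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO product (name, description) VALUES (?, ?)", SAMPLE_PRODUCTS
    )
    return conn


def strip_sanitize(term):
    """Hypothetical blocklist cleaner: drop characters that look like SQL syntax.

    This is the kind of cleaning that makes 'foo-bar' unfindable, because the
    stored name still contains the hyphen but the query no longer does.
    """
    return "".join(ch for ch in term if ch not in "-'\";")


def search_stripped(conn, term):
    """Search after blocklist cleaning; hyphenated names can never match."""
    pattern = "%" + strip_sanitize(term) + "%"
    rows = conn.execute(
        "SELECT name FROM product WHERE name LIKE ?", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(term):
    """Escape only the LIKE metacharacters so user input matches literally.

    A hyphen has no meaning in LIKE patterns and is passed through unchanged.
    """
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_parameterized(conn, term):
    """Search with the term bound as a parameter: hyphens and SQL comment
    tokens are plain data, and wildcards are escaped rather than stripped."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT name FROM product "
        "WHERE name LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\'",
        (pattern, pattern),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("stripped      foo-bar ->", search_stripped(db, "foo-bar"))
    print("parameterized foo-bar ->", search_parameterized(db, "foo-bar"))
    print("parameterized search  ->", search_parameterized(db, "search"))
    print("parameterized 'foo-bar -- x' ->", search_parameterized(db, "foo-bar -- x"))
```

The last call shows the point of binding: a term containing the SQL comment token `--` is neither an error nor a query change, it is simply a literal that matches no product. Escaping `_` also matters, since an unescaped underscore in "dash_product" would act as a single-character wildcard and match "dash-product".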

@madchap
Contributor

madchap commented Apr 27, 2019

Could it be related to etianen/django-watson#223 ?

@devEricA-zz

I think this is indeed related to etianen/django-watson#223. When I was investigating this issue, I created two products, dash-product and foo-bar, giving each one the description "For use with search". Using the simple search to pull up these two products gave unexpected results: typing foo-bar in the search bar failed to pull up the product foo-bar, but typing dash-product in the search bar successfully pulled up the product dash-product. To further complicate things, typing search in the search bar successfully pulled up both products (intended, since both products had search in their description).

@stale

stale bot commented Oct 20, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 20, 2019
@stale stale bot closed this as completed Oct 27, 2019
@valentijnscholten
Member

In #2861 I am working on some search improvements and am trying to make this work, but MySQL is really weird regarding hyphens; also see etianen/django-watson#237.
However, in the current WIP version of my PR I can find products called eindhoven-airport, for example. Basically foo-bar is the only example I can find that is not working 🤔
