Fix SQLite LIKE wildcard escaping in IP filter queries

- Add escape_like() helper to escape % and _ wildcards in LIKE queries - Update fail2ban_db_repo.get_history_page() to use escaping - Update history_archive_repo.get_archived_history() to use escaping - Add ESCAPE clause to all LIKE queries - Add comprehensive unit tests for escape_like function - Add integration tests for LIKE wildcard handling - Document LIKE escaping best practices in Backend-Development.md Fixes TASK-017: Prevent unintended LIKE matches when IP filter contains special characters like underscore or percent sign. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 14:07:49 +02:00
parent 94bdabe622
commit 667ab674ca
7 changed files with 234 additions and 4 deletions
--- a/backend/app/repositories/fail2ban_db_repo.py
+++ b/backend/app/repositories/fail2ban_db_repo.py
@@ -15,6 +15,8 @@ from typing import TYPE_CHECKING

 import aiosqlite

+from app.utils.fail2ban_db_utils import escape_like
+
 if TYPE_CHECKING:
    from collections.abc import Iterable

@@ -321,8 +323,8 @@ async def get_history_page(
        params.append(jail)

    if ip_filter is not None:
-        wheres.append("ip LIKE ?")
-        params.append(f"{ip_filter}%")
+        wheres.append("ip LIKE ? ESCAPE '\\'")
+        params.append(f"{escape_like(ip_filter)}%")

    origin_clause, origin_params = _origin_sql_filter(origin)
    if origin_clause:
--- a/backend/app/repositories/history_archive_repo.py
+++ b/backend/app/repositories/history_archive_repo.py
@@ -10,6 +10,7 @@ import datetime
 from typing import TYPE_CHECKING, Any

 from app.models.ban import BLOCKLIST_JAIL, BanOrigin
+from app.utils.fail2ban_db_utils import escape_like

 if TYPE_CHECKING:
    import aiosqlite
@@ -76,8 +77,8 @@ async def get_archived_history(
            wheres.append(f"ip IN ({placeholder})")
            params.extend(ip_filter)
        else:
-            wheres.append("ip LIKE ?")
-            params.append(f"{ip_filter}%")
+            wheres.append("ip LIKE ? ESCAPE '\\'")
+            params.append(f"{escape_like(ip_filter)}%")

    if origin == "blocklist":
        wheres.append("jail = ?")
--- a/backend/app/utils/fail2ban_db_utils.py
+++ b/backend/app/utils/fail2ban_db_utils.py
@@ -6,6 +6,21 @@ import json
 from datetime import UTC, datetime


+def escape_like(s: str) -> str:
+    """Escape SQLite LIKE wildcard characters in a string.
+
+    SQLite's LIKE operator treats % (any sequence) and _ (any single char) as
+    wildcards. This function escapes them to prevent unintended matches.
+
+    Args:
+        s: The string to escape.
+
+    Returns:
+        The escaped string where backslashes, %, and _ are escaped.
+    """
+    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
+
+
 def ts_to_iso(unix_ts: int) -> str:
    """Convert a Unix timestamp to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(unix_ts, tz=UTC).isoformat()