Closed
Description
Besides being a nuisance, I assume this allows injection attacks.
```python
import redis
from redisgraph import Node, Edge, Graph

r = redis.Redis(host='localhost')
redis_graph = Graph('bug', r)

node = Node(label='test', properties={'foo': '"'})
redis_graph.add_node(node)
redis_graph.commit()
```

```
$ ./bug.py
Traceback (most recent call last):
  File "./bug.py", line 11, in <module>
    redis_graph.commit()
  File "/home/sliedes/.virtualenvs/torch/lib/python3.7/site-packages/redisgraph/graph.py", line 96, in commit
    return self.query(query)
  File "/home/sliedes/.virtualenvs/torch/lib/python3.7/site-packages/redisgraph/graph.py", line 130, in query
    response = self.redis_con.execute_command("GRAPH.QUERY", self.name, q, "--compact")
  File "/home/sliedes/.virtualenvs/torch/lib/python3.7/site-packages/redis/client.py", line 901, in execute_command
    return self.parse_response(conn, command_name, **options)
  File "/home/sliedes/.virtualenvs/torch/lib/python3.7/site-packages/redis/client.py", line 915, in parse_response
    response = connection.read_response()
  File "/home/sliedes/.virtualenvs/torch/lib/python3.7/site-packages/redis/connection.py", line 756, in read_response
    raise response
redis.exceptions.ResponseError: errMsg: Invalid input at end of input: expected " line: 1, column: 32, offset: 31 errCtx: CREATE (rffqaxqlml:test{foo:"}) errCtxOffset: 31
```
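
Added example, not part of the original issue and not redisgraph-py's own code: it contrasts an unescaped string literal in a `CREATE` query with an escaped one and checks whether the property value stays inside a single quoted literal. All four helper names are hypothetical, the naive builder is an assumption modelled on the query shape in the `errCtx` above, and the values other than `"` are constructed.

```python
def naive_literal(value):
    # Assumed shape of the failing behaviour: wrap in quotes, escape nothing.
    return '"' + str(value) + '"'


def escaped_literal(value):
    # Escape backslashes first, then double quotes, so a trailing "\" in the
    # value cannot swallow the closing quote of the literal.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_create(alias, label, props, quote):
    # Build CREATE (alias:label{key:<literal>,...}) using the given quoting function.
    body = ",".join(f"{key}:{quote(val)}" for key, val in props.items())
    return f"CREATE ({alias}:{label}{{{body}}})"


def outside_literals(query):
    """Return (text outside double-quoted literals, True if every literal is closed)."""
    out, in_str, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_str and ch == "\\":
            i += 2  # a backslash escapes the next character inside a literal
            continue
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            out.append(ch)
        i += 1
    return "".join(out), not in_str


def check(value, quote):
    # Quote one property value and report what ends up outside string literals.
    return outside_literals(build_create("n", "test", {"foo": value}, quote))


if __name__ == "__main__":
    for value in ('"', '5" monitor', "a\\"):  # constructed sample values
        for quote in (naive_literal, escaped_literal):
            print(quote.__name__, repr(value), check(value, quote))
```

With the naive quoting, part of the value lands outside the literal, where the server parses it as query text; with escaping, only the query skeleton remains outside.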