Escape search terms before using them in a Regex (#3755)

Author: rimas-kudelis

src/Bridge/Doctrine/MongoDbOdm/Filter/SearchFilter.php

@@ -166,20 +166,24 @@ private function addEqualityMatchStrategy(string $strategy, string $field, $valu
     {
         $type = $metadata->getTypeOfField($field);
 
+        if (MongoDbType::STRING !== $type) {
+            return MongoDbType::getType($type)->convertToDatabaseValue($value);
+        }
+
+        $quotedValue = preg_quote($value);
+
         switch ($strategy) {
-            case MongoDbType::STRING !== $type:
-                return MongoDbType::getType($type)->convertToDatabaseValue($value);
             case null:
             case self::STRATEGY_EXACT:
-                return $caseSensitive ? $value : new Regex("^$value$", 'i');
+                return $caseSensitive ? $value : new Regex("^$quotedValue$", 'i');
             case self::STRATEGY_PARTIAL:
-                return new Regex($value, $caseSensitive ? '' : 'i');
+                return new Regex($quotedValue, $caseSensitive ? '' : 'i');
             case self::STRATEGY_START:
-                return new Regex("^$value", $caseSensitive ? '' : 'i');
+                return new Regex("^$quotedValue", $caseSensitive ? '' : 'i');
             case self::STRATEGY_END:
-                return new Regex("$value$", $caseSensitive ? '' : 'i');
+                return new Regex("$quotedValue$", $caseSensitive ? '' : 'i');
             case self::STRATEGY_WORD_START:
-                return new Regex("(^$value.*|.*\s$value.*)", $caseSensitive ? '' : 'i');
+                return new Regex("(^$quotedValue.*|.*\s$quotedValue.*)", $caseSensitive ? '' : 'i');
             default:
                 throw new InvalidArgumentException(sprintf('strategy %s does not exist.', $strategy));
         }

tests/Bridge/Doctrine/Common/Filter/SearchFilterTestTrait.php

@@ -200,6 +200,15 @@ private function provideApplyTestArguments(): array
                     'name' => 'exact',
                 ],
             ],
+            'exact (case insensitive, with special characters)' => [
+                [
+                    'id' => null,
+                    'name' => 'iexact',
+                ],
+                [
+                    'name' => 'exact (special)',
+                ],
+            ],
             'exact (multiple values)' => [
                 [
                     'id' => null,

tests/Bridge/Doctrine/MongoDbOdm/Filter/SearchFilterTest.php

@@ -305,6 +305,20 @@ public function provideApplyTestData(): array
                     ],
                     $filterFactory,
                 ],
+                'exact (case insensitive, with special characters)' => [
+                    [
+                        [
+                            '$match' => [
+                                'name' => [
+                                    '$in' => [
+                                        new Regex('^exact \(special\)$', 'i'),
+                                    ],
+                                ],
+                            ],
+                        ],
+                    ],
+                    $filterFactory,
+                ],
                 'exact (multiple values)' => [
                     [
                         [

tests/Bridge/Doctrine/Orm/Filter/SearchFilterTest.php

@@ -384,6 +384,11 @@ public function provideApplyTestData(): array
                     ['name_p1' => 'exact'],
                     $filterFactory,
                 ],
+                'exact (case insensitive, with special characters)' => [
+                    sprintf('SELECT %s FROM %s %1$s WHERE LOWER(%1$s.name) = LOWER(:name_p1)', $this->alias, Dummy::class),
+                    ['name_p1' => 'exact (special)'],
+                    $filterFactory,
+                ],
                 'exact (multiple values)' => [
                     sprintf('SELECT %s FROM %s %1$s WHERE %1$s.name IN (:name_p1)', $this->alias, Dummy::class),
                     [