From 3ed7b155d30b9f7e6c1938e3f8e8517e68eb753a Mon Sep 17 00:00:00 2001
From: Alessio Gallitano <25105748+galales@users.noreply.github.com>
Date: Tue, 13 Feb 2024 16:29:04 +0100
Subject: [PATCH] PIN-4557: Safer mongodb regex filters (#256)
---
 .../common/readmodel/ReadModelAgreementQueries.scala | 4 ++--
 .../agreementprocess/common/readmodel/ReadModelQuery.scala | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelAgreementQueries.scala b/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelAgreementQueries.scala
index 4f559ec2..3c530d32 100644
--- a/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelAgreementQueries.scala
+++ b/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelAgreementQueries.scala
@@ -200,7 +200,7 @@ object ReadModelAgreementQueries extends ReadModelQuery {
 )(Filters.or)
 
 private def listTenantFilters(name: Option[String]): Bson = {
- val nameFilter = name.map(Filters.regex("tenants.data.name", _, "i"))
+ val nameFilter = name.map(safeRegex("tenants.data.name", _, "i"))
 mapToVarArgs(nameFilter.toList)(Filters.and).getOrElse(Filters.empty())
 }
 
@@ -303,7 +303,7 @@ object ReadModelAgreementQueries extends ReadModelQuery {
 consumersIds: List[String],
 producersIds: List[String]
 ): Bson = {
- val nameFilter = name.map(Filters.regex("eservices.data.name", _, "i"))
+ val nameFilter = name.map(safeRegex("eservices.data.name", _, "i"))
 val consumersIdsFilter = mapToVarArgs(consumersIds.map(Filters.eq("data.consumerId", _)))(Filters.or)
 val producersIdsFilter = mapToVarArgs(producersIds.map(Filters.eq("data.producerId", _)))(Filters.or)
 
diff --git a/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelQuery.scala b/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelQuery.scala
index 857e7b1c..632a5681 100644
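Review bot: The switch to `safeRegex` changes the contract of `name` from a caller-supplied pattern to a literal, case-insensitive substring match, and neither this hunk nor the identical one at @@ -303 says so at the call site; a one-line comment would spare the next reader a trip into `ReadModelQuery`: `// name is escaped by safeRegex: literal, case-insensitive substring match, not a pattern`. Escaping removes the pattern-injection and catastrophic-backtracking risk, but the filter is still an unanchored regex with the `i` option, which MongoDB cannot serve from an index, so the remaining cost lever is the length of `name`; if `name` is not length-bounded upstream, that is worth a check before the query is built. The function containing the second hunk starts outside the hunk, so its name is not visible here.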
--- a/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelQuery.scala
+++ b/src/main/scala/it/pagopa/interop/agreementprocess/common/readmodel/ReadModelQuery.scala
@@ -1,5 +1,12 @@
 package it.pagopa.interop.agreementprocess.common.readmodel
 
+import org.mongodb.scala.bson.conversions.Bson
+import org.mongodb.scala.model.Filters
+
 trait ReadModelQuery {
 def mapToVarArgs[A, B](l: Seq[A])(f: Seq[A] => B): Option[B] = Option.when(l.nonEmpty)(f(l))
+
+ def escape(str: String): String = str.replaceAll("([.*+?^${}()|\\[\\]\\\\])", "\\\\$1")
+ def safeRegex(fieldName: String, pattern: String, options: String): Bson =
+ Filters.regex(fieldName, escape(pattern), options)
 }
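Review bot: `escape` and `safeRegex` land without a unit test and without Scaladoc, although `escape` is now the single place that decides whether user input reaches the PCRE engine as syntax; a spec asserting `escape("a.b*c") == "a\\.b\\*c"` and `escape("plain") == "plain"` would pin the escaped character set against future edits. The class `[.*+?^${}()|\[\]\\]` covers the metacharacters that are special outside a character class, which looks correct for the substring filters built here; `options` is passed through unescaped, so `safeRegex` must only ever receive option flags from code, never from a request, and the Scaladoc should say so. Suggested Scaladoc for `escape`: `/** Backslash-escapes regex metacharacters so that `str` matches itself literally; use via [[safeRegex]] for user-supplied filter values. */`. `replaceAll` compiles the pattern on every call; hoisting it into a `private val` compiled once is a free improvement.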