
Escape agents search filters#403

Open
jsdavid278-cyber wants to merge 2 commits into profullstack:master from jsdavid278-cyber:codex/agents-search-escape

Conversation

@jsdavid278-cyber
Contributor

Fixes agent search filters that interpolate raw q and tag URL values into PostgREST .or(...) strings. Search terms now use the shared PostgREST search escaper, and tag filters escape array-literal syntax before being embedded in skills/ai_tools containment filters.

Validation:

  • vitest run src/lib/queries/agents.test.ts
  • tsc --noEmit

@greptile-apps

greptile-apps Bot commented Jun 4, 2026

Greptile Summary

This PR fixes PostgREST filter injection in the agent search by escaping raw q and tags URL values before they are interpolated into .or() filter strings passed to Supabase.

  • escapePostgrestSearchValue gains * in its escape set, closing the PostgREST wildcard alias (*%) bypass that was present before.
  • escapePostgrestArrayLiteralValue is a new helper that composes the search-value escaper with additional escaping of ", {, and }, preventing array-literal breakout in the skills.cs.{...} / ai_tools.cs.{...} containment filters.
  • Four new unit tests were added, directly addressing the previously flagged coverage gaps for %, \, *, and { edge cases.

Confidence Score: 5/5

Safe to merge — the escaping logic is correct, the chaining order avoids double-escaping, and tests now cover all previously-flagged edge cases.

The two escape functions are implemented correctly: backslashes are handled first in escapePostgrestSearchValue, so the subsequent replacement in escapePostgrestArrayLiteralValue cannot double-escape them. No injection paths remain in the changed code, and the new tests confirm the expected output for each class of special character.

No files require special attention.

Important Files Changed

Filename: Overview
src/lib/security/sanitize.ts: Adds * to the LIKE-wildcard escape set and introduces escapePostgrestArrayLiteralValue by composing the search-value escaper with additional escaping for ", {, and }; logic is sound and ordering is correct.
src/lib/queries/agents.ts: Wires up both new escape helpers — escapePostgrestSearchValue for q and escapePostgrestArrayLiteralValue for each tag — preventing injection into the .or() filter strings.
src/lib/queries/agents.test.ts: Adds four new unit tests covering PostgREST syntax escaping for search terms (including %, \, *) and array literal escaping for tags (including ", }, and {), addressing previously flagged coverage gaps.

Reviews (2): Last reviewed commit: "Cover agents search escape edge cases"
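To make the escaping order described in the review concrete, here is an added example that reconstructs the two helpers from the description above and shows how they would feed an .or() filter string. This is illustrative code, not the project's sanitize.ts or agents.ts; the exact escape set (the _ wildcard in particular), the column names name and description, and the buildAgentSearchFilter helper are assumptions, and quoting of PostgREST's own reserved characters (comma, dot, parentheses) is outside this sketch.

```typescript
// Added example: reconstruction of the escaping scheme described in the PR.
// Not the project's own code; escape sets and column names are assumed.

/** Escape a user search term before it is embedded in a PostgREST ilike pattern. */
function escapePostgrestSearchValue(value: string): string {
  // Backslash first, so the escapes added below are never re-escaped.
  return value
    .replace(/\\/g, "\\\\")
    .replace(/%/g, "\\%")
    .replace(/_/g, "\\_")   // LIKE single-char wildcard (assumed; not listed on the page)
    .replace(/\*/g, "\\*"); // PostgREST treats * as an alias for %
}

/** Escape a tag before it is embedded in a PostgREST array literal {...}. */
function escapePostgrestArrayLiteralValue(value: string): string {
  // Compose with the search escaper first: its backslash handling runs exactly
  // once, and the backslashes introduced here are not doubled afterwards.
  return escapePostgrestSearchValue(value)
    .replace(/"/g, '\\"')
    .replace(/\{/g, "\\{")
    .replace(/\}/g, "\\}");
}

/** Build the .or() filter string for an agent search (hypothetical helper). */
function buildAgentSearchFilter(q: string, tags: string[]): string {
  const parts: string[] = [];
  if (q) {
    const term = escapePostgrestSearchValue(q);
    parts.push(`name.ilike.%${term}%`, `description.ilike.%${term}%`);
  }
  for (const tag of tags) {
    const t = escapePostgrestArrayLiteralValue(tag);
    parts.push(`skills.cs.{${t}}`, `ai_tools.cs.{${t}}`);
  }
  return parts.join(",");
}
```

A tag such as `{x}` becomes `\{x\}` inside the containment filter, and a lone backslash becomes exactly two backslashes whichever helper is applied, which is the double-escaping property the review checks.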

