Aidbox / Issues

Issue tracker for Aidbox FHIR backend by Health Samurai

[BUG] SQL engine interpolation failing on parameter with array index in path #478

Closed gravesee closed 2 years ago

gravesee commented 2 years ago

Describe the bug: Trying to use a ..partOf.0.id parameter in a request. The access policy does not interpolate the parameter value when using the sql engine -- it returns null.

Severity: Major

Steps to reproduce the behavior:

  1. Create simple sql access policy

        test-sql-policy:
          engine: sql
          sql:
            query: |
              select {{params.\.partOf.0.id}}

  2. Send request with .partOf.0.id parameter and __debug=policy:

        curl "http://localhost:8080/?.partOf.0.id=whatever&__debug=policy"

  3. Receive the following response '....'

From the request property in debug response:

       "params": {
            ".partOf.0.id": "whatever",
            "__debug": "policy"
        },

From the evaluated policy in debug response:

        {
            "eval-result": null,
            "query": [
                "select ?\n",
                null
            ],
            "id": "test-sql-policy",
            "policy-id": "test-sql-policy"
        },

Expected behavior: Policy should correctly interpolate the value from the params property of the request.

Versions:

KGOH commented 2 years ago

Hello. You need to escape other . as well:

yaml example:

sql:
  query: select {{params.\.partOf\.0\.id}}
engine: sql

json example:

 "sql": {
  "query": "select {{params.\\.partOf\\.0\\.id}}"
 },
 "engine": "sql",

If escaping is done properly, this works as expected on :edge
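
Added example, not part of the thread and not Aidbox's code: a small Python model of the behaviour discussed above, showing why the half-escaped path binds null while the fully escaped one binds the parameter. It assumes placeholder paths are split on unescaped dots and that `\.` is a literal dot inside a key; all function names are hypothetical and the request is constructed from the debug output in the issue.

```python
import re

# Matches {{ path }} placeholders in a policy query template.
PLACEHOLDER = re.compile(r"\{\{(.+?)\}\}")

def split_path(path):
    """Split on unescaped dots; a backslash-dot pair is a literal dot in a key."""
    segments, current, i = [], [], 0
    while i < len(path):
        if path[i] == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current.append(".")
            i += 2
        elif path[i] == ".":
            segments.append("".join(current))
            current = []
            i += 1
        else:
            current.append(path[i])
            i += 1
    segments.append("".join(current))
    return segments

def resolve(request, segments):
    """Walk the request by segments; any missing step yields None (null)."""
    node = request
    for seg in segments:
        if isinstance(node, dict) and seg in node:
            node = node[seg]
        elif isinstance(node, list) and seg.isdigit() and int(seg) < len(node):
            node = node[int(seg)]
        else:
            return None
    return node

def interpolate(template, request):
    """Replace each placeholder with ? and collect the bound values."""
    values = []
    def bind(match):
        values.append(resolve(request, split_path(match.group(1).strip())))
        return "?"
    return [PLACEHOLDER.sub(bind, template)] + values

def null_bindings(template, request):
    """Return placeholder paths that bind to null for this sample request."""
    return [m.group(1).strip() for m in PLACEHOLDER.finditer(template)
            if resolve(request, split_path(m.group(1).strip())) is None]

# Constructed sample request, shaped like the debug output in the issue.
REQUEST = {"params": {".partOf.0.id": "whatever", "__debug": "policy"}}
```

Running `null_bindings` over each policy template with a representative request before deployment flags placeholders that would bind null.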