Summary
The search_entries function in backend/app/services/database.py executes an FTS5 query using MATCH ? and passes the raw user-supplied query q straight through as the MATCH operand. SQLite's FTS5 engine interprets that operand with its own query syntax. If the string contains an unescaped special character (for example an unclosed double quote " or a stray *), SQLite raises OperationalError: fts5: syntax error, which bubbles up to the client as a 500 Internal Server Error.
Impact
Users or attackers can intentionally crash the search endpoint simply by searching for a string like "unclosed, causing application errors.
Proposed Fix
Sanitize the search input q by stripping or escaping FTS5-specific special characters and operators (e.g., ", *, ^, OR, AND) before supplying it to the MATCH query.
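One way to implement the proposed fix, as an added example rather than the project's own code: every whitespace-separated token is turned into an FTS5 quoted phrase (embedded quotes doubled, which is FTS5's string escape rule), so *, ^, parentheses and the bare words OR/AND/NOT lose their operator meaning. The function names and the in-memory demo table are assumptions for illustration.

```python
import re
import sqlite3

# Example code, not from the project. Names are hypothetical.
_TOKEN_RE = re.compile(r"\S+")


def sanitize_fts5_query(q: str) -> str:
    """Rewrite raw user input as an FTS5 query made only of quoted phrases.

    Each token is wrapped in double quotes with any embedded quote doubled,
    FTS5's escape rule for strings. Inside a quoted string, characters like
    *, ^, ( ) and the words OR, AND, NOT are plain text, so the result can
    no longer trigger 'fts5: syntax error'. Adjacent phrases are implicitly
    ANDed. Tokens with no alphanumeric character (e.g. '***') are dropped so
    no empty phrase is produced. Returns "" when nothing usable is left;
    callers should skip the MATCH in that case.
    """
    tokens = [t for t in _TOKEN_RE.findall(q) if any(c.isalnum() for c in t)]
    return " ".join('"' + t.replace('"', '""') + '"' for t in tokens)


def search_demo(raw_q: str) -> list:
    """Run MATCH against a constructed in-memory FTS5 table (demo data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE VIRTUAL TABLE entries USING fts5(title, body)")
    con.executemany(
        "INSERT INTO entries VALUES (?, ?)",
        [("first note", "an unclosed quote breaks search"),
         ("second note", "nothing special here")],
    )
    safe_q = sanitize_fts5_query(raw_q)
    if not safe_q:
        return []
    rows = con.execute(
        "SELECT title FROM entries WHERE entries MATCH ?", (safe_q,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # The raw string from the report would raise OperationalError if bound
    # directly; the sanitized form is a literal phrase and matches normally.
    try:
        print(sanitize_fts5_query('"unclosed'), search_demo('"unclosed'))
    except sqlite3.OperationalError as exc:  # e.g. SQLite built without FTS5
        print("FTS5 demo unavailable:", exc)
```

Quoting everything also disables prefix searches; if those are wanted, the `*` must be appended outside the closing quote of a phrase rather than passed through from user input.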