fledge-iot · gnandan · Jan 3, 2025 · Jul 29, 2024 · Aug 13, 2024 · Sep 13, 2024
diff --git a/C/common/asset_tracking.cpp b/C/common/asset_tracking.cpp
@@ -11,6 +11,7 @@
 #include <logger.h>
 #include <asset_tracking.h>
 #include <config_category.h>
+#include "string_utils.h"
 
 using namespace std;
 
@@ -228,6 +229,7 @@ void AssetTracker::addAssetTrackingTuple(string plugin, string asset, string eve
 
 	}
 
+	asset = escape(asset);
 	AssetTrackingTuple tuple(m_service, plugin, asset, event);
 	addAssetTrackingTuple(tuple);
 }

diff --git a/C/common/datapoint.cpp b/C/common/datapoint.cpp
@@ -331,6 +331,14 @@ int bscount = 0;
 	{
 		if (str[i] == '\\')
 		{
+			if (i + 1 < str.length() && (str[i + 1] == '"' || str[i + 1] == '\\' || str[i + 1] == '/'|| str[i-1] == '\\'))
+			{
+				rval += '\\';
+			}
+			else
+			{
+				rval += "\\\\";
+			}
 			bscount++;
 		}
 		else if (str[i] == '\"')
@@ -339,13 +347,14 @@ int bscount = 0;
 			{
 				rval += "\\";	// Add escape of "
 			}
+			rval += str[i];
 			bscount = 0;
 		}
 		else
 		{
+			rval += str[i];
 			bscount = 0;
 		}
-		rval += str[i];
 	}
 	return rval;
 }

diff --git a/C/common/include/datapoint.h b/C/common/include/datapoint.h
@@ -18,6 +18,7 @@
 #include <dpimage.h>
 #include <databuffer.h>
 #include <rapidjson/document.h>
+#include "string_utils.h"
 
 class Datapoint;
 /**
@@ -325,7 +326,7 @@ class Datapoint {
 		 */
 		std::string	toJSONProperty()
 		{
-			std::string rval = "\"" + m_name + "\":";
+			std::string rval = "\"" + escape(m_name) + "\":";
 			rval += m_value.toString();
 
 			return rval;

diff --git a/C/common/include/string_utils.h b/C/common/include/string_utils.h
@@ -46,5 +46,10 @@ bool IsRegex(const std::string &str);
 std::string StringAround(const std::string& str, unsigned int pos,
 		unsigned int after = 30, unsigned int before = 10);
 
+void replicate(std::string& StringToManage,
+					  const std::string& StringToSearch,
+					  const std::string& StringReplicate);
+
+std::string	escape(const std::string& str);
 
 #endif
diff --git a/C/common/reading.cpp b/C/common/reading.cpp
@@ -548,6 +548,14 @@ int bscount = 0;
 	{
 		if (str[i] == '\\')
 		{
+			if (i + 1 < str.length() && (str[i + 1] == '"' || str[i + 1] == '\\' || str[i + 1] == '/' || str[i-1] == '\\'))
+			{
+				rval += '\\';
+			}
+			else
+			{
+				rval += "\\\\";
+			}
 			bscount++;
 		}
 		else if (str[i] == '\"')
@@ -556,13 +564,14 @@ int bscount = 0;
 			{
 				rval += "\\";	// Add escape of "
 			}
+			rval += str[i];
 			bscount = 0;
 		}
 		else
 		{
+			rval += str[i];
 			bscount = 0;
 		}
-		rval += str[i];
 	}
 	return rval;
 }

diff --git a/C/common/string_utils.cpp b/C/common/string_utils.cpp
@@ -462,3 +462,71 @@ std::string StringAround(const std::string& str, unsigned int pos,
 	size_t	len = before + after;
 	return str.substr(start, len);
 }
+
+/**
+ * Replicate a character/substring within an string
+ *
+ * @param out StringToManage    string in which apply the search and replicate
+ * @param     StringToSearch    string to search and replicate
+ * @param     StringReplicate  substitution string
+ *
+ */
+void replicate(std::string& StringToManage,
+					  const std::string& StringToSearch,
+					  const std::string& StringReplicate)
+{
+	size_t pos = 0;
+	while ((pos = StringToManage.find(StringToSearch, pos)) != std::string::npos)
+	{
+		StringToManage.replace(pos, StringToSearch.length(), StringReplicate);
+		pos += StringReplicate.length(); // Move past the last replaced substring
+	}
+
+}
+
+/**
+ * Escape double quotes, forward and backword slash
+ *
+ * @param str	The string to escape
+ * @return The escaped string
+ */
+std::string	escape(const std::string& str)
+{
+	size_t pos = 0;
+	if (str.find("\"", pos) == std::string::npos && str.find("\\", pos) == std::string::npos && str.find("/", pos) == std::string::npos)
+		return str; //return if none of the following character exists '"' , "\" , "/"
+
+	std::string rval;
+	int bscount = 0;
+	for (size_t i = 0; i < str.length(); i++)
+	{
+		if (str[i] == '\\')
+		{
+			if (i + 1 < str.length() && (str[i + 1] == '"' || str[i + 1] == '\\' || str[i + 1] == '/' || str[i-1] == '\\'))
+			{
+				rval += '\\';
+			}
+			else
+			{
+				rval += "\\\\";
+			}
+			bscount++;
+		}
+		else if (str[i] == '\"')
+		{
+			if ((bscount & 1) == 0) // not already escaped
+			{
+				rval += "\\"; // Add escape of "
+			}
+			rval += str[i];
+			bscount = 0;
+		}
+		else
+		{
+			rval += str[i];
+			bscount = 0;
+		}
+	}
+	return rval;
+}
+
diff --git a/C/plugins/storage/postgres/connection.cpp b/C/plugins/storage/postgres/connection.cpp
@@ -29,6 +29,7 @@
 #include <sys/time.h>
 
 #include "json_utils.h"
+#include "string_utils.h"
 
 #include <iostream>
 #include <chrono>
@@ -1336,7 +1337,7 @@ SQLBuffer	sql;
 						value.Accept(writer);
 
 						std::string buffer_escaped = "\"";
-						buffer_escaped.append(escape_double_quotes(buffer.GetString()));
+						buffer_escaped.append(escape_double_quotes(escape(buffer.GetString())));
 						buffer_escaped.append( "\"");
 
 						sql.append('\'');
@@ -1691,7 +1692,11 @@ bool 		add_row = false;
 
 			// Handles - asset_code
 			sql.append(",\'");
-			sql.append(asset_code);
+			std::string escaped_asset(asset_code);
+			std::string target ="'";
+			std::string replacement ="''";
+			replicate(escaped_asset, target, replacement);
+			sql.append(escaped_asset);
 			sql.append("', '");
 
 			// Handles - reading

diff --git a/C/plugins/storage/sqlite/common/connection.cpp b/C/plugins/storage/sqlite/common/connection.cpp
@@ -1338,7 +1338,7 @@ std::size_t arr = data.find("inserts");
 					}
 					else
 					{	
-						sqlite3_bind_text(stmt, columID, escape(str).c_str(), -1, SQLITE_TRANSIENT);
+						sqlite3_bind_text(stmt, columID, str, -1, SQLITE_TRANSIENT);
 					}
 				}
 				else if (itr->value.IsDouble()) {
@@ -1742,7 +1742,7 @@ bool		allowZero = false;
 						Writer<StringBuffer> writer(buffer);
 						value.Accept(writer);
 						sql.append('\'');
-						sql.append(buffer.GetString());
+						sql.append(escape(buffer.GetString()));
 						sql.append('\'');
 					}
 					sql.append(")");

diff --git a/C/plugins/storage/sqlite/common/readings_catalogue.cpp b/C/plugins/storage/sqlite/common/readings_catalogue.cpp
@@ -20,6 +20,7 @@
 #include <sqlite_common.h>
 #include "readings_catalogue.h"
 #include <purge_configuration.h>
+#include "json_utils.h"
 
 using namespace std;
 using namespace rapidjson;
@@ -2025,7 +2026,10 @@ ReadingsCatalogue::tyReadingReference  ReadingsCatalogue::getReadingReference(Co
 
 	string msg;
 	bool success;
-
+	std::string escaped_asset = std::string(asset_code);
+	std::string target ="\"";
+	std::string replacement ="\"\"";
+	replicate(escaped_asset, target, replacement);
 	int startReadingsId;
 	tyReadingsAvailable readingsAvailable;
 
@@ -2153,14 +2157,14 @@ ReadingsCatalogue::tyReadingReference  ReadingsCatalogue::getReadingReference(Co
 						"INSERT INTO  " READINGS_DB ".asset_reading_catalogue (table_id, db_id, asset_code) VALUES  ("
 						+ to_string(ref.tableId) + ","
 						+ to_string(ref.dbId) + ","
-						+ "\"" + asset_code + "\")";
+						+ "\"" + escaped_asset + "\")";
 
 						Logger::getLogger()->debug("getReadingReference - allocate a new reading table for the asset '%s' db Id %d readings Id %d ", asset_code, ref.dbId, ref.tableId);
 
 				}
 				else
 				{
-					sql_cmd = 	" UPDATE " READINGS_DB ".asset_reading_catalogue SET asset_code ='" + string(asset_code) + "'" +
+					sql_cmd = 	" UPDATE " READINGS_DB ".asset_reading_catalogue SET asset_code ='" + string(escaped_asset) + "'" +
 									" WHERE db_id = " + to_string(ref.dbId) + " AND table_id = " + to_string(ref.tableId) + ";";
 
 					Logger::getLogger()->debug("getReadingReference - Use empty table %readings_%d_%d: ",ref.dbId,ref.tableId);
@@ -2539,6 +2543,9 @@ string  ReadingsCatalogue::sqlConstructMultiDb(string &sqlCmdBase, vector<string
 
 				dbName = generateDbName(item.second.getDatabase());
 				dbReadingsName = generateReadingsName(item.second.getDatabase(), item.second.getTable());
+				std::string target ="\"";
+				std::string replacement ="\"\"";
+				replicate(assetCode, target, replacement);
 
 				StringReplaceAll(sqlCmdTmp, "_assetcode_", assetCode);
 				StringReplaceAll (sqlCmdTmp, ".assetcode.", "asset_code");

diff --git a/C/plugins/storage/sqlitelb/common/connection.cpp b/C/plugins/storage/sqlitelb/common/connection.cpp
@@ -1453,7 +1453,7 @@ std::size_t arr = data.find("inserts");
 					}
 					else
 					{	
-						sqlite3_bind_text(stmt, columID, escape(str).c_str(), -1, SQLITE_TRANSIENT);
+						sqlite3_bind_text(stmt, columID, str, -1, SQLITE_TRANSIENT);
 					}
 				}
 				else if (itr->value.IsDouble()) {
@@ -1854,7 +1854,7 @@ vector<string>  asset_codes;
 						Writer<StringBuffer> writer(buffer);
 						value.Accept(writer);
 						sql.append('\'');
-						sql.append(buffer.GetString());
+						sql.append(escape(buffer.GetString()));
 						sql.append('\'');
 					}
 					sql.append(")");

diff --git a/C/services/south/ingest.cpp b/C/services/south/ingest.cpp
@@ -13,6 +13,7 @@
 #include <thread>
 #include <logger.h>
 #include <set>
+#include "string_utils.h"
 #include <ingest_rate.h>
 
 using namespace std;
@@ -622,6 +623,7 @@ void Ingest::processQueue()
 				{
 					Reading *reading = *it;
 					string assetName = reading->getAssetName();
+					assetName = escape(assetName);
                                         const std::vector<Datapoint *> dpVec = reading->getReadingData();
 					std::string temp;
 					std::set<std::string> tempSet;
@@ -870,6 +872,7 @@ void Ingest::processQueue()
 				{
 		               	        Reading *reading = *it;
 					string	assetName = reading->getAssetName();
+					assetName = escape(assetName);
 					const std::vector<Datapoint *> dpVec = reading->getReadingData();
 					std::string temp;
                                         std::set<std::string> tempSet;

diff --git a/C/tasks/statistics_history/stats_history.cpp b/C/tasks/statistics_history/stats_history.cpp
@@ -12,6 +12,7 @@
 #include <csignal>
 #include <time.h>
 #include <sys/time.h>
+#include "string_utils.h"
 
 #define DATETIME_MAX_LEN 52
 #define MICROSECONDS_FORMAT_LEN	10
@@ -137,7 +138,8 @@ void StatsHistory::processKey(const std::string& key, std::vector<InsertValues>
 	// Insert the row into the statistics history
 	// create an object of InsertValues and push in historyValues vector
 	// for batch insertion
-	iValue.push_back(InsertValue("key", key.c_str()));
+	string escaped_key = escape(key);
+	iValue.push_back(InsertValue("key", escaped_key));
 	iValue.push_back(InsertValue("value", val - prev));
 	iValue.push_back(InsertValue("history_ts", dateTimeStr));
 
@@ -147,7 +149,7 @@ void StatsHistory::processKey(const std::string& key, std::vector<InsertValues>
 	// create an object of InsertValue and push in updateValues vector
 	// for batch updation
 	InsertValue *updateValue = new InsertValue("previous_value", val);
-	Where *wKey = new Where("key", Equals, key);
+	Where *wKey = new Where("key", Equals, escaped_key);
 	updateValues.emplace_back(updateValue, wKey);
 }