From 0d7b979d23c2380c36cb3d1c6f4280def29a18e9 Mon Sep 17 00:00:00 2001
From: Platform Fix Bot
Date: Mon, 19 Jan 2026 21:53:41 +0400
Subject: [PATCH] fix: escape SQL LIKE special characters in search_similar

The path parameter in search_similar was directly concatenated into the LIKE pattern without escaping special characters (%, _, \). This allowed attackers to manipulate query behavior by injecting wildcards. This fix escapes backslash, percent, and underscore characters before constructing the LIKE pattern, preventing unintended path matching. Fixes PlatformNetwork/bounty-challenge#62
---
 src/core/db.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/core/db.rs b/src/core/db.rs
index 080e586..b54484a 100644
--- a/src/core/db.rs
+++ b/src/core/db.rs
@@ -159,7 +159,12 @@ impl Database {
         limit: usize,
     ) -> Result> {
         let path_prefix_str = path_prefix.to_string_lossy();
-        let like_pattern = format!("{}%", path_prefix_str);
+        // Escape SQL LIKE special characters to prevent query manipulation
+        let escaped = path_prefix_str
+            .replace('\\', "\\\\")
+            .replace('%', "\\%")
+            .replace('_', "\\_");
+        let like_pattern = format!("{}%", escaped);
 
         let mut stmt = self.conn.prepare(
             r"SELECT c.id, c.file_id, f.path, c.content, c.start_line, c.end_line, c.embedding
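Review bot: The added escaping only neutralises wildcards if the LIKE clause that consumes `like_pattern` declares backslash as its escape character, and that clause lies past the end of the hunk so it cannot be confirmed here; if the backing store is SQLite (the `self.conn.prepare` style suggests so) and no `ESCAPE` clause is present, `\` is an ordinary character, `\%` still acts as a wildcard, and any prefix containing `_` or `\` (common in file names and Windows paths) stops matching its own files. Make sure the query reads `WHERE f.path LIKE ?1 ESCAPE '\'` (with whatever placeholder it uses), and add a test with a prefix such as `src/my_mod` that pins both the literal match and the absence of wildcard expansion. A simpler alternative that needs no escaping at all is a plain prefix comparison, e.g. `WHERE substr(f.path, 1, length(?1)) = ?1`. Note also that `to_string_lossy()` on the preceding context line replaces invalid UTF-8 with U+FFFD, so such prefixes can never match stored paths; a comment like `// lossy: prefixes with invalid UTF-8 will not match any stored path` would save the next reader a surprise. The enclosing `search_similar` both starts and ends outside the hunk.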