From cc347e389ab4af65abe1559ff7685ea281459cc4 Mon Sep 17 00:00:00 2001
From: wangruidong <940853815@qq.com>
Date: Thu, 26 Feb 2026 17:32:40 +0800
Subject: [PATCH] fix: Loki LogQL Injection
---
 apps/terminal/mixin.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/apps/terminal/mixin.py b/apps/terminal/mixin.py
index 6a697527d..c35440bd4 100644
--- a/apps/terminal/mixin.py
+++ b/apps/terminal/mixin.py
@@ -1,4 +1,5 @@
 import os
+import re
 from django.utils.translation import get_language
@@ -15,11 +16,23 @@ class LokiMixin:
 return get_loki_client()
 @staticmethod
- def create_loki_query(components, search):
+ def _escape_loki_regex(value):
+ # 转义 \ " { } | = ~ ! 等 LogQL stream selector 特殊字符
+ return re.sub(r'([\\"{}\[\]|=~!()])', r"\\\1", str(value))
+
+ @staticmethod
+ def _escape_loki_filter(value):
+ # 转义 line filter 中的 \ 和 " 防止逃逸
+ return str(value).replace("\\", "\\\\").replace('"', '\\"')
+
+ @classmethod
+ def create_loki_query(cls, components, search):
 stream_selector = '{component!=""}'
 if components:
- stream_selector = '{component=~"%s"}' % components
- query = f'{stream_selector} |="{search}"'
+ escaped = cls._escape_loki_regex(components)
+ stream_selector = '{component=~"%s"}' % escaped
+ escaped_search = cls._escape_loki_filter(search)
+ query = f'{stream_selector} |="{escaped_search}"'
 return query
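Review bot: `_escape_loki_regex` puts a single backslash in front of `| = ~ ! { } [ ] ( )`, but the value it produces is interpolated into `'{component=~"%s"}'` as a double-quoted LogQL string literal, which as far as I can tell follows Go string-literal rules and only accepts escapes such as `\\`, `\"`, `\n`, `\uXXXX`; a bare `\|` or `\=` is therefore likely to be rejected as a syntax error rather than reach the regex engine as an escaped metacharacter, while the real regex metacharacters `. ^ $ * + ?` are not escaped at all, so `=~` still matches more than the literal name. The escaping needs two layers, regex metacharacters first and then the string-literal layer, e.g. `escaped = re.sub(r'([\\.^$*+?()\[\]{}|])', r'\\\1', str(value))` followed by `return escaped.replace('\\', '\\\\').replace('"', '\\"')`. After that the `=~` selector matches exactly one literal component name; if callers pass a `|`-joined list of names (the callers are outside this hunk), the join should happen here after escaping each name, otherwise the patch silently breaks multi-component filtering. The two new inline comments are in Chinese while the surrounding code is English; a short English comment such as `# Two layers: regex metacharacters, then the double-quoted LogQL literal` would help the next reader.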