From 4a825bc76b668951923c57aaff1020c3892f8de2 Mon Sep 17 00:00:00 2001
From: Jan <59206115+Threated@users.noreply.github.com>
Date: Wed, 11 Jan 2023 10:19:29 +0100
Subject: [PATCH] String cleanse (#2548)

* Fixed string escape and added tests

* Add Change

* Name change
---
 CHANGES                   | 1 +
 redis/commands/helpers.py | 1 +
 tests/test_graph.py       | 2 +-
 tests/test_helpers.py     | 6 ++++++
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index fca8d3168e..02daf5ee4c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,4 @@
+    * Fix string cleanse in Redis Graph
     * Make PythonParser resumable in case of error (#2510)
     * Add `timeout=None` in `SentinelConnectionManager.read_response`
     * Documentation fix: password protected socket connection (#2374)
diff --git a/redis/commands/helpers.py b/redis/commands/helpers.py
index 6989ab59fa..b65cd1a933 100644
--- a/redis/commands/helpers.py
+++ b/redis/commands/helpers.py
@@ -115,6 +115,7 @@ def quote_string(v):
     if len(v) == 0:
         return '""'
 
+    v = v.replace("\\", "\\\\")
     v = v.replace('"', '\\"')
 
     return f'"{v}"'
diff --git a/tests/test_graph.py b/tests/test_graph.py
index d71df48688..4721b2f4e2 100644
--- a/tests/test_graph.py
+++ b/tests/test_graph.py
@@ -124,7 +124,7 @@ def test_path(client):
 
 @pytest.mark.redismod
 def test_param(client):
-    params = [1, 2.3, "str", True, False, None, [0, 1, 2]]
+    params = [1, 2.3, "str", True, False, None, [0, 1, 2], r"\" RETURN 1337 //"]
     query = "RETURN $param"
     for param in params:
         result = client.graph().query(query, {"param": param})
diff --git a/tests/test_helpers.py b/tests/test_helpers.py
index 359582909f..57a94d2f45 100644
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@@ -80,3 +80,9 @@ def test_quote_string():
     assert quote_string("hello world!") == '"hello world!"'
     assert quote_string("") == '""'
     assert quote_string("hello world!") == '"hello world!"'
+    assert quote_string("abc") == '"abc"'
+    assert quote_string("") == '""'
+    assert quote_string('"') == r'"\""'
+    assert quote_string(r"foo \ bar") == r'"foo \\ bar"'
+    assert quote_string(r"foo \" bar") == r'"foo \\\" bar"'
+    assert quote_string('a"a') == r'"a\"a"'