
fix(banned): validate the filter for fuzzy query

firest 1 год назад
Родитель
Сommit
2636f32e4a

+ 22 - 10
apps/emqx_management/src/emqx_mgmt_api_banned.erl

@@ -282,16 +282,26 @@ list_banned([{As, '=:=', Who}], [], Params) ->
             data => lists:map(fun format/1, Result)
         }}
     end;
-list_banned([], [_Who], Params) ->
-    {200,
-        emqx_mgmt_api:node_query_with_tabs(
-            node(),
-            emqx_banned:tables(),
-            Params,
-            ?BANNED_QSCHEMA,
-            fun ?MODULE:qs2ms/2,
-            fun ?MODULE:format/1
-        )};
+list_banned([], [{_Type, like, Value}], Params) ->
+    case re:compile(Value) of
+        {ok, _} ->
+            {200,
+                emqx_mgmt_api:node_query_with_tabs(
+                    node(),
+                    emqx_banned:tables(),
+                    Params,
+                    ?BANNED_QSCHEMA,
+                    fun ?MODULE:qs2ms/2,
+                    fun ?MODULE:format/1
+                )};
+        {error, {Reason, Pos}} ->
+            {error, #{
+                message => <<"The filter is not a validation regex expression">>,
+                reason => emqx_utils_conv:bin(Reason),
+                position => Pos,
+                filter => Value
+            }}
+    end;
 list_banned(_QS, _FuzzyQS, _Params) ->
     {error, <<"too_many_filters">>}.
 
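Review bot: The new `like` clause only checks that `Value` compiles with `re:compile/1`, and a pattern that compiles can still be very expensive to evaluate. `Value` comes from the request's query string and is presumably matched against every row of the banned tables by the query path, which is outside this hunk. I would reject filters over a fixed byte length before compiling. I would also confirm that the matching side calls `re:run/3` with an explicit `{match_limit, N}` (and `report_errors`), so a pathological pattern fails fast instead of occupying a scheduler. The `{ok, _}` result is discarded, so the pattern is likely compiled a second time later. Separately, `<<"The filter is not a validation regex expression">>` should read `<<"The filter is not a valid regular expression">>`.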
@@ -374,6 +384,8 @@ format(Banned) ->
 
 format_error(Error) when is_binary(Error) ->
     Error;
+format_error(Error) when is_map(Error) ->
+    emqx_utils_json:encode(Error);
 format_error(Reason) ->
     ErrorReason = io_lib:format("~p", [Reason]),
     erlang:iolist_to_binary(ErrorReason).
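Review bot: The added `is_map` clause of `format_error/1` is undocumented and accepts any map, while the only map visibly produced is the regex-validation error, which echoes the caller-supplied `filter => Value`. A comment above the clause would help, for example `%% Structured errors (e.g. an invalid regex filter) are returned as a JSON-encoded binary`. Because the map carries request-controlled bytes, it is worth confirming that `emqx_utils_json:encode/1` tolerates non-UTF-8 input rather than raising, so a malformed filter yields the intended error and not a crash in the error path.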

+ 4 - 0
apps/emqx_management/test/emqx_mgmt_api_banned_SUITE.erl

@@ -339,6 +339,10 @@ t_list_with_filters(_) ->
     test_for_list("like_peerhost_net=192.168", [<<"192.168.0.0/16">>]),
     test_for_list("like_peerhost_net=192.166", []),
 
+    %% with control characters
+    test_for_list("like_clientid=" ++ uri_string:quote("c\\d"), [<<"c1">>, <<"c2">>]),
+    ?assertMatch({error, _}, list_banned("like_clientid=???")),
+
     %% list all
     test_for_list([], [
         <<"c1">>,
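Review bot: The comment `%% with control characters` is misleading, because `c\d` exercises a regex escape class and `???` an invalid quantifier; `%% with regex metacharacters` would describe the cases accurately. The negative case asserts only `{error, _}`, so it would also pass on an unrelated failure. If the `list_banned` helper exposes the response body, matching on the returned message or position would pin the new validation path. There is no case here for a syntactically valid but oversized or slow-to-evaluate filter, which is the input the validation does not reject. `t_list_with_filters/1` begins and ends outside this hunk.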

+ 4 - 4
rel/i18n/emqx_mgmt_api_banned.hocon

@@ -74,15 +74,15 @@ filter_peerhost.desc:
 """Query the banned objects with an exact IP address."""
 
 filter_like_clientid.desc:
-"""Fuzzy query banned objects with a client ID."""
+"""Fuzzy query banned objects with a regex expression for client ID."""
 
 filter_like_username.desc:
-"""Fuzzy query banned objects with an username."""
+"""Fuzzy query banned objects with a regex expression for username."""
 
 filter_like_peerhost.desc:
-"""Fuzzy query banned objects with an IP address."""
+"""Fuzzy query banned objects with a regex expression for IP address."""
 
 filter_like_peerhost_net.desc:
-"""Fuzzy query banned objects with a CIDR."""
+"""Fuzzy query banned objects with a regex expression for CIDR."""
 
 }