Search API failing due to violation of OWASP rules
The current search query API is failing if the OWASP rules are applied to your Azure Application Gateway WAF.
Here is an example of a search query:
POST https://{{OSDU_HOST}}/api/search/v2/query
with the following search body
{ "kind": "opendes:wks:work-product-component--*:1.0.0", "query": "data.WellboreID:(\"opendes:master-data--Wellbore:1234\" OR \"opendes:master-data--Wellbore:1235\" OR \"opendes:master-data--Wellbore:1236\" OR \"opendes:master-data--Wellbore:1237\")" }
The issue is in the search body of the query.
The usage of -, -- and OR symbol sequences in the OSDU SRN is breaking several OWASP rules.
(Note that you need to search for more than one SRN to break WAF rules).
A workaround is to disable the following OWASP 3.1 rules from the Web Application Firewall.
- 942370 Detects classic SQL injection probings 2/2
- 942430 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
- 942440 SQL Comment Sequence Detected.
An alternative is to replace - characters by the \u002D Unicode escape in the "query" parameter, but there is no substitution for OR (rule 942370 will still fail).
Do you see a better way to handle -, OR and AND in a search query?
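The \u002D workaround above, worked through as an added example (not code from the OSDU project): it builds the search body for a list of constructed wellbore SRNs, escapes the hyphens in the serialized JSON so the raw body no longer contains "--", checks that the API would still decode the same query, and reports which of the sequences named above survive (the OR stays, as the post says). The substitution is applied to the whole serialized body rather than only the "query" field, which covers the "--" in the "kind" value too.

```python
import json

# Constructed sample SRNs (placeholders, not real OSDU records).
WELLBORE_IDS = [
    "opendes:master-data--Wellbore:1234",
    "opendes:master-data--Wellbore:1235",
    "opendes:master-data--Wellbore:1236",
]

# Sequences the post reports as tripping the CRS rules on a search body:
# "--" (SQL comment sequence, 942440) and a boolean "OR" (942370).
SUSPECT_SEQUENCES = ("--", " OR ")


def build_query(field: str, srns: list[str]) -> str:
    """Build the Lucene-style OR query string used in the search body."""
    quoted = " OR ".join(f'"{srn}"' for srn in srns)
    return f"{field}:({quoted})"


def build_body(srns: list[str]) -> dict:
    return {
        "kind": "opendes:wks:work-product-component--*:1.0.0",
        "query": build_query("data.WellboreID", srns),
    }


def encode_body_hyphens(body: dict) -> str:
    """Serialize the body, then replace every '-' in the JSON text with its
    Unicode escape. The result is still valid JSON and decodes to the same
    strings, but the bytes the WAF inspects contain no '-' and so no '--'.
    The replacement must happen after json.dumps: escaping the Python string
    first would make json.dumps emit '\\\\u002D', which decodes to a literal
    backslash sequence instead of a hyphen."""
    return json.dumps(body).replace("-", "\\u002D")


def roundtrip_ok(body: dict) -> bool:
    """True if the hyphen-escaped body decodes back to the original body."""
    return json.loads(encode_body_hyphens(body)) == body


def suspect_sequences_in(raw_body: str) -> list[str]:
    """Which of the sequences named in the post appear in the raw body text."""
    return [seq for seq in SUSPECT_SEQUENCES if seq in raw_body]


if __name__ == "__main__":
    body = build_body(WELLBORE_IDS)
    print("plain body trips on:", suspect_sequences_in(json.dumps(body)))
    print("escaped body trips on:", suspect_sequences_in(encode_body_hyphens(body)))
```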