The startswith condition added to the get workflows query when a workflow_id_prefix is set does not escape underscores (_) in the provided ID prefix. Since _ is a single-character wildcard in SQL LIKE, this leads to dangerously unexpected behaviour (e.g. workflow_id_prefix='user:1_' matching a workflow with ID user:12_34232).
The correct way to build a startswith query from unsanitised input is to let SQLAlchemy escape the LIKE metacharacters (%, _ and the escape character itself):
    # autoescape=True emits LIKE ... ESCAPE '/' with %, _ and / escaped in the prefix
    query = query.where(
        SystemSchema.workflow_status.c.workflow_uuid.startswith(
            input.workflow_id_prefix, autoescape=True
        )
    )
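To see the difference concretely, here is an added example (not code from this issue or the project) that uses Python's built-in sqlite3 module with constructed workflow IDs to emulate the LIKE clause SQLAlchemy emits with and without autoescape; it assumes SQLAlchemy's default escape character '/'.

```python
import sqlite3

# Constructed sample workflow IDs (not from the issue); only the first two
# genuinely start with the prefix "user:1_".
WORKFLOW_IDS = ["user:1_abc", "user:1_", "user:12_34232", "user:1x_9", "user:10%", "user:2_x"]

LIKE_ESCAPE = "/"  # SQLAlchemy's default escape character for autoescape=True


def escape_like_prefix(prefix: str) -> str:
    """Escape %, _ and the escape character itself, as autoescape=True does."""
    return (prefix.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                  .replace("%", LIKE_ESCAPE + "%")
                  .replace("_", LIKE_ESCAPE + "_"))


def _db() -> sqlite3.Connection:
    """In-memory table shaped like workflow_status (only the uuid column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow_status (workflow_uuid TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO workflow_status VALUES (?)", [(w,) for w in WORKFLOW_IDS])
    return conn


def unsafe_prefix_query(prefix: str) -> list[str]:
    """What startswith(prefix) without autoescape emits: raw prefix || '%'."""
    with _db() as conn:
        rows = conn.execute(
            "SELECT workflow_uuid FROM workflow_status "
            "WHERE workflow_uuid LIKE ? || '%' ORDER BY 1", (prefix,))
        return [r[0] for r in rows]


def safe_prefix_query(prefix: str) -> list[str]:
    """What startswith(prefix, autoescape=True) emits: escaped prefix plus ESCAPE."""
    with _db() as conn:
        rows = conn.execute(
            "SELECT workflow_uuid FROM workflow_status "
            "WHERE workflow_uuid LIKE ? || '%' ESCAPE '/' ORDER BY 1",
            (escape_like_prefix(prefix),))
        return [r[0] for r in rows]


def true_prefix_matches(prefix: str) -> list[str]:
    """Reference: a plain string prefix check, which is what the caller meant."""
    return sorted(w for w in WORKFLOW_IDS if w.startswith(prefix))


if __name__ == "__main__":
    print("unsafe:", unsafe_prefix_query("user:1_"))  # over-matches via _ wildcard
    print("safe:  ", safe_prefix_query("user:1_"))    # exact prefix semantics
```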