SONAR-4323 escape special characters % and _
authorSimon Brandhof <simon.brandhof@gmail.com>
Thu, 16 May 2013 10:05:29 +0000 (12:05 +0200)
committerSimon Brandhof <simon.brandhof@gmail.com>
Thu, 16 May 2013 10:05:29 +0000 (12:05 +0200)
sonar-core/src/main/resources/org/sonar/core/user/UserMapper.xml
sonar-core/src/test/java/org/sonar/core/user/UserDaoTest.java
sonar-plugin-api/src/main/java/org/sonar/api/user/UserQuery.java
sonar-plugin-api/src/test/java/org/sonar/api/user/UserQueryTest.java

index adfeea60245a24de5c281eaf073ab83ff11edf1d..c662b2e03a96c97a933065cecf2035f01372bfee 100644 (file)
@@ -43,7 +43,7 @@
         and u.active=${_true}
       </if>
       <if test="searchText != null">
-        and (u.login like #{searchTextSql} or u.name like #{searchTextSql})
+        and (u.login like #{searchTextSql} escape '/' or u.name like #{searchTextSql} escape '/')
       </if>
     </where>
     order by u.name
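Review bot: The choice of `/` as the LIKE escape character on the new `and (...)` line is an implicit contract with the Java side that builds `searchTextSql`, and nothing here says so; the next person to change either side can silently break the other. A short XML comment above the `<if test="searchText != null">` block would make the coupling visible: `<!-- escape char must match the one used by UserQuery#searchTextToSql when it quotes % and _ -->`. Note also that whatever character is chosen here must itself be escaped in the bound value, otherwise a search text containing `/` is reinterpreted as an escape sequence; this hunk does not show that being done. The surrounding `<select>` element starts before and ends after the hunk.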
index a91acd2bd66d80fa95ed91cdd8189ff05ce6f293..186b20eaf56c0e28c2320a619bd640c34c9a433a 100644 (file)
@@ -121,6 +121,17 @@ public class UserDaoTest extends AbstractDaoTestCase {
     assertThat(users.get(0).getLogin()).isEqualTo("sbrandhof");
   }
 
+  @Test
+  public void selectUsersByQuery_escape_special_characters_in_like() throws Exception {
+    setupData("selectUsersByText");
+
+    UserQuery query = UserQuery.builder().searchText("%s%").build();
+    // we expect really a login or name containing the 3 characters "%s%"
+
+    List<UserDto> users = dao.selectUsers(query);
+    assertThat(users).isEmpty();
+  }
+
   @Test
   public void selectGroupByName() {
     setupData("selectGroupByName");
index 027be9f5e60c40e3c11347fc55d2fd3466e2afcb..ddeb58bf01b89a8ed69a6bb1969f88e2762a8206 100644 (file)
@@ -44,7 +44,18 @@ public class UserQuery {
     this.logins = builder.logins;
     this.includeDeactivated = builder.includeDeactivated;
     this.searchText = builder.searchText;
-    this.searchTextSql = (searchText !=null ? "%" + searchText + "%" : null);
+
+    this.searchTextSql = searchTextToSql(searchText);
+  }
+
+  private String searchTextToSql(@Nullable String s) {
+    String sql = null;
+    if (s != null) {
+      sql = StringUtils.replace(s, "%", "/%");
+      sql = StringUtils.replace(sql, "_", "/_");
+      sql = "%" + sql + "%";
+    }
+    return sql;
   }
 
   @CheckForNull
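Review bot: `searchTextToSql` escapes `%` and `_` but never escapes the escape character `/` itself, so a search text containing `/` is mangled: for input `a/` the bound value is `%a/%`, where `/%` is read as a literal `%`, and the user's `/` is lost; for `a/b` the `/b` pair collapses to a literal `b`. The fix is to double the escape character first, before the wildcard replacements, since order matters: `sql = StringUtils.replace(s, "/", "//");` followed by the existing two `replace` calls. The helper also deserves a Javadoc stating that the value is bound through MyBatis as a parameter (so this is LIKE-wildcard neutralisation, not SQL-injection protection) and that the escape character must match the `escape '/'` clause in `UserMapper.xml`. The constructor this hunk edits begins before the hunk.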
index 3cbc5822f1c09661534597d964041704f93c7d6b..d20beb80a87701e396e8dc372a801d674b01f6b2 100644 (file)
@@ -69,9 +69,16 @@ public class UserQueryTest {
   }
 
   @Test
-  public void test_searchText() throws Exception {
+  public void searchText() throws Exception {
     UserQuery query = UserQuery.builder().searchText("sim").build();
     assertThat(query.searchText()).isEqualTo("sim");
     assertThat(query.searchTextSql).isEqualTo("%sim%");
   }
+
+  @Test
+  public void searchText_escape_special_characters_in_like() throws Exception {
+    UserQuery query = UserQuery.builder().searchText("%sim_").build();
+    assertThat(query.searchText()).isEqualTo("%sim_");
+    assertThat(query.searchTextSql).isEqualTo("%/%sim/_%");
+  }
 }
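Review bot: The new `searchText_escape_special_characters_in_like` test does not cover an input containing the escape character, which is the case the implementation currently gets wrong. Adding `assertThat(UserQuery.builder().searchText("a/b").build().searchTextSql).isEqualTo("%a//b%");` would document the intended encoding; it will fail until `searchTextToSql` escapes `/` as well, so it should land together with that change.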