From: Julien Lancelot Date: Thu, 30 Jan 2014 15:30:37 +0000 (+0100) Subject: SONAR-4796 '%' and '_' should be escaped in Name/Key field of the Measures page X-Git-Tag: 4.2~351 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=9bba8b928d84ac3eab8a0ae4172d1bd77bade3ea;p=sonarqube.git SONAR-4796 '%' and '_' should be escaped in Name/Key field of the Measures page
---
diff --git a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
index 23906534131..3033275c5fe 100644
--- a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
+++ b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
@@ -27,9 +27,12 @@ import org.apache.commons.dbutils.DbUtils;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.sonar.core.persistence.Database;
+import org.sonar.core.persistence.dialect.MsSql;
+import org.sonar.core.persistence.dialect.Oracle;
 import org.sonar.core.resource.SnapshotDto;
 
 import javax.annotation.Nullable;
+
 import java.sql.*;
 import java.util.Comparator;
 import java.util.List;
@@ -163,16 +166,18 @@ class MeasureFilterSql {
 private void appendResourceKeyCondition(StringBuilder sb) {
 if (StringUtils.isNotBlank(filter.getResourceKey())) {
 sb.append(" AND UPPER(p.kee) LIKE '%");
- sb.append(StringEscapeUtils.escapeSql(StringUtils.upperCase(filter.getResourceKey())));
+ sb.append(escapePercentAndUnderscrore(StringEscapeUtils.escapeSql(StringUtils.upperCase(filter.getResourceKey()))));
 sb.append("%'");
+ appendEscapeForSomeDb(sb);
 }
 }
 
 private void appendResourceNameCondition(StringBuilder sb) {
 if (StringUtils.isNotBlank(filter.getResourceName())) {
 sb.append(" AND s.project_id IN (SELECT rindex.resource_id FROM resource_index rindex WHERE rindex.kee LIKE '");
- sb.append(StringEscapeUtils.escapeSql(StringUtils.lowerCase(filter.getResourceName())));
+ sb.append(escapePercentAndUnderscrore(StringEscapeUtils.escapeSql(StringUtils.lowerCase(filter.getResourceName()))));
 sb.append("%'");
+ appendEscapeForSomeDb(sb);
 if (!filter.getResourceQualifiers().isEmpty()) {
 sb.append(" AND rindex.qualifier IN ");
 appendInStatement(filter.getResourceQualifiers(), sb);
@@ -214,6 +219,19 @@ class MeasureFilterSql {
 to.append(") ");
 }
 
+ /**
+ * Replace escape percent and underscore by adding a slash just before
+ */
+ private String escapePercentAndUnderscrore(String value){
+ return value.replaceAll("%", "\\\\%").replaceAll("_", "\\\\_");
+ }
+
+ private void appendEscapeForSomeDb(StringBuilder sb){
+ if (database.getDialect().getId().equals(Oracle.ID) || database.getDialect().getId().equals(MsSql.ID)) {
+ sb.append(" ESCAPE '\\'");
+ }
+ }
+
 abstract static class RowProcessor {
 
 abstract Function sortFieldFunction();
diff --git a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
index 26e1a3c1e5f..99947e58009 100644
--- a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
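Review bot: The new `sb.append(escapePercentAndUnderscrore(StringEscapeUtils.escapeSql(...)))` lines in appendResourceKeyCondition and appendResourceNameCondition still splice the user-supplied filter value into the SQL text, so protection of the quoted literal rests entirely on `StringEscapeUtils.escapeSql`, which only doubles single quotes and leaves backslashes alone. If the statement is prepared rather than executed as a raw string, binding the pattern as a `?` parameter would leave only the LIKE-wildcard escaping to do by hand and would not depend on how each dialect treats backslashes inside a string literal. At minimum the nested call deserves a local variable and a comment such as `// escapeSql first (quotes), then LIKE wildcards; ESCAPE clause appended per dialect`. appendResourceNameCondition's body continues past the end of the hunk.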
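Review bot: `escapePercentAndUnderscrore` escapes `%` and `_` but not the escape character itself, even though `appendEscapeForSomeDb` declares `ESCAPE '\'` for Oracle and MsSql; a backslash in the filter value therefore reaches LIKE unescaped, so a trailing `\` becomes a dangling escape (which at least Oracle rejects) and `\_` is read as a literal underscore instead of a backslash followed by any character. Escaping the backslash first fixes this, and `String.replace` avoids the regex-replacement quoting of `replaceAll`: `return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");`. On the dialects where no ESCAPE clause is appended the code presumably relies on backslash being the default LIKE escape character, which is not visible here and is worth a comment on appendEscapeForSomeDb. The method name also misspells underscore (`Underscrore`); renaming it together with its two call sites in the previous hunk would help.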
+++ b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
@@ -33,6 +33,7 @@ import java.sql.SQLException;
 import java.util.Arrays;
 import java.util.List;
 
+import static com.google.common.collect.Lists.newArrayList;
 import static org.fest.assertions.Assertions.assertThat;
 
 public class MeasureFilterExecutorTest {
@@ -462,7 +463,7 @@ public class MeasureFilterExecutorTest {
 }
 
 @Test
- public void filter_by_resource_name() throws SQLException {
+ public void filter_by_component_name() throws SQLException {
 db.prepareDbUnit(getClass(), "shared.xml");
 MeasureFilter filter = new MeasureFilter().setResourceQualifiers(Arrays.asList("TRK")).setResourceName("PHP Proj");
 List rows = executor.execute(filter, new MeasureFilterContext());
@@ -472,7 +473,7 @@ public class MeasureFilterExecutorTest {
 }
 
 @Test
- public void filter_by_resource_key() throws SQLException {
+ public void filter_by_component_key() throws SQLException {
 db.prepareDbUnit(getClass(), "shared.xml");
 MeasureFilter filter = new MeasureFilter().setResourceQualifiers(Arrays.asList("TRK")).setResourceKey("Va_proje");
 List rows = executor.execute(filter, new MeasureFilterContext());
@@ -494,6 +495,22 @@ public class MeasureFilterExecutorTest {
 verifyJavaBigFile(rows.get(0));
 }
 
+ /**
+ * see SONAR-4796
+ */
+ @Test
+ public void escape_percent_and_underscore_when_filter_by_component_name_or_key() throws SQLException {
+ db.prepareDbUnit(getClass(), "escape_percent_and_underscore_when_filter_by_component_name_or_key.xml");
+
+ assertThat(executor.execute(
+ new MeasureFilter().setResourceQualifiers(newArrayList("CLA")).setResourceKey("java_"),
+ new MeasureFilterContext())).hasSize(2);
+
+ assertThat(executor.execute(
+ new MeasureFilter().setResourceQualifiers(newArrayList("CLA")).setResourceName("java%"),
+ new MeasureFilterContext())).hasSize(2);
+ }
+
 @Test
 public void filter_by_base_resource() throws SQLException {
 db.prepareDbUnit(getClass(), "shared.xml");
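Review bot: The new test escape_percent_and_underscore_when_filter_by_component_name_or_key only asserts `hasSize(2)` for `java_` and `java%`, which cannot tell an escaped pattern from an unescaped one unless the fixture also holds rows that match only the bare wildcard; asserting the returned component keys, or adding a negative case such as (constructed example) a fixture row keyed `javax` that must not match `java_`, would pin the behaviour. The `ESCAPE` clause in appendEscapeForSomeDb is only emitted for Oracle and MsSql, so if this test class runs on the embedded database, as the `db.prepareDbUnit` setup suggests, that branch is not exercised here and deserves at least a test on the generated SQL text. The fixture's content is not visible in this view, so the two-row expectation cannot be checked against it.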
diff --git a/sonar-core/src/test/resources/org/sonar/core/measure/MeasureFilterExecutorTest/escape_percent_and_underscore_when_filter_by_component_name_or_key.xml b/sonar-core/src/test/resources/org/sonar/core/measure/MeasureFilterExecutorTest/escape_percent_and_underscore_when_filter_by_component_name_or_key.xml new file mode 100644 index 00000000000..9b8d393278e --- /dev/null +++ b/sonar-core/src/test/resources/org/sonar/core/measure/MeasureFilterExecutorTest/escape_percent_and_underscore_when_filter_by_component_name_or_key.xml @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + +