From 4d26d4ebf4d6101f12b4bb9135e553c6d06e3733 Mon Sep 17 00:00:00 2001
From: Jacek
Date: Tue, 25 Jan 2022 10:28:26 +0100
Subject: [PATCH] SONAR-15825 Escape special characters in like sql query for portfolio projects

---
 .../org/sonar/db/component/ComponentDao.java | 3 ++-
 .../sonar/db/component/ComponentMapper.xml | 10 ++++++++--
 .../sonar/db/component/ComponentDaoTest.java | 20 +++++++++++++++++++
 .../sonar/server/view/index/ViewIndexer.java | 3 +--
 .../server/view/index/ViewIndexerTest.java | 5 +++++
 5 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java
index 027eca54878..bbdaab77678 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java
@@ -257,7 +257,8 @@ public class ComponentDao implements Dao {
 }
 
 public List selectProjectsFromView(DbSession session, String viewUuid, String projectViewUuid) {
- return mapper(session).selectProjectsFromView("%." + viewUuid + ".%", projectViewUuid);
+ var escapedViewUuid = viewUuid.replace("_", "\\_").replace("%", "\\%");
+ return mapper(session).selectProjectsFromView("%." + escapedViewUuid + ".%", projectViewUuid);
 }
 
 /**
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml
index 97198772fbc..c93b10d9771 100644
--- a/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml
@@ -444,14 +444,20 @@ and p.scope = 'PRJ' and p.qualifier in ('VW', 'APP') -
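Review bot: The escaping added in `selectProjectsFromView` handles `_` and `%` but not the escape character itself, so a `viewUuid` that contains a backslash would be read by the LIKE clause as an escape sequence instead of being matched literally; escape it first, `var escapedViewUuid = viewUuid.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%");`. This only works if the mapper query declares the matching `ESCAPE` character explicitly, because the default escape character differs between databases; the ComponentMapper.xml hunk on this page is cut off, so that cannot be confirmed here. A comment on the added line naming the coupling, such as `// escape character must match the ESCAPE clause of the selectProjectsFromView query in ComponentMapper.xml`, would keep the two in sync. If the DAO module already has a shared helper for building LIKE values, reusing it instead of this inline replace chain would avoid a second escaping convention.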
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java
index f440ca6af10..b04c2232f7c 100644
--- a/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java
@@ -1004,6 +1004,26 @@ public class ComponentDaoTest {
 assertThat(underTest.selectProjectsFromView(dbSession, "Unknown", "Unknown")).isEmpty();
 }
 
+ @Test
+ public void select_projects_from_view_should_escape_like_sensitive_characters() {
+ ComponentDto project1 = db.components().insertPrivateProject();
+ ComponentDto project2 = db.components().insertPrivateProject();
+ ComponentDto project3 = db.components().insertPrivateProject();
+
+ ComponentDto view = db.components().insertPrivatePortfolio();
+
+ //subview with uuid containing special character ( '_' ) for 'like' SQL clause
+ ComponentDto subView1 = db.components().insertComponent(newSubPortfolio(view, "A_C", "A_C-key"));
+ db.components().insertComponent(newProjectCopy(project1, subView1));
+ db.components().insertComponent(newProjectCopy(project2, subView1));
+
+ ComponentDto subView2 = db.components().insertComponent(newSubPortfolio(view, "ABC", "ABC-key"));
+ db.components().insertComponent(newProjectCopy(project3, subView2));
+
+ assertThat(underTest.selectProjectsFromView(dbSession, subView1.uuid(), view.uuid())).containsExactlyInAnyOrder(project1.uuid(), project2.uuid());
+ assertThat(underTest.selectProjectsFromView(dbSession, subView2.uuid(), view.uuid())).containsExactlyInAnyOrder(project3.uuid());
+ }
+
 @Test
 public void select_projects() {
 ComponentDto provisionedProject = db.components().insertPrivateProject();
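Review bot: The new test `select_projects_from_view_should_escape_like_sensitive_characters` only exercises `_`, while the production change also escapes `%`, so the second replacement has no coverage; a third sub-portfolio built the same way with a `%` in its uuid (a constructed value such as `newSubPortfolio(view, "A%C", "A%C-key")`) plus an assertion that querying it does not pull in the projects of `A_C` or `ABC` would pin it. The assertion on `subView2` is valuable as is, since `ABC` would match an unescaped `A_C` pattern. The inline comment `//subview with uuid containing special character ( '_' ) for 'like' SQL clause` is missing the space after `//`.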
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java b/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java
index 2f31c5af4aa..955253c6953 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java
@@ -19,7 +19,6 @@
 */
 package org.sonar.server.view.index;
 
-import com.google.common.collect.ImmutableSet;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
@@ -57,7 +56,7 @@ public class ViewIndexer implements ResilientIndexer {
 
 @Override
 public Set getIndexTypes() {
- return ImmutableSet.of(TYPE_VIEW);
+ return Set.of(TYPE_VIEW);
 }
 
 @Override
diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
index 291595f179a..fbb5055f3c5 100644
--- a/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
+++ b/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
@@ -57,6 +57,11 @@ public class ViewIndexerTest {
 private final DbSession dbSession = db.getSession();
 private final ViewIndexer underTest = new ViewIndexer(dbClient, es.client());
 
+ @Test
+ public void getIndexTypes() {
+ assertThat(underTest.getIndexTypes()).containsExactly(TYPE_VIEW);
+ }
+
 @Test
 public void index_nothing() {
 underTest.indexOnStartup(emptySet());
-- 
2.39.5
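Review bot: The new test method in `ViewIndexerTest` is named `getIndexTypes`, while the neighbouring test `index_nothing` uses the snake_case naming the class otherwise follows; renaming it, for example to `get_index_types_returns_view_type`, keeps the class consistent and reads as a behaviour rather than as the method under test. The assertion itself is adequate for a single-element set and covers the `Set.of` replacement in `ViewIndexer`.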