From cf76519f25fe0c34c78ad5acaa52d4500f56c976 Mon Sep 17 00:00:00 2001
From: =?utf8?q?S=C3=A9bastien=20Lesaint?=
Date: Tue, 31 Jan 2017 11:17:57 +0100
Subject: [PATCH] SONAR-8650 secure all query-base method of ComponentMapper

---
 .../java/org/sonar/db/component/ComponentDao.java | 15 +++------------
 .../org/sonar/db/component/ComponentMapper.xml    |  6 +++---
 2 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/sonar-db/src/main/java/org/sonar/db/component/ComponentDao.java b/sonar-db/src/main/java/org/sonar/db/component/ComponentDao.java
index dda0e063456..0f824a7bb39 100644
--- a/sonar-db/src/main/java/org/sonar/db/component/ComponentDao.java
+++ b/sonar-db/src/main/java/org/sonar/db/component/ComponentDao.java
@@ -35,7 +35,6 @@ import org.apache.ibatis.session.RowBounds;
 import org.sonar.api.resources.Qualifiers;
 import org.sonar.api.resources.Scopes;
 import org.sonar.db.Dao;
-import org.sonar.db.DatabaseUtils;
 import org.sonar.db.DbSession;
 import org.sonar.db.RowNotFoundException;
 
@@ -258,15 +257,15 @@ public class ComponentDao implements Dao {
     if (isBlank(textQuery)) {
       return null;
     }
-    return DatabaseUtils.buildLikeValue(textQuery.toUpperCase(Locale.ENGLISH), BEFORE_AND_AFTER);
+    return buildLikeValue(textQuery.toUpperCase(Locale.ENGLISH), BEFORE_AND_AFTER);
   }
 
   public List selectGhostProjects(DbSession session, String organizationUuid, @Nullable String query, int offset, int limit) {
-    return mapper(session).selectGhostProjects(organizationUuid, queryParameterFrom(query), new RowBounds(offset, limit));
+    return mapper(session).selectGhostProjects(organizationUuid, buildUpperLikeSql(query), new RowBounds(offset, limit));
   }
 
   public long countGhostProjects(DbSession session, String organizationUuid, @Nullable String query) {
-    return mapper(session).countGhostProjects(organizationUuid, queryParameterFrom(query));
+    return mapper(session).countGhostProjects(organizationUuid, buildUpperLikeSql(query));
   }
 
   /**
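Review bot: In selectGhostProjects and countGhostProjects the new `buildUpperLikeSql(query)` receives a `@Nullable` argument, but the helper itself is not in this hunk, so it should be confirmed that it keeps the contract of the removed `queryParameterFrom` (null in, null out) — otherwise a caller passing no filter now hits a NullPointerException or an empty LIKE pattern instead of the unfiltered query the mapper presumably handles. The escaping only protects the LIKE clause if the escape character the helper emits is the one the SQL declares; the ComponentMapper.xml side of this commit declares `ESCAPE '/'`, and nothing in the Java code states that coupling, so I would add on both callers `// value is LIKE-escaped; the mapper statement must declare the matching ESCAPE '/'`. The unqualified `buildLikeValue` / `buildUpperLikeSql` calls presumably resolve through static imports added outside the shown hunks, since the hunk at line 35 drops the `org.sonar.db.DatabaseUtils` type import. The method whose `return buildLikeValue(...)` line changes at the top of the hunk starts outside it.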
@@ -304,14 +303,6 @@ public class ComponentDao implements Dao {
     return mapper(dbSession).selectProjectsByNameQuery(nameQueryForSql, includeModules);
   }
 
-  @CheckForNull
-  private static String queryParameterFrom(@Nullable String keyOrNameFilter) {
-    if (keyOrNameFilter != null) {
-      return "%" + keyOrNameFilter.toUpperCase(Locale.ENGLISH) + "%";
-    }
-    return null;
-  }
-
   public void insert(DbSession session, ComponentDto item) {
     mapper(session).insert(item);
   }
diff --git a/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml b/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
index 79b19813fff..3f3f8bb34f6 100644
--- a/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
+++ b/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
@@ -401,8 +401,8 @@
     and p.copy_component_uuid is null
     and (
-      UPPER(p.name) like #{query}
-      or UPPER(p.kee) like #{query}
+      UPPER(p.name) like #{query} ESCAPE '/'
+      or UPPER(p.kee) like #{query} ESCAPE '/'
     )
@@ -433,7 +433,7 @@
     AND (p.qualifier = 'TRK' OR p.qualifier = 'BRC')
-    AND UPPER(p.name) like #{nameQuery,jdbcType=VARCHAR}
+    AND UPPER(p.name) like #{nameQuery,jdbcType=VARCHAR} ESCAPE '/'
     ORDER BY p.name
-- 
2.39.5
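Review bot: Declaring `ESCAPE '/'` on the `#{query}` clauses at line 401 makes the statement correct only for values produced by the escaping helper: a bound value containing a '/' that was not emitted by that helper is now read as an escape character, and a trailing or unpaired '/' is rejected by most databases, so every producer of this parameter must go through `DatabaseUtils.buildLikeValue` (the Java side of this commit converts the two ghost-project callers; any other statement in this mapper that still binds a raw pattern is unprotected, which I cannot tell from the hunk). The same applies to the `#{nameQuery}` clause in the hunk at line 433. Since the coupling is invisible from the XML, I would document it next to each clause with `<!-- bound value is produced by DatabaseUtils.buildLikeValue; '/' is its escape character, do not bind a raw pattern here -->`. The enclosing select elements start and end outside both hunks, and some surrounding lines appear to have been lost from this page, so the `<if>` guards (if any) around these clauses could not be checked.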