Browse Source
SONAR-15825 Escape special characters in like sql query for portfolio projects
(cherry picked from commit 52785af21a)
tags/8.9.7.52159
Jacek
2 years ago
4 changed files with 35 additions and 3 deletions
+ 2
- 1
server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java
View File
| @@ -249,7 +249,8 @@ public class ComponentDao implements Dao { | |||
| } | |||
| public List<String> selectProjectsFromView(DbSession session, String viewUuid, String projectViewUuid) { | |||
| return mapper(session).selectProjectsFromView("%." + viewUuid + ".%", projectViewUuid); | |||
| String escapedViewUuid = viewUuid.replace("_", "\\_").replace("%", "\\%"); | |||
| return mapper(session).selectProjectsFromView("%." + escapedViewUuid + ".%", projectViewUuid); | |||
| } | |||
| /** | |||
+ 8
- 2
server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml
View File
| @@ -424,14 +424,20 @@ | |||
| and p.scope = 'PRJ' | |||
| and p.qualifier in ('VW', 'APP') | |||
| </select> | |||
| <select id="selectProjectsFromView" resultType="String"> | |||
| select p.copy_component_uuid | |||
| from components p | |||
| where | |||
| p.enabled = ${_true} | |||
| and p.project_uuid = #{projectViewUuid,jdbcType=VARCHAR} | |||
| and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} | |||
| <choose> | |||
| <when test="_databaseId == 'mssql'"> | |||
| and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} {escape '\'} | |||
| </when> | |||
| <otherwise> | |||
| and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} ESCAPE '\' | |||
| </otherwise> | |||
| </choose> | |||
| and p.qualifier = 'TRK' | |||
| and p.copy_component_uuid is not null | |||
| </select> | |||
+ 20
- 0
server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java
View File
| @@ -994,6 +994,26 @@ public class ComponentDaoTest { | |||
| assertThat(underTest.selectProjectsFromView(dbSession, "Unknown", "Unknown")).isEmpty(); | |||
| } | |||
| @Test | |||
| public void select_projects_from_view_should_escape_like_sensitive_characters() { | |||
| ComponentDto project1 = db.components().insertPrivateProject(); | |||
| ComponentDto project2 = db.components().insertPrivateProject(); | |||
| ComponentDto project3 = db.components().insertPrivateProject(); | |||
| ComponentDto view = db.components().insertPrivatePortfolio(); | |||
| //subview with uuid containing special character ( '_' ) for 'like' SQL clause | |||
| ComponentDto subView1 = db.components().insertComponent(newSubView(view, "A_C", "A_C-key")); | |||
| db.components().insertComponent(newProjectCopy(project1, subView1)); | |||
| db.components().insertComponent(newProjectCopy(project2, subView1)); | |||
| ComponentDto subView2 = db.components().insertComponent(newSubView(view, "ABC", "ABC-key")); | |||
| db.components().insertComponent(newProjectCopy(project3, subView2)); | |||
| assertThat(underTest.selectProjectsFromView(dbSession, subView1.uuid(), view.uuid())).containsExactlyInAnyOrder(project1.uuid(), project2.uuid()); | |||
| assertThat(underTest.selectProjectsFromView(dbSession, subView2.uuid(), view.uuid())).containsExactlyInAnyOrder(project3.uuid()); | |||
| } | |||
| @Test | |||
| public void select_projects() { | |||
| ComponentDto provisionedProject = db.components().insertPrivateProject(); | |||
+ 5
- 0
server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
View File
| @@ -57,6 +57,11 @@ public class ViewIndexerTest { | |||
| private final DbSession dbSession = db.getSession(); | |||
| private final ViewIndexer underTest = new ViewIndexer(dbClient, es.client()); | |||
| @Test | |||
| public void getIndexTypes() { | |||
| assertThat(underTest.getIndexTypes()).containsExactly(TYPE_VIEW); | |||
| } | |||
| @Test | |||
| public void index_nothing() { | |||
| underTest.indexOnStartup(emptySet()); | |||
Loading…