diff options
author | Jacek <jacek.poreda@sonarsource.com> | 2022-01-25 10:28:26 +0100 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2022-01-26 20:02:44 +0000 |
commit | 4d26d4ebf4d6101f12b4bb9135e553c6d06e3733 (patch) | |
tree | 2b26bd9edfc053796b4c6fd6523d713fe4bb7d5a | |
parent | b011476a0b167dc3cd5252c3428be01956dee5b2 (diff) | |
download | sonarqube-4d26d4ebf4d6101f12b4bb9135e553c6d06e3733.tar.gz sonarqube-4d26d4ebf4d6101f12b4bb9135e553c6d06e3733.zip |
SONAR-15825 Escape special characters in like sql query for portfolio projects
5 files changed, 36 insertions, 5 deletions
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java index 027eca54878..bbdaab77678 100644 --- a/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java +++ b/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java @@ -257,7 +257,8 @@ public class ComponentDao implements Dao { } public List<String> selectProjectsFromView(DbSession session, String viewUuid, String projectViewUuid) { - return mapper(session).selectProjectsFromView("%." + viewUuid + ".%", projectViewUuid); + var escapedViewUuid = viewUuid.replace("_", "\\_").replace("%", "\\%"); + return mapper(session).selectProjectsFromView("%." + escapedViewUuid + ".%", projectViewUuid); } /** diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml index 97198772fbc..c93b10d9771 100644 --- a/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml +++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml @@ -444,14 +444,20 @@ and p.scope = 'PRJ' and p.qualifier in ('VW', 'APP') </select> - <select id="selectProjectsFromView" resultType="String"> select p.copy_component_uuid from components p where p.enabled = ${_true} and p.project_uuid = #{projectViewUuid,jdbcType=VARCHAR} - and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} + <choose> + <when test="_databaseId == 'mssql'"> + and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} {escape '\'} + </when> + <otherwise> + and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} ESCAPE '\' + </otherwise> + </choose> and p.qualifier = 'TRK' and p.copy_component_uuid is not null </select> diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java index f440ca6af10..b04c2232f7c 100644 --- a/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java +++ b/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java @@ -1005,6 +1005,26 @@ public class ComponentDaoTest { } @Test + public void select_projects_from_view_should_escape_like_sensitive_characters() { + ComponentDto project1 = db.components().insertPrivateProject(); + ComponentDto project2 = db.components().insertPrivateProject(); + ComponentDto project3 = db.components().insertPrivateProject(); + + ComponentDto view = db.components().insertPrivatePortfolio(); + + //subview with uuid containing special character ( '_' ) for 'like' SQL clause + ComponentDto subView1 = db.components().insertComponent(newSubPortfolio(view, "A_C", "A_C-key")); + db.components().insertComponent(newProjectCopy(project1, subView1)); + db.components().insertComponent(newProjectCopy(project2, subView1)); + + ComponentDto subView2 = db.components().insertComponent(newSubPortfolio(view, "ABC", "ABC-key")); + db.components().insertComponent(newProjectCopy(project3, subView2)); + + assertThat(underTest.selectProjectsFromView(dbSession, subView1.uuid(), view.uuid())).containsExactlyInAnyOrder(project1.uuid(), project2.uuid()); + assertThat(underTest.selectProjectsFromView(dbSession, subView2.uuid(), view.uuid())).containsExactlyInAnyOrder(project3.uuid()); + } + + @Test public void select_projects() { ComponentDto provisionedProject = db.components().insertPrivateProject(); ComponentDto provisionedView = db.components().insertPrivatePortfolio(); diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java b/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java index 2f31c5af4aa..955253c6953 100644 --- a/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java +++ b/server/sonar-server-common/src/main/java/org/sonar/server/view/index/ViewIndexer.java @@ -19,7 +19,6 @@ */ package org.sonar.server.view.index; -import com.google.common.collect.ImmutableSet; import java.util.Collection; import java.util.HashMap; import java.util.List; @@ -57,7 +56,7 @@ public class ViewIndexer implements ResilientIndexer { @Override public Set<IndexType> getIndexTypes() { - return ImmutableSet.of(TYPE_VIEW); + return Set.of(TYPE_VIEW); } @Override diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java index 291595f179a..fbb5055f3c5 100644 --- a/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java +++ b/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java @@ -58,6 +58,11 @@ public class ViewIndexerTest { private final ViewIndexer underTest = new ViewIndexer(dbClient, es.client()); @Test + public void getIndexTypes() { + assertThat(underTest.getIndexTypes()).containsExactly(TYPE_VIEW); + } + + @Test public void index_nothing() { underTest.indexOnStartup(emptySet()); assertThat(es.countDocuments(TYPE_VIEW)).isZero(); |