
fix: simple quotes escape in queries #1227

Merged
merged 3 commits into from
Aug 30, 2024

Conversation


@ranim-n ranim-n commented Aug 23, 2024

I based my branch on the refactoring branch

@ranim-n ranim-n added labels fix (Something isn't working) and core (Relates to core API) Aug 23, 2024
@ranim-n ranim-n self-assigned this Aug 23, 2024
@ranim-n ranim-n changed the base branch from develop to refactor/prepare-handlers-for-csr August 23, 2024 15:44
@ranim-n ranim-n linked an issue Aug 23, 2024 that may be closed by this pull request

github-actions bot commented Aug 23, 2024

Test Results

62 files ±0 | 62 suites ±0 | 1m 29s ⏱️ +3s
1 010 tests +6 | 1 010 ✅ +6 | 0 💤 ±0 | 0 ❌ ±0
1 049 runs +6 | 1 049 ✅ +6 | 0 💤 ±0 | 0 ❌ ±0

Results for commit 549e591. ± Comparison against base commit 7d9c62f.

This pull request removes 217 and adds 67 tests. Note that renamed tests count towards both.
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [10] q=simpleQuoteString~="(?i).*It's a name.*", expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:01
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [11] q=simpleQuoteString~="(?i)^it's.*", expectedCount=2, expectedListOfEntities=urn:ngsi-ld:BeeHive:01,urn:ngsi-ld:BeeHive:02
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [12] q=simpleQuoteString=="It's a name", expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:01
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [13] q=dateTime==2023-02-16T00:00:00Z, expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:01
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [14] q=dateTime~=2023-02-16T00:00:00Z, expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:01
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [15] q=dateTime>2023-02-16T00:00:00Z, expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:02
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [16] q=boolean==true, expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:01
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [17] q=observedProperty.observedAt>2023-02-25T00:00:00Z, expectedCount=1, expectedListOfEntities=urn:ngsi-ld:BeeHive:02
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [18] q=observedProperty.observedAt>2023-02-01T00:00:00Z, expectedCount=2, expectedListOfEntities=urn:ngsi-ld:BeeHive:01,urn:ngsi-ld:BeeHive:02
com.egm.stellio.search.entity.service.EntityServiceQueriesTests ‑ [19] q=observedProperty.observedAt<2023-01-01T00:00:00Z, expectedCount=0, expectedListOfEntities=null
…

♻️ This comment has been updated with latest results.


bobeal commented Aug 25, 2024


ranim-n commented Aug 26, 2024

I tried using quote_literal but it's not working. It could be because it's used with json path


bobeal commented Aug 26, 2024

  • out of curiosity, did a test with the == operator and the same error occurs

I tried using quote_literal but it's not working. It could be because it's used with json path

Please give some details


ranim-n commented Aug 26, 2024

I used the method like this:

```kotlin
""" jsonb_path_exists(#{TARGET}#, '$."${mainAttributePath[0]}"."$NGSILD_PROPERTY_VALUE"."$JSONLD_VALUE" ? (@ like_regex quote_literal($value))') """
```

and still got the same error:

```
java.lang.IllegalArgumentException: Sql cannot be parsed: unclosed quoted identifier .. SELECT ... (@ like_regex quote_literal("(?i).*It's a name.*"))')
```


bobeal commented Aug 26, 2024

Did you try passing the value as a named parameter in the jsonb path function? (Like is done for some other queries)


ranim-n commented Aug 26, 2024

I didn't understand your suggestion well


bobeal commented Aug 26, 2024

instead of doing:

```kotlin
jsonb_path_exists(#{TARGET}#,
    '$."${mainAttributePath[0]}"."$NGSILD_PROPERTY_VALUE"."$JSONLD_VALUE" ? (@ like_regex $value)')
```

doing something like this (wondering if in this case the PG query parser will process the quote_literal before calling the jsonb function):

```kotlin
jsonb_path_exists(#{TARGET}#,
    '$."${mainAttributePath[0]}"."$NGSILD_PROPERTY_VALUE"."$JSONLD_VALUE" ? (@ like_regex ${'$'}value)',
    '{ "value": quote_literal($value) }')
```


ranim-n commented Aug 26, 2024

```kotlin
${'$'}value)',
'{ "value": quote_literal($value) }')
```

I got the same error:

```
java.lang.IllegalArgumentException: Sql cannot be parsed: unclosed quoted identifier (identifier opened at index 423) in statement: SELECT ... (@ like_regex $value)', '{ "value": quote_literal("(?i).*It's a name.*") }')
```


bobeal commented Aug 26, 2024

too bad.

Comment on lines 158 to 161
```kotlin
'{ "value": ${value.replace(
"'",
"''"
)}}')
```
Member


  • the indentation is weird
  • there are already some extension functions used here (like String.quote()), cleaner to add a new one for this escaping
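The escaping this review discusses, as an added Python example that is not Stellio's code: it mirrors the Kotlin template's jsonb_path_exists call with the regex passed through the vars argument, reproduces the unclosed-literal bug when the single quote is not doubled, and shows the fixed form. The constant values, the `entity_payload` column name and the helper names are assumptions.

```python
import json
import re

# Constructed stand-ins for the template's constants (assumed values, not Stellio's).
NGSILD_PROPERTY_VALUE = "https://uri.etsi.org/ngsi-ld/hasValue"
JSONLD_VALUE = "@value"


def escape_sql_literal(value: str) -> str:
    """Double each single quote, the one escape a PostgreSQL '...' literal needs
    (backslashes are not special with standard_conforming_strings on)."""
    return value.replace("'", "''")


def build_regex_filter(attribute: str, pattern: str, escape: bool = True) -> str:
    """Mirror of the PR's jsonb_path_exists call: the regex travels in the vars
    argument as $value instead of being spliced into the path expression.
    escape=False reproduces the bug the PR fixes (an unclosed SQL literal)."""
    # json.dumps takes care of " and \ inside the JSON vars document; only the
    # surrounding SQL literal still needs its single quotes doubled.
    vars_json = json.dumps({"value": pattern})
    literal = escape_sql_literal(vars_json) if escape else vars_json
    path = f'$."{attribute}"."{NGSILD_PROPERTY_VALUE}"."{JSONLD_VALUE}" ? (@ like_regex $value)'
    return f"jsonb_path_exists(entity_payload, '{path}', '{literal}')"  # entity_payload: assumed column


def sql_literals_balanced(sql: str) -> bool:
    """The lexical check a SQL parser performs: each ' opens or closes a literal and
    '' inside a literal is an escaped quote. False is the 'unclosed quoted identifier'
    condition seen in the thread."""
    in_literal, i = False, 0
    while i < len(sql):
        if sql[i] == "'":
            if in_literal and sql[i + 1:i + 2] == "'":
                i += 2  # doubled quote stays inside the literal
                continue
            in_literal = not in_literal
        i += 1
    return not in_literal


def recover_vars(sql: str) -> dict:
    """What PostgreSQL hands to jsonb_path_exists: the last '...' literal with
    '' unescaped, parsed as JSON."""
    last_literal = re.findall(r"'((?:[^']|'')*)'", sql)[-1]
    return json.loads(last_literal.replace("''", "'"))
```

Running `build_regex_filter("simpleQuoteString", "(?i).*It's a name.*", escape=False)` yields an unbalanced statement, while the escaped form is balanced and round-trips the pattern, including double quotes and backslashes, which json.dumps handles.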

@bobeal
Copy link
Member

bobeal commented Aug 26, 2024

@thomasBousselin your review is missing

@@ -176,18 +179,27 @@ private fun transformQQueryToSqlJsonPath(
jsonb_path_exists(#{TARGET}#,
'$."${mainAttributePath[0]}"."$NGSILD_PROPERTY_VALUE".$jsonTrailingPath.**{0 to 1}."$JSONLD_VALUE" ?
(@ $operator ${'$'}value)',
'{ "value": $value }')
'{ "value": ${value.replace(
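Review bot: the replacement on the last line (`'{ "value": ${value.replace(`) only doubles single quotes, yet `$value` is spliced into a JSON vars document (`'{ "value": $value }'`) as well as into a SQL literal, so a `"` or `\` inside the value would still break or alter the JSON; either confirm the value is JSON-encoded before the quote doubling, or bind the vars document as a query parameter so no string escaping is needed in the template.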
@thomasBousselin thomasBousselin Aug 27, 2024


You use this in multiple places you may want to create an escapeQuote() function.

Base automatically changed from refactor/prepare-handlers-for-csr to develop August 30, 2024 13:33
@bobeal bobeal changed the title Fix/simple quotes escape in regex query fix: simple quotes escape in queries Aug 30, 2024
@bobeal bobeal force-pushed the fix/simple-quotes-escape-in-regex-query branch from 4e4a2ad to 549e591 Compare August 30, 2024 13:36
@bobeal bobeal merged commit 526711d into develop Aug 30, 2024
9 of 10 checks passed
@bobeal bobeal deleted the fix/simple-quotes-escape-in-regex-query branch August 30, 2024 14:15
@github-actions github-actions bot locked and limited conversation to collaborators Aug 30, 2024
Labels: core (Relates to core API), fix (Something isn't working)
Project status: Done
Linked issue that merging this pull request may close: Simple quotes are not properly escaped when doing a regex query