From bf5164b3ff05b98478c6dc46f08ac9c63a633318 Mon Sep 17 00:00:00 2001
From: Guillaume Le Floch
Date: Fri, 20 Mar 2020 14:48:20 +0100
Subject: [PATCH 1/2] validate column names of sort properties

---
 .../orm/panache/test/JpaOperationsSortTest.java | 10 ++++++++--
 .../src/main/java/io/quarkus/panache/common/Sort.java | 6 ++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java b/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java
index fcfbfe19da71b..4a79d0adaf743 100644
--- a/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java
+++ b/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java
@@ -1,6 +1,7 @@
 package io.quarkus.hibernate.orm.panache.test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import org.junit.jupiter.api.Test;
 
@@ -11,8 +12,13 @@ public class JpaOperationsSortTest {
 
     @Test
     public void testSortBy() {
-        Sort sort = Sort.by("foo", "bar");
-        assertEquals(" ORDER BY foo , bar", JpaOperations.toOrderBy(sort));
+        Sort sort = Sort.by("foo", "_bar");
+        assertEquals(" ORDER BY foo , _bar", JpaOperations.toOrderBy(sort));
+    }
+
+    @Test
+    public void testInvalidSortBy() {
+        assertThrows(IllegalArgumentException.class, () -> Sort.by("foo;", "bar"));
     }
 
     @Test
diff --git a/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java b/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java
index 42f8432437800..51ef6c8694f76 100644
--- a/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java
+++ b/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java
@@ -2,6 +2,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.regex.Pattern;
 
 /**
  *

@@ -41,6 +42,8 @@ public enum Direction {
     }
 
     public class Column {
+
+        private final Pattern COLUMN_PATTERN = Pattern.compile("^[a-zA-Z_][a-zA-Z0-9_]*$");
         private String name;
         private Direction direction;
 
@@ -49,6 +52,9 @@ public Column(String name) {
         }
 
         public Column(String name, Direction direction) {
+            if (COLUMN_PATTERN.asPredicate().negate().test(name)) {
+                throw new IllegalArgumentException("Column name must match pattern: " + COLUMN_PATTERN.pattern());
+            }
             this.name = name;
             this.direction = direction;
         }

From d886311db0e3e8596c8cc287e14e290389357e34 Mon Sep 17 00:00:00 2001
From: Guillaume Le Floch
Date: Mon, 6 Apr 2020 10:14:19 +0200
Subject: [PATCH 2/2] escape quota instead of throwing exception

---
 .../orm/panache/test/JpaOperationsSortTest.java | 14 ++++++++++----
 .../main/java/io/quarkus/panache/common/Sort.java | 11 +++++------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java b/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java
index 4a79d0adaf743..9ae7225bd13ae 100644
--- a/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java
+++ b/extensions/panache/hibernate-orm-panache/deployment/src/test/java/io/quarkus/hibernate/orm/panache/test/JpaOperationsSortTest.java
@@ -1,7 +1,6 @@
 package io.quarkus.hibernate.orm.panache.test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import org.junit.jupiter.api.Test;
 
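Review bot: In PATCH 1/2's Sort.java hunk (`@@ -41,6 +42,8 @@`), `COLUMN_PATTERN` is an instance field of `Column`, so `Pattern.compile` runs for every `Column` constructed even though the pattern is a constant. Because `Column` is declared without `static` it is an inner class, and (before Java 16) a non-constant `static` field cannot live there, so the constant belongs on the enclosing class: `private static final Pattern COLUMN_PATTERN = Pattern.compile("^[a-zA-Z_][a-zA-Z0-9_]*$");` at the top of `Sort`, referenced from the constructor as before. In the `@@ -49,6 +52,9 @@` hunk the check reads more directly as `if (!COLUMN_PATTERN.matcher(name).matches()) {`, and a `null` name currently surfaces as a NullPointerException from the matcher rather than the IllegalArgumentException the test expects for invalid input, so `Objects.requireNonNull(name, "name")` (or folding null into the same IllegalArgumentException) would make the contract uniform. I cannot tell from the hunk whether Sort is meant to accept nested property paths such as `a.b`; if it is, the regex needs to admit `.`-separated segments, otherwise this patch turns those callers into exceptions.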
@@ -13,12 +12,19 @@ public class JpaOperationsSortTest {
     @Test
     public void testSortBy() {
         Sort sort = Sort.by("foo", "_bar");
-        assertEquals(" ORDER BY foo , _bar", JpaOperations.toOrderBy(sort));
+        assertEquals(" ORDER BY 'foo' , '_bar'", JpaOperations.toOrderBy(sort));
     }
 
     @Test
-    public void testInvalidSortBy() {
-        assertThrows(IllegalArgumentException.class, () -> Sort.by("foo;", "bar"));
+    public void testInvalidSortByWithQuote() {
+        final Sort sort = Sort.by("foo'", "bar");
+        assertEquals(" ORDER BY 'foo\\'' , 'bar'", JpaOperations.toOrderBy(sort));
+    }
+
+    @Test
+    public void testInvalidSortByWithEscapeCharacters() {
+        final Sort sort = Sort.by("foo", "bar\\");
+        assertEquals(" ORDER BY 'foo' , 'bar\\\\'", JpaOperations.toOrderBy(sort));
     }
 
     @Test
diff --git a/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java b/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java
index 51ef6c8694f76..b96e90f3868db 100644
--- a/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java
+++ b/extensions/panache/panache-common/runtime/src/main/java/io/quarkus/panache/common/Sort.java
@@ -2,7 +2,6 @@
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.regex.Pattern;
 
 /**
  *

@@ -43,7 +42,6 @@ public enum Direction {
 
     public class Column {
 
-        private final Pattern COLUMN_PATTERN = Pattern.compile("^[a-zA-Z_][a-zA-Z0-9_]*$");
         private String name;
         private Direction direction;
 
@@ -52,10 +50,7 @@ public Column(String name) {
         }
 
         public Column(String name, Direction direction) {
-            if (COLUMN_PATTERN.asPredicate().negate().test(name)) {
-                throw new IllegalArgumentException("Column name must match pattern: " + COLUMN_PATTERN.pattern());
-            }
-            this.name = name;
+            this.name = escape(name);
             this.direction = direction;
         }
 
@@ -74,6 +69,10 @@ public Direction getDirection() {
         public void setDirection(Direction direction) {
             this.direction = direction;
         }
+
+        private String escape(String column) {
+            return "'" + column.replace("\\", "\\\\").replace("'", "\\'") + "'";
+        }
     }
 
     private List columns = new ArrayList<>();
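Review bot: `escape` in the `@@ -74,6 +69,10 @@` hunk wraps the column name in single quotes, which in JPQL/HQL (as in SQL) turns it into a string literal rather than an identifier, so the output pinned by the updated test, `ORDER BY 'foo' , '_bar'`, orders by two constants and no longer sorts by the property at all; the backslash form `\'` is also not how JPQL escapes a quote (it is `''`) and is dialect-dependent. An identifier in ORDER BY cannot be made safe by literal quoting, so this patch removes the one effective mitigation for caller-supplied sort fields, the allow-list check from PATCH 1/2, without replacing it. I would keep that check (with the pattern hoisted to a `static final` on the enclosing class) and drop `escape`: in the `@@ -52,10 +50,7 @@` hunk, `if (!COLUMN_PATTERN.matcher(name).matches()) { throw new IllegalArgumentException("Invalid column name: " + name); }` before `this.name = name;`. The test changes in JpaOperationsSortTest (`@@ -13,12 +12,19 @@`) encode the quoted output and would revert to asserting the unquoted `ORDER BY foo , _bar` plus the rejection case.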