SONAR-15825 Escape special characters in like sql query for portfolio…

… projects (cherry picked from commit 52785af21a65810243bdf6e7512406cf0d80d714)
SonarSource · Jan 27, 2022 · b10960d · b10960d
1 parent 9fbd244
commit b10960d
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/component/ComponentDao.java
@@ -249,7 +249,8 @@ public Set<String> selectViewKeysWithEnabledCopyOfProject(DbSession session, Set
   }
 
   public List<String> selectProjectsFromView(DbSession session, String viewUuid, String projectViewUuid) {
-    return mapper(session).selectProjectsFromView("%." + viewUuid + ".%", projectViewUuid);
+    String escapedViewUuid = viewUuid.replace("_", "\\_").replace("%", "\\%");
+    return mapper(session).selectProjectsFromView("%." + escapedViewUuid + ".%", projectViewUuid);
   }
 
   /**

diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/component/ComponentMapper.xml
@@ -424,14 +424,20 @@
       and p.scope = 'PRJ'
       and p.qualifier in ('VW', 'APP')
   </select>
-
   <select id="selectProjectsFromView" resultType="String">
     select p.copy_component_uuid
     from components p
     where
       p.enabled = ${_true}
       and p.project_uuid = #{projectViewUuid,jdbcType=VARCHAR}
-      and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR}
+    <choose>
+      <when test="_databaseId == 'mssql'">
+        and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} {escape '\'}
+      </when>
+      <otherwise>
+        and p.module_uuid_path like #{viewUuidLikeQuery,jdbcType=VARCHAR} ESCAPE '\'
+      </otherwise>
+    </choose>
       and p.qualifier = 'TRK'
       and p.copy_component_uuid is not null
   </select>

diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/component/ComponentDaoTest.java
@@ -994,6 +994,26 @@ public void select_projects_from_view() {
     assertThat(underTest.selectProjectsFromView(dbSession, "Unknown", "Unknown")).isEmpty();
   }
 
+  @Test
+  public void select_projects_from_view_should_escape_like_sensitive_characters() {
+    ComponentDto project1 = db.components().insertPrivateProject();
+    ComponentDto project2 = db.components().insertPrivateProject();
+    ComponentDto project3 = db.components().insertPrivateProject();
+
+    ComponentDto view = db.components().insertPrivatePortfolio();
+
+    //subview with uuid containing special character ( '_' ) for 'like' SQL clause
+    ComponentDto subView1 = db.components().insertComponent(newSubView(view, "A_C", "A_C-key"));
+    db.components().insertComponent(newProjectCopy(project1, subView1));
+    db.components().insertComponent(newProjectCopy(project2, subView1));
+
+    ComponentDto subView2 = db.components().insertComponent(newSubView(view, "ABC", "ABC-key"));
+    db.components().insertComponent(newProjectCopy(project3, subView2));
+
+    assertThat(underTest.selectProjectsFromView(dbSession, subView1.uuid(), view.uuid())).containsExactlyInAnyOrder(project1.uuid(), project2.uuid());
+    assertThat(underTest.selectProjectsFromView(dbSession, subView2.uuid(), view.uuid())).containsExactlyInAnyOrder(project3.uuid());
+  }
+
   @Test
   public void select_projects() {
     ComponentDto provisionedProject = db.components().insertPrivateProject();

diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
@@ -57,6 +57,11 @@ public class ViewIndexerTest {
   private final DbSession dbSession = db.getSession();
   private final ViewIndexer underTest = new ViewIndexer(dbClient, es.client());
 
+  @Test
+  public void getIndexTypes() {
+    assertThat(underTest.getIndexTypes()).containsExactly(TYPE_VIEW);
+  }
+
   @Test
   public void index_nothing() {
     underTest.indexOnStartup(emptySet());