validate journaldb name when building SQL (#376)

* validate journaldb name when building SQL * clear test input * apply spotless
teragrep · Oct 10, 2024 · f8b6cba · f8b6cba
1 parent e04a54a
commit f8b6cba
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 12 deletions.
diff --git a/src/main/java/com/teragrep/pth10/steps/teragrep/bloomfilter/TableSQL.java b/src/main/java/com/teragrep/pth10/steps/teragrep/bloomfilter/TableSQL.java
@@ -57,17 +57,17 @@ public final class TableSQL {
     private final String journalDBName;
     private final boolean ignoreConstraints;
 
-    private void nameIsValid() {
+    private void validSQLName(final String sql) {
         if (ignoreConstraints && LOGGER.isDebugEnabled()) {
             LOGGER.debug("Ignore database constraints active this should be only used in testing");
         }
         final Pattern pattern = Pattern.compile("^[A-Za-z0-9_]+$");
-        if (!pattern.matcher(name).find()) {
-            throw new RuntimeException("dpl.pth_06.bloom.table.name malformed name, only use alphabets, numbers and _");
+        if (!pattern.matcher(sql).find()) {
+            throw new RuntimeException("malformed SQL input <[" + sql + "]>, only use alphabets, numbers and _");
         }
-        if (name.length() > 100) {
+        if (sql.length() > 100) {
             throw new RuntimeException(
-                    "dpl.pth_06.bloom.table.name was too long, allowed maximum length is 100 characters"
+                    "SQL input <[" + sql + "]> was too long, allowed maximum length is 100 characters"
             );
         }
     }
@@ -93,7 +93,7 @@ public TableSQL(String name, String journalDBName, boolean ignoreConstraints) {
     }
 
     public String createTableSQL() {
-        nameIsValid();
+        validSQLName(name);
         final String sql;
         if (ignoreConstraints) {
             sql = "CREATE TABLE IF NOT EXISTS `" + name + "`("
@@ -102,6 +102,7 @@ public String createTableSQL() {
                     + "`filter` LONGBLOB NOT NULL);";
         }
         else {
+            validSQLName(journalDBName);
             sql = "CREATE TABLE IF NOT EXISTS `" + name + "`("
                     + "`id` BIGINT UNSIGNED NOT NULL auto_increment PRIMARY KEY,"
                     + "`partition_id` BIGINT UNSIGNED NOT NULL UNIQUE," + "`filter_type_id` BIGINT UNSIGNED NOT NULL,"

diff --git a/src/test/java/com/teragrep/pth10/steps/teragrep/bloomfilter/BloomFilterTableTest.java b/src/test/java/com/teragrep/pth10/steps/teragrep/bloomfilter/BloomFilterTableTest.java
@@ -93,7 +93,8 @@ void testInvalidInputCharacters() {
         RuntimeException e = Assertions.assertThrows(RuntimeException.class, injectionTable::create);
         Assertions
                 .assertEquals(
-                        "dpl.pth_06.bloom.table.name malformed name, only use alphabets, numbers and _", e.getMessage()
+                        "malformed SQL input <[test;%00SELECT%00CONCAT('DROP%00TABLE%00IF%00EXISTS`',table_name,'`;')]>, only use alphabets, numbers and _",
+                        e.getMessage()
                 );
     }
 
@@ -107,7 +108,7 @@ void testInputOverMaxLimit() {
         RuntimeException e = Assertions.assertThrows(RuntimeException.class, table::create);
         Assertions
                 .assertEquals(
-                        "dpl.pth_06.bloom.table.name was too long, allowed maximum length is 100 characters",
+                        "SQL input <[testname_thatistoolongtestname_thatistoolongtestname_thatistoolongtestname_thatistoolongtestnamethati]> was too long, allowed maximum length is 100 characters",
                         e.getMessage()
                 );
     }

diff --git a/src/test/java/com/teragrep/pth10/steps/teragrep/bloomfilter/TableSQLTest.java b/src/test/java/com/teragrep/pth10/steps/teragrep/bloomfilter/TableSQLTest.java
@@ -66,6 +66,28 @@ public void testCreateTableSQLJournalDBOption() {
         Assertions.assertEquals(e, table.createTableSQL());
     }
 
+    @Test
+    public void testCreateTableSQLInvalidJournalDBOption() {
+        String name = "test_table";
+        TableSQL table = new TableSQL(name, "test;%00SELECT%00CONCAT('DROP%00TABLE%00IF%00EXISTS`',table_name,'`;')");
+        RuntimeException e = Assertions.assertThrows(RuntimeException.class, table::createTableSQL);
+        Assertions
+                .assertEquals(
+                        "malformed SQL input <[test;%00SELECT%00CONCAT('DROP%00TABLE%00IF%00EXISTS`',table_name,'`;')]>, only use alphabets, numbers and _",
+                        e.getMessage()
+                );
+    }
+
+    @Test
+    public void testCreateTableSQLInvalidJournalDBOptionIgnoreConstraints() {
+        String name = "test_table";
+        // not validated when ignoreConstraint set to true
+        String ignoredInput = "test;%00SELECT%00CONCAT('DROP%00TABLE%00IF%00EXISTS`',table_name,'`;')";
+        TableSQL table = new TableSQL(name, ignoredInput, true);
+        String e = "CREATE TABLE IF NOT EXISTS `test_table`(`id` BIGINT UNSIGNED NOT NULL auto_increment PRIMARY KEY,`partition_id` BIGINT UNSIGNED NOT NULL UNIQUE,`filter_type_id` BIGINT UNSIGNED NOT NULL,`filter` LONGBLOB NOT NULL);";
+        Assertions.assertEquals(e, table.createTableSQL());
+    }
+
     @Test
     public void testIgnoreConstraintsCreateTableSQL() {
         String name = "test_table";
@@ -81,7 +103,8 @@ public void testInvalidInputCharacters() {
         RuntimeException e = Assertions.assertThrows(RuntimeException.class, table::createTableSQL);
         Assertions
                 .assertEquals(
-                        "dpl.pth_06.bloom.table.name malformed name, only use alphabets, numbers and _", e.getMessage()
+                        "malformed SQL input <[test;%00SELECT%00CONCAT('DROP%00TABLE%00IF%00EXISTS`',table_name,'`;')]>, only use alphabets, numbers and _",
+                        e.getMessage()
                 );
     }
 
@@ -92,7 +115,8 @@ public void testInvalidInputCharactersIgnoreConstraintsCreateTableSQL() {
         RuntimeException e = Assertions.assertThrows(RuntimeException.class, table::createTableSQL);
         Assertions
                 .assertEquals(
-                        "dpl.pth_06.bloom.table.name malformed name, only use alphabets, numbers and _", e.getMessage()
+                        "malformed SQL input <[test;%00SELECT%00CONCAT('DROP%00TABLE%00IF%00EXISTS`',table_name,'`;')]>, only use alphabets, numbers and _",
+                        e.getMessage()
                 );
     }
 
@@ -103,7 +127,7 @@ public void testInputOverMaxLimit() {
         RuntimeException e = Assertions.assertThrows(RuntimeException.class, table::createTableSQL);
         Assertions
                 .assertEquals(
-                        "dpl.pth_06.bloom.table.name was too long, allowed maximum length is 100 characters",
+                        "SQL input <[testname_thatistoolongtestname_thatistoolongtestname_thatistoolongtestname_thatistoolongtestnamethati]> was too long, allowed maximum length is 100 characters",
                         e.getMessage()
                 );
     }
@@ -115,7 +139,7 @@ public void testInputOverMaxLimitIgnoreConstraintsCreateTableSQL() {
         RuntimeException e = Assertions.assertThrows(RuntimeException.class, table::createTableSQL);
         Assertions
                 .assertEquals(
-                        "dpl.pth_06.bloom.table.name was too long, allowed maximum length is 100 characters",
+                        "SQL input <[testname_thatistoolongtestname_thatistoolongtestname_thatistoolongtestname_thatistoolongtestnamethati]> was too long, allowed maximum length is 100 characters",
                         e.getMessage()
                 );
     }