Escape SQL LIKE wildcards in queries (CPS-1760 #1)

If '%' and '_' are used in the contains-condition of a CpsPath query,
incorrect results will be returned. For example:
  /bookstore/categories[contains(@code, "%")]
Special characters in the contains-condition value must be escaped.

Issue-ID: CPS-1762
Signed-off-by: danielhanrahan <daniel.hanrahan@est.tech>
Change-Id: I2fdd5a26433d510cd7d6af5b734a6779b537d63d

5 files changed, 86 insertions, 5 deletions

diff --git a/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentQueryBuilder.java b/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentQueryBuilder.java
index ba94d56b1..34dea9bc1 100644
--- a/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentQueryBuilder.java
+++ b/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentQueryBuilder.java
@@ -36,6 +36,7 @@ import org.onap.cps.spi.entities.AnchorEntity;
 import org.onap.cps.spi.entities.DataspaceEntity;
 import org.onap.cps.spi.entities.FragmentEntity;
 import org.onap.cps.spi.exceptions.CpsPathException;
+import org.onap.cps.spi.utils.EscapeUtils;
 import org.onap.cps.utils.JsonObjectMapper;
 import org.springframework.stereotype.Component;
 
@@ -202,7 +203,8 @@ public class FragmentQueryBuilder {
         if (cpsPathQuery.hasContainsFunctionCondition()) {
             sqlStringBuilder.append(" AND attributes ->> :containsLeafName LIKE CONCAT('%',:containsValue,'%') ");
             queryParameters.put("containsLeafName", cpsPathQuery.getContainsFunctionConditionLeafName());
-            queryParameters.put("containsValue", cpsPathQuery.getContainsFunctionConditionValue());
+            queryParameters.put("containsValue",
+                    EscapeUtils.escapeForSqlLike(cpsPathQuery.getContainsFunctionConditionValue()));
         }
     }
 
diff --git a/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentRepository.java b/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentRepository.java
index 03de95eb8..303af5bc4 100755
--- a/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentRepository.java
+++ b/cps-ri/src/main/java/org/onap/cps/spi/repository/FragmentRepository.java
@@ -30,6 +30,7 @@ import org.onap.cps.spi.entities.AnchorEntity;
 import org.onap.cps.spi.entities.DataspaceEntity;

 import org.onap.cps.spi.entities.FragmentEntity;

 import org.onap.cps.spi.exceptions.DataNodeNotFoundException;

+import org.onap.cps.spi.utils.EscapeUtils;

 import org.springframework.data.jpa.repository.JpaRepository;

 import org.springframework.data.jpa.repository.Modifying;

 import org.springframework.data.jpa.repository.Query;

@@ -67,8 +68,6 @@ public interface FragmentRepository extends JpaRepository<FragmentEntity, Long>,
         return findByDataspaceIdAndXpathIn(dataspaceEntity.getId(), xpaths.toArray(new String[0]));

     }

 

-    boolean existsByAnchorId(long anchorId);

-

     @Query(value = "SELECT * FROM fragment WHERE anchor_id = :anchorId LIMIT 1", nativeQuery = true)

     Optional<FragmentEntity> findOneByAnchorId(@Param("anchorId") long anchorId);

 

@@ -95,8 +94,8 @@ public interface FragmentRepository extends JpaRepository<FragmentEntity, Long>,
                                          @Param("xpathPatterns") String[] xpathPatterns);

 

     default void deleteListsByAnchorIdAndXpaths(long anchorId, Collection<String> xpaths) {

-        final String[] listXpathPatterns = xpaths.stream().map(xpath -> xpath + "[%").toArray(String[]::new);

-        deleteByAnchorIdAndXpathLikeAny(anchorId, listXpathPatterns);

+        deleteByAnchorIdAndXpathLikeAny(anchorId,

+                xpaths.stream().map(xpath -> EscapeUtils.escapeForSqlLike(xpath) + "[@%").toArray(String[]::new));

     }

 

     @Query(value = "SELECT xpath FROM fragment WHERE anchor_id = :anchorId AND xpath = ANY (:xpaths)",

diff --git a/cps-ri/src/main/java/org/onap/cps/spi/utils/EscapeUtils.java b/cps-ri/src/main/java/org/onap/cps/spi/utils/EscapeUtils.java
new file mode 100644
index 000000000..3092b7905
--- /dev/null
+++ b/cps-ri/src/main/java/org/onap/cps/spi/utils/EscapeUtils.java
@@ -0,0 +1,33 @@
+/*
+ *  ============LICENSE_START=======================================================
+ *  Copyright (C) 2023 Nordix Foundation
+ *  ================================================================================
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *  ============LICENSE_END=========================================================
+ */
+
+package org.onap.cps.spi.utils;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class EscapeUtils {
+
+    public static String escapeForSqlLike(final String text) {
+        return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
+    }
+
+}
diff --git a/cps-ri/src/test/groovy/org/onap/cps/spi/utils/EscapeUtilsSpec.groovy b/cps-ri/src/test/groovy/org/onap/cps/spi/utils/EscapeUtilsSpec.groovy
new file mode 100644
index 000000000..17eb8846a
--- /dev/null
+++ b/cps-ri/src/test/groovy/org/onap/cps/spi/utils/EscapeUtilsSpec.groovy
@@ -0,0 +1,36 @@
+/*
+ *  ============LICENSE_START=======================================================
+ *  Copyright (C) 2023 Nordix Foundation
+ *  ================================================================================
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *  ============LICENSE_END=========================================================
+ */
+
+package org.onap.cps.spi.utils
+
+import spock.lang.Specification
+
+class EscapeUtilsSpec extends Specification {
+
+    def 'Escape text for using in SQL LIKE operation'() {
+        expect:
+            EscapeUtils.escapeForSqlLike(unescapedText) == escapedText
+        where:
+            unescapedText                   || escapedText
+            'Only %, _, and \\ are special' || 'Only \\%, \\_, and \\\\ are special'
+            'Others (./?$) are not special' || 'Others (./?$) are not special'
+    }
+
+}
diff --git a/integration-test/src/test/groovy/org/onap/cps/integration/functional/CpsQueryServiceIntegrationSpec.groovy b/integration-test/src/test/groovy/org/onap/cps/integration/functional/CpsQueryServiceIntegrationSpec.groovy
index fa0b82045..0cb3200f8 100644
--- a/integration-test/src/test/groovy/org/onap/cps/integration/functional/CpsQueryServiceIntegrationSpec.groovy
+++ b/integration-test/src/test/groovy/org/onap/cps/integration/functional/CpsQueryServiceIntegrationSpec.groovy
@@ -339,4 +339,15 @@ class CpsQueryServiceIntegrationSpec extends FunctionalSpecBase {
             'incomplete absolute 1 list entry'    | '/categories[@code="3"]'                || 0
     }
 
+    def 'Cps Path query should ignore special characters: #scenario.'() {
+        when: 'a query is executed to get data nodes by the given cps path'
+            def result = objectUnderTest.queryDataNodes(FUNCTIONAL_TEST_DATASPACE_1, BOOKSTORE_ANCHOR_1, cpsPath, INCLUDE_ALL_DESCENDANTS)
+        then: 'no data nodes are returned'
+            assert result.isEmpty()
+        where:
+            scenario                                   | cpsPath
+            '  sql wildcard in contains-condition'     | '/bookstore/categories[@code="1"]/books[contains(@title, "%")]'
+            'regex wildcard in contains-condition'     | '/bookstore/categories[@code="1"]/books[contains(@title, ".*")]'
+    }
+
 }