fixed security issue and minor sonar issues

Author: chernser

clickhouse-jdbc/src/test/java/com/clickhouse/jdbc/ClickHouseDatabaseMetaDataTest.java

@@ -96,9 +96,7 @@ public void testGetTypeInfo() throws SQLException {
         props.setProperty("decompress", "0");
         try (ClickHouseConnection conn = newConnection(props); ResultSet rs = conn.getMetaData().getTypeInfo()) {
             while (rs.next()) {
-                rs.getString(1);
-                System.out.println(rs.getString(1));
-                rs.getInt(2);
+                Assert.assertNotNull(rs.getString(1));
             }
         }
     }

client-v2/src/test/java/com/clickhouse/client/datatypes/DataTypeTests.java

@@ -159,16 +159,15 @@ public void testVariantWithSimpleDataTypes() throws Exception {
                 case BFloat16:
                     // TODO: add support
                     continue dataTypesLoop;
+                    // skipped
                 case String:
                 case FixedString:
                 case Nothing:
                 case Variant:
                 case JSON:
                 case Object:
                 case Dynamic:
-                    // skipped
-                    continue dataTypesLoop;
-
+                    // no tests or tested in other tests
                 case Decimal:
                 case Decimal32:
                 case Decimal64:

jdbc-v2/src/main/java/com/clickhouse/jdbc/internal/JdbcUtils.java

@@ -3,7 +3,6 @@
 import com.clickhouse.client.api.data_formats.internal.BinaryStreamReader;
 import com.clickhouse.data.ClickHouseDataType;
 import com.clickhouse.jdbc.types.Array;
-import org.jspecify.annotations.Nullable;
 
 import java.sql.Date;
 import java.sql.JDBCType;
@@ -20,11 +19,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
 import java.util.TreeMap;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 public class JdbcUtils {
     //Define a map to store the mapping between ClickHouse data types and SQL data types
@@ -259,4 +254,13 @@ public static Object convert(Object value, Class<?> type) throws SQLException {
 
         throw new SQLException("Unsupported conversion from " + value.getClass().getName() + " to " + type.getName(), ExceptionUtils.SQL_STATE_DATA_EXCEPTION);
     }
+
+    public static String escapeQuotes(String str) {
+        if (str == null || str.isEmpty()) {
+            return str;
+        }
+        return str
+                .replace("'", "\\'")
+                .replace("\"", "\\\"");
+    }
 }

jdbc-v2/src/main/java/com/clickhouse/jdbc/internal/MetadataResultSet.java

@@ -11,10 +11,10 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.function.Function;
+import java.util.function.UnaryOperator;
 
 public class MetadataResultSet extends ResultSetImpl {
-    private final Map<String, Function<String, String>> columnTransformers = new HashMap<>();
+    private final Map<String, UnaryOperator<String>> columnTransformers = new HashMap<>();
     private final String[] cachedColumnLabels;
 
     private final OverridingSchemaAdaptor overridingSchemaAdaptor;
@@ -28,17 +28,16 @@ public MetadataResultSet(ResultSetImpl resultSet) throws SQLException {
         for (int i = 1; i <= count; i++) {
             cachedColumnLabels[i - 1] = metaData.getColumnLabel(i).toUpperCase();
         }
-
     }
 
     /**
      * Registers a transformer function for a given column.
      * The transformer takes the original String value and returns a new String.
      *
-     * @param columnLabel The name of the column (case insensitive).
+     * @param columnLabel The name of the column (case-insensitive).
      * @param transformer The function that transforms the value.
      */
-    public MetadataResultSet transform(String columnLabel, ClickHouseColumn column, Function<String, String> transformer) {
+    public MetadataResultSet transform(String columnLabel, ClickHouseColumn column, UnaryOperator<String> transformer) {
         if (columnLabel != null && transformer != null) {
             columnTransformers.put(columnLabel.toUpperCase(), transformer);
         }
@@ -49,7 +48,7 @@ public MetadataResultSet transform(String columnLabel, ClickHouseColumn column,
     @Override
     public String getString(String columnLabel) throws SQLException {
         String value = super.getString(columnLabel);
-        Function<String, String> transformer = columnTransformers.get(columnLabel.toUpperCase());
+        UnaryOperator<String> transformer = columnTransformers.get(columnLabel.toUpperCase());
         if (transformer != null && value != null) {
             return transformer.apply(value);
         }
@@ -97,7 +96,7 @@ public short getShort(int columnIndex) throws SQLException {
 
     @Override
     public long getLong(int columnIndex) throws SQLException {
-        return (long) getInt(columnIndex);
+        return getInt(columnIndex);
     }
 
     @Override

jdbc-v2/src/main/java/com/clickhouse/jdbc/metadata/DatabaseMetaData.java

@@ -8,8 +8,8 @@
 import com.clickhouse.jdbc.ResultSetImpl;
 import com.clickhouse.jdbc.internal.ClientInfoProperties;
 import com.clickhouse.jdbc.internal.DriverProperties;
-import com.clickhouse.jdbc.internal.JdbcUtils;
 import com.clickhouse.jdbc.internal.ExceptionUtils;
+import com.clickhouse.jdbc.internal.JdbcUtils;
 import com.clickhouse.jdbc.internal.MetadataResultSet;
 import com.clickhouse.logging.Logger;
 import com.clickhouse.logging.LoggerFactory;
@@ -826,7 +826,9 @@ public ResultSet getTableTypes() throws SQLException {
         }
     }
 
+    private static final String DATA_TYPE_COL = "DATA_TYPE";
     @Override
+    @SuppressWarnings({"squid:S2077"})
     public ResultSet getColumns(String catalog, String schemaPattern, String tableNamePattern, String columnNamePattern) throws SQLException {
         //TODO: Best way to convert type to JDBC data type
         // TODO: handle useCatalogs == true and return schema catalog name
@@ -856,13 +858,13 @@ public ResultSet getColumns(String catalog, String schemaPattern, String tableNa
                 "'NO' as IS_AUTOINCREMENT, " +
                 "'NO' as IS_GENERATEDCOLUMN " +
                 " FROM system.columns" +
-                " WHERE database LIKE '" + (schemaPattern == null ? "%" : schemaPattern) + "'" +
-                " AND table LIKE '" + (tableNamePattern == null ? "%" : tableNamePattern) + "'" +
-                " AND name LIKE '" + (columnNamePattern == null ? "%" : columnNamePattern) + "'" +
+                " WHERE database LIKE '" + (schemaPattern == null ? "%" : JdbcUtils.escapeQuotes(schemaPattern)) + "'" +
+                " AND table LIKE '" + (tableNamePattern == null ? "%" : JdbcUtils.escapeQuotes(tableNamePattern)) + "'" +
+                " AND name LIKE '" + (columnNamePattern == null ? "%" : JdbcUtils.escapeQuotes(columnNamePattern)) + "'" +
                 " ORDER BY TABLE_SCHEM, TABLE_NAME, ORDINAL_POSITION";
         try {
             return new MetadataResultSet((ResultSetImpl) connection.createStatement().executeQuery(sql))
-                    .transform("DATA_TYPE", ClickHouseColumn.of("DATA_TYPE", "Int32"), DatabaseMetaData::columnDataTypeToSqlType);
+                    .transform(DATA_TYPE_COL, ClickHouseColumn.of(DATA_TYPE_COL, ClickHouseDataType.Int32.name()), DatabaseMetaData::columnDataTypeToSqlType);
         } catch (Exception e) {
             throw ExceptionUtils.toSqlState(e);
         }

jdbc-v2/src/test/java/com/clickhouse/jdbc/internal/JdbcUtilsTest.java

@@ -1,13 +1,12 @@
 package com.clickhouse.jdbc.internal;
 
-import com.clickhouse.jdbc.JdbcIntegrationTest;
 import org.testng.annotations.Test;
 
 import java.util.List;
 
 import static org.testng.Assert.assertEquals;
 
-public class JdbcUtilsTest extends JdbcIntegrationTest {
+public class JdbcUtilsTest {
     @Test(groups = { "integration" })
     public void testTokenizeSQL() {
         String sql1 = "SELECT * FROM table WHERE id = 1";
@@ -48,4 +47,14 @@ public void testTokenizeSQL() {
         assertEquals(tokens3.get(4), "WHERE");
         assertEquals(tokens3.get(5).replace("\"", ""), "id = 1 AND name = 'John' OR age = 30");
     }
+
+    @Test
+    public void testEscapeQuotes() {
+        String[] inStr = new String[]{"%valid_name%", "' OR 1=1 --", "\" OR 1=1 --"};
+        String[] outStr = new String[]{"%valid_name%", "\\' OR 1=1 --", "\\\" OR 1=1 --"};
+
+        for (int i = 0; i < inStr.length; i++) {
+            assertEquals(JdbcUtils.escapeQuotes(inStr[i]), outStr[i]);
+        }
+    }
 }