Fix issue in SelectTrigger

Author: shulkaolka

src/main/java/io/elastic/jdbc/Utils.java

@@ -31,7 +31,8 @@ public class Utils {
   public static final String CFG_DB_ENGINE = "dbEngine";
   public static final String CFG_HOST = "host";
   public static final String CFG_USER = "user";
-  public static final String VARS_REGEXP = "@([\\w_$][\\d\\w_$]*(:(string|boolean|date|number|bigint|float|real))?)";
+  public static final String VARS_REGEXP = "\\B@([\\w_$][\\d\\w_$]*(:(string|boolean|date|number|bigint|float|real))?)";
+  public static final String TEMPLATE_REGEXP = "\\B@\\S+";
   private static final Logger LOGGER = LoggerFactory.getLogger(Utils.class);
   public static Map<String, String> columnTypes = null;
 
@@ -190,7 +191,7 @@ public static Map<String, String> getColumnTypes(Connection connection, Boolean
       String tableName) {
     DatabaseMetaData md;
     ResultSet rs = null;
-    Map<String, String> columnTypes = new HashMap<String, String>();
+    Map<String, String> columnTypes = new HashMap<>();
     String schemaName = null;
     try {
       md = connection.getMetaData();
@@ -219,7 +220,7 @@ public static Map<String, String> getColumnTypes(Connection connection, Boolean
   }
 
   public static Map<String, String> getVariableTypes(String sqlQuery) {
-    Map<String, String> columnTypes = new HashMap<String, String>();
+    Map<String, String> columnTypes = new HashMap<>();
     Pattern pattern = Pattern.compile(Utils.VARS_REGEXP);
     Matcher matcher = pattern.matcher(sqlQuery);
     Boolean isEmpty;
@@ -299,5 +300,4 @@ public static JsonObjectBuilder getColumnDataByType(ResultSet rs, ResultSetMetaD
     }
     return row;
   }
-
 }

src/main/java/io/elastic/jdbc/triggers/SelectTrigger.java

@@ -7,15 +7,15 @@
 import io.elastic.jdbc.QueryFactory;
 import io.elastic.jdbc.Utils;
 import java.sql.Connection;
-import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Timestamp;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Calendar;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.json.Json;
 import javax.json.JsonObject;
-import javax.json.JsonString;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -34,8 +34,9 @@ public class SelectTrigger implements Module {
   public final void execute(ExecutionParameters parameters) {
     LOGGER.info("About to execute select trigger");
     final JsonObject configuration = parameters.getConfiguration();
-    JsonObject snapshot = parameters.getSnapshot();
     checkConfig(configuration);
+    String sqlQuery = configuration.getString(SQL_QUERY_VALUE);
+    JsonObject snapshot = parameters.getSnapshot();
     Connection connection = Utils.getConnection(configuration);
     Integer skipNumber = 0;
 
@@ -60,12 +61,11 @@ public final void execute(ExecutionParameters parameters) {
       pollingValue = cts;
     }
     LOGGER.info("EIO_LAST_POLL = {}", pollingValue);
-    String sqlQuery = configuration.getString(SQL_QUERY_VALUE);
+
     if (snapshot.get(PROPERTY_SKIP_NUMBER) != null) {
       skipNumber = snapshot.getInt(PROPERTY_SKIP_NUMBER);
     }
     LOGGER.info("SQL QUERY {} : ", sqlQuery);
-    ResultSet rs = null;
     LOGGER.info("Executing select trigger");
     try {
       QueryFactory queryFactory = new QueryFactory();
@@ -97,11 +97,19 @@ public final void execute(ExecutionParameters parameters) {
   }
 
   private void checkConfig(JsonObject config) {
-    final JsonString sqlQuery = config.getJsonString(SQL_QUERY_VALUE);
+    final String sqlQuery = config.getString(SQL_QUERY_VALUE);
 
-    if (sqlQuery == null || sqlQuery.toString().isEmpty()) {
+    if (sqlQuery == null || sqlQuery.isEmpty()) {
       throw new RuntimeException("SQL Query is required field");
     }
+
+    Pattern pattern = Pattern.compile(Utils.TEMPLATE_REGEXP);
+    Matcher matcher = pattern.matcher(sqlQuery);
+    if (matcher.find()) {
+      throw new RuntimeException("Use of prepared statement variables template '"
+          + matcher.group()
+          + "' is forbidden");
+    }
   }
 
 }

src/test/groovy/io/elastic/jdbc/SelectTriggerCheckConfigSpec.groovy

@@ -0,0 +1,56 @@
+package io.elastic.jdbc
+
+import spock.lang.Shared
+import spock.lang.Specification
+
+import javax.json.Json
+import javax.json.JsonObjectBuilder
+import io.elastic.jdbc.triggers.SelectTrigger
+
+class SelectTriggerCheckConfigSpec extends Specification {
+  @Shared
+  SelectTrigger trigger
+
+  JsonObjectBuilder configuration = Json.createObjectBuilder()
+  String sqlQuery
+
+  def setup() {
+    trigger = new SelectTrigger()
+  }
+
+  def "check sqlQuery string with @parameter:type"() {
+    sqlQuery = 'SELECT * from stars WHERE id= @id:number'
+    configuration.add("sqlQuery", sqlQuery)
+
+    when:
+    trigger.checkConfig(configuration.build())
+    then:
+    thrown RuntimeException
+  }
+
+  def "check sqlQuery string with @parameter.name:type"() {
+    sqlQuery = 'SELECT * from stars WHERE id= @id.name:number'
+    configuration.add("sqlQuery", sqlQuery)
+
+    when:
+    trigger.checkConfig(configuration.build())
+    then:
+    thrown RuntimeException
+  }
+
+  def "sqlQuery string is empty"() {
+    configuration.add("sqlQuery", '')
+    when:
+    trigger.checkConfig(configuration.build())
+    then:
+    thrown RuntimeException
+  }
+
+  def "confid isn't contains sqlQuery string"() {
+    when:
+    trigger.checkConfig(configuration.build())
+    then:
+    thrown RuntimeException
+  }
+
+}