Revert "code QL issues fix in progressdbclient.cs file inside kernal memory floder"

Akhileswara-Microsoft · Akhileswara-Microsoft · commit 9eb021c1a7a1 · 2025-12-17T08:29:09.000+05:30
This reverts commit 4230c30.
diff --git a/App/kernel-memory/extensions/Postgres/Postgres/Internals/PostgresDbClient.cs b/App/kernel-memory/extensions/Postgres/Postgres/Internals/PostgresDbClient.cs
@@ -315,8 +315,7 @@ public async Task DeleteTableAsync(
                 await using (cmd.ConfigureAwait(false))
                 {
 #pragma warning disable CA2100 // SQL reviewed
-                    // Escape and quote the table name to prevent SQL injection. This expects previous normalization/validation.
-                    cmd.CommandText = $"DROP TABLE IF EXISTS {EscapeIdentifierForPostgres(tableName)}";
+                    cmd.CommandText = $"DROP TABLE IF EXISTS {tableName}";
 #pragma warning restore CA2100
 
                     this._log.LogTrace("Deleting table. SQL: {0}", cmd.CommandText);
@@ -779,13 +778,4 @@ private static long GenLockId(string resourceId)
         return BitConverter.ToUInt32(SHA256.HashData(Encoding.UTF8.GetBytes(resourceId)), 0)
                % short.MaxValue;
     }
-    /// <summary>
-    /// Escape a SQL identifier (such as table or schema name) for use in Postgres queries.
-    /// Assumes the identifier is already validated.
-    /// </summary>
-    private static string EscapeIdentifierForPostgres(string identifier)
-    {
-        // Double quotes in identifiers are escaped by doubling them in PostgreSQL
-        return $"\"{identifier.Replace("\"", "\"\"")}\"";
-    }
 }
diff --git a/App/kernel-memory/extensions/Postgres/Postgres/PostgresMemory.cs b/App/kernel-memory/extensions/Postgres/Postgres/PostgresMemory.cs
@@ -232,11 +232,18 @@ private void Dispose(bool disposing)
     // Note: "_" is allowed in Postgres, but we normalize it to "-" for consistency with other DBs
     private static readonly Regex s_replaceIndexNameCharsRegex = new(@"[\s|\\|/|.|_|:]");
     private const string ValidSeparator = "-";
-    
+    // Only allow 1-63 chars, start with a lowercase letter, then letters, digits, dashes, or underscores.
+    private static readonly Regex s_validIndexNameRegex = new(@"^[a-z][a-z0-9\-_]{0,62}$", RegexOptions.Compiled);
+
     private static string NormalizeIndexName(string index)
     {
         ArgumentNullExceptionEx.ThrowIfNullOrWhiteSpace(index, nameof(index), "The index name is empty");
-        index = s_replaceIndexNameCharsRegex.Replace(index.Trim().ToLowerInvariant(), ValidSeparator);   
+        index = s_replaceIndexNameCharsRegex.Replace(index.Trim().ToLowerInvariant(), ValidSeparator);
+        // Enforce positive validation for safe Postgres identifier.
+        if (!s_validIndexNameRegex.IsMatch(index))
+        {
+            throw new ArgumentException($"Index name '{index}' is invalid. Must match regex: ^[a-z][a-z0-9\\-_]{{0,62}}$");
+        }
 
         PostgresSchema.ValidateTableName(index);
 
