Pull request #84: EDELIVERY-12927 Resources Search Filter Treats % Character as Placeholder

Merge in EDELIVERY/smp from bugfix/EDELIVERY-12927-resources-search-filter-treats-character-as-placeholder to development * commit 'cc91db9a': EDELIVERY-12927 Resources Search Filter Treats % Character as Placeholder

Pull request #84: EDELIVERY-12927 Resources Search Filter Treats % Character as Placeholder
Merge in EDELIVERY/smp from bugfix/EDELIVERY-12927-resources-search-filter-treats-character-as-placeholder to development * commit 'cc91db9a': EDELIVERY-12927 Resources Search Filter Treats % Character as Placeholder
a6c817c1 · Sebastian-Ion TINCU · 2fd42c60 · cc91db9a · a6c817c1 · a6c817c1
Commit a6c817c1 authored 11 months ago by Sebastian-Ion TINCU
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/model/doc/DBResourceFilter.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/model/doc/DBResourceFilter.java
@@ -29,7 +29,7 @@ import java.util.Arrays;
 import java.util.List;

 import static org.apache.commons.lang3.StringUtils.trim;
-import static org.apache.commons.lang3.StringUtils.wrapIfMissing;
+import static org.apache.commons.lang3.StringUtils.wrap;

 public class DBResourceFilter {
    private static final List<MembershipRoleType> ALL_ROLES = Arrays.asList(MembershipRoleType.values());
@@ -145,7 +145,7 @@ public class DBResourceFilter {
        }

        public Builder identifierFilter(String identifierFilter) {
-            this.identifierFilter = wrapIfMissing(trim(identifierFilter), "%");
+            this.identifierFilter = wrap(trim(identifierFilter), "%");
            return this;
        }


--- a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/data/model/doc/DBResourceFilterTest.java
+++ b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/data/model/doc/DBResourceFilterTest.java
+/*-
+ * #START_LICENSE#
+ * smp-webapp
+ * %%
+ * Copyright (C) 2017 - 2023 European Commission | eDelivery | DomiSMP
+ * %%
+ * Licensed under the EUPL, Version 1.2 or – as soon they will be approved by the European Commission - subsequent
+ * versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ *
+ * [PROJECT_HOME]\license\eupl-1.2\license.txt or https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
+ * distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and limitations under the Licence.
+ * #END_LICENSE#
+ */
+package eu.europa.ec.edelivery.smp.data.model.doc;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * @author Sebastian-Ion TINCU
+ * @since 5.1
+ */
+public class DBResourceFilterTest {
+
+    @Test
+    public void wrapsFilterValueHavingPercentageCharacters() {
+        // GIVEN
+        DBResourceFilter filter = DBResourceFilter
+                .createBuilder()
+                .identifierFilter("\\%")
+                .build();
+
+        // WHEN
+        String result = filter.getIdentifierFilter();
+
+        // THEN
+        Assertions.assertEquals("%\\%%", result, "Should have wrapped the escaped '%' character around with two extra '%' characters");
+    }
+}
\ No newline at end of file
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/filter/FilterHandler.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/filter/FilterHandler.java
@@ -18,6 +18,7 @@
 */
 package eu.europa.ec.edelivery.smp.filter;

+import org.apache.commons.lang3.RegExUtils;
 import org.springframework.format.AnnotationFormatterFactory;
 import org.springframework.format.Formatter;
 import org.springframework.format.Parser;
@@ -50,15 +51,15 @@ public class FilterHandler implements AnnotationFormatterFactory<Filter> {

    @Override
    public Printer<?> getPrinter(Filter annotation, Class<?> fieldType) {
-        return getFormatter(annotation);
+        return getFormatter();
    }

    @Override
    public Parser<?> getParser(Filter annotation, Class<?> fieldType) {
-        return getFormatter(annotation);
+        return getFormatter();
    }

-    private Formatter<String> getFormatter(Filter annotation) {
+    private Formatter<String> getFormatter() {
        return new Formatter<String>() {
            @Override
            public String print(String object, Locale locale) {
@@ -67,7 +68,10 @@ public class FilterHandler implements AnnotationFormatterFactory<Filter> {

            @Override
            public String parse(String encoded, Locale locale) throws ParseException {
-                return URLDecoder.decode(encoded);
+                String decoded = URLDecoder.decode(encoded);
+                // We need to escape the following characters that have special meaning when used in a LIKE statement
+                // inside an SQL query: '%', '\', '_', ''', '"', '[' and ']'
+                return RegExUtils.replaceAll(decoded, "([%\\\\_'\"\\[\\]])", "\\\\$1");
            }
        };
    }

--- a/smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/filter/FilterHandlerTest.java
+++ b/smp-webapp/src/test/java/eu/europa/ec/edelivery/smp/filter/FilterHandlerTest.java
+/*-
+ * #START_LICENSE#
+ * smp-webapp
+ * %%
+ * Copyright (C) 2017 - 2023 European Commission | eDelivery | DomiSMP
+ * %%
+ * Licensed under the EUPL, Version 1.2 or – as soon they will be approved by the European Commission - subsequent
+ * versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ *
+ * [PROJECT_HOME]\license\eupl-1.2\license.txt or https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
+ * distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and limitations under the Licence.
+ * #END_LICENSE#
+ */
+package eu.europa.ec.edelivery.smp.filter;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.format.Parser;
+
+import java.net.URLEncoder;
+
+/**
+ * @author Sebastian-Ion TINCU
+ * @since 5.1
+ */
+public class FilterHandlerTest {
+
+    private static final Logger LOG = LoggerFactory.getLogger(FilterHandlerTest.class);
+
+    private Parser<?> filterHandlerParser;
+
+    @BeforeEach
+    public void setup() {
+        filterHandlerParser = new FilterHandler().getParser(null, null);
+
+    }
+
+    @ParameterizedTest
+    @CsvSource({
+            "'%','\\%'",        // %
+            "'\\','\\\\'",      // \
+            "'_','\\_'",        // _
+            "'''','\\'''",      // '
+            "'\"','\\\"'",      // "
+            "'[','\\['",        // [
+            "']','\\]'",        // ]
+    })
+    public void getEscapedDecodedFilterValue(String unencodedFilterValue, String expectedParsedFilterValue) throws Exception {
+        // GIVEN
+        String encodedFilterValue = URLEncoder.encode(unencodedFilterValue);
+        LOG.info("Testing if the original filter value [{}], encoded as [{}] can be decoded successfully to [{}] " +
+                "having its SQL query parameters escaped", unencodedFilterValue, encodedFilterValue, expectedParsedFilterValue);
+
+        // WHEN
+        Object result = filterHandlerParser.parse(encodedFilterValue, null);
+
+        // THEN
+        Assertions.assertEquals(expectedParsedFilterValue, result,
+                "Should have parsed the [" + encodedFilterValue + "] correctly to [" + expectedParsedFilterValue
+                        + "], decoding the original filter value and escaping any special SQL query characters that are to be used in a LIKE statement" );
+    }
+}
\ No newline at end of file