From 13fd49a79e10b21b25fe89c590169cf99332f63c Mon Sep 17 00:00:00 2001
From: "yd.2"
Date: Wed, 15 Mar 2023 17:11:13 +0900
Subject: [PATCH] SqlIdentifierParameterSource now sanitizes identifier names
---
 .../jdbc/plus/sql/convert/SqlGenerator.java | 14 ++++++-------
 .../BindParameterNameSanitizer.java | 21 +++++++++++++++++++
 .../SqlIdentifierParameterSource.java | 2 +-
 3 files changed, 28 insertions(+), 9 deletions(-)
 create mode 100644 spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/BindParameterNameSanitizer.java
diff --git a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/convert/SqlGenerator.java b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/convert/SqlGenerator.java
index 4101cb92..42eb148a 100644
--- a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/convert/SqlGenerator.java
+++ b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/convert/SqlGenerator.java
@@ -29,7 +29,6 @@
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.function.Function;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -88,6 +87,7 @@
 import org.springframework.util.Assert;
 import com.navercorp.spring.data.jdbc.plus.sql.annotation.SqlFunction;
+import com.navercorp.spring.data.jdbc.plus.sql.parametersource.BindParameterNameSanitizer;
 /**
 * Generates SQL statements to be used by {@link org.springframework.data.jdbc.repository.support.SimpleJdbcRepository}
@@ -113,8 +113,6 @@ class SqlGenerator {
 static final SqlIdentifier IDS_SQL_PARAMETER = SqlIdentifier.unquoted("ids");
 static final SqlIdentifier ROOT_ID_PARAMETER = SqlIdentifier.unquoted("rootId");
- private static final Pattern parameterPattern = Pattern.compile("\\W");
-
 private final RelationalPersistentEntity entity;
 private final MappingContext, RelationalPersistentProperty> mappingContext;
 private final RenderContext renderContext;
@@ -236,7 +234,7 @@ private Condition getSubselectCondition(PersistentPropertyPathExtension path,
 }
 private BindMarker getBindMarker(SqlIdentifier columnName) {
- return SQL.bindMarker(":" + parameterPattern.matcher(renderReference(columnName)).replaceAll(""));
+ return SQL.bindMarker(":" + BindParameterNameSanitizer.sanitize(renderReference(columnName)));
 }
 /**
@@ -887,7 +885,7 @@ private String createUpdateWithVersionSql() {
 Update update = createBaseUpdate() //
 .and(getVersionColumn().isEqualTo(
- SQL.bindMarker(":" + renderReference(VERSION_SQL_PARAMETER)))) //
+ getBindMarker(VERSION_SQL_PARAMETER))) //
 .build();
 return render(update);
@@ -950,7 +948,7 @@ private String createDeleteByIdAndVersionSql() {
 Delete delete = createBaseDeleteById(getDmlTable()) //
 .and(getVersionColumn().isEqualTo(
- SQL.bindMarker(":" + renderReference(VERSION_SQL_PARAMETER)))) //
+ getBindMarker(VERSION_SQL_PARAMETER))) //
 .build();
 return render(delete);
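Review bot: `getBindMarker` carries no comment saying that its result has to equal the name `SqlIdentifierParameterSource.addValue` registers, although after this commit both sides depend on `BindParameterNameSanitizer.sanitize` producing the same string. I would add above the method `// Must yield the name SqlIdentifierParameterSource registers; do not build ":" + renderReference(...) directly.` None of the visible hunks leaves a raw `SQL.bindMarker(":" + renderReference(...))` behind, but most of SqlGenerator is outside them, so a search for remaining call sites of that form is worth doing: any marker still built from the unsanitized reference would no longer find its value once the identifier contains a non-word character. Whether `renderReference(columnName)` and `identifier.getReference(identifierProcessing)` always agree before sanitizing cannot be confirmed from this diff.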
@@ -959,13 +957,13 @@ private String createDeleteByIdAndVersionSql() {
 private DeleteBuilder.DeleteWhereAndOr createBaseDeleteById(Table table) {
 return Delete.builder().from(table)
 .where(getIdColumn().isEqualTo(
- SQL.bindMarker(":" + renderReference(ID_SQL_PARAMETER))));
+ getBindMarker(ID_SQL_PARAMETER)));
 }
 private DeleteBuilder.DeleteWhereAndOr createBaseDeleteByIdIn(Table table) {
 return Delete.builder().from(table)
- .where(getIdColumn().in(SQL.bindMarker(":" + renderReference(IDS_SQL_PARAMETER))));
+ .where(getIdColumn().in(getBindMarker(IDS_SQL_PARAMETER)));
 }
 private String createDeleteByPathAndCriteria(PersistentPropertyPathExtension path,
diff --git a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/BindParameterNameSanitizer.java b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/BindParameterNameSanitizer.java
new file mode 100644
index 00000000..877f444b
--- /dev/null
+++ b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/BindParameterNameSanitizer.java
@@ -0,0 +1,21 @@
+package com.navercorp.spring.data.jdbc.plus.sql.parametersource;
+
+import java.util.regex.Pattern;
+
+/**
+ * Sanitizes the name of bind parameters, so they don't contain any illegal characters.
+ *
+ * @author Jens Schauder
+ *
+ * @since 3.0.2
+ *
+ * COPY: org.springframework.data.jdbc.core.convert.BindParameterNameSanitizer
+ */
+public abstract class BindParameterNameSanitizer {
+
+ private static final Pattern parameterPattern = Pattern.compile("\\W");
+
+ public static String sanitize(String rawName) {
+ return parameterPattern.matcher(rawName).replaceAll("");
+ }
+}
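Review bot: `sanitize` can return an empty string, and can map two different identifiers to the same name, and the new class neither rejects nor documents either outcome. `Pattern.compile("\\W")` without `Pattern.UNICODE_CHARACTER_CLASS` counts only `[a-zA-Z_0-9]` as word characters, so an identifier written entirely in a non-ASCII script is reduced to `""` and the marker becomes a bare `:`, while `user-name` and `username` both come out as `username`. Since the class is marked as a copy of the Spring Data JDBC one, changing the pattern may not be wanted, but failing fast is cheap: keep the result in `String name = parameterPattern.matcher(rawName).replaceAll("");` and add `if (name.isEmpty()) throw new IllegalArgumentException("No usable bind parameter name in: " + rawName);` before returning it. A Javadoc on `sanitize` stating that `rawName` must be non-null and that the result is not guaranteed to be unique would help callers, and a private constructor is the usual way to keep a static-only class from being subclassed.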
diff --git a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/SqlIdentifierParameterSource.java b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/SqlIdentifierParameterSource.java
index db96e87a..978156ca 100644
--- a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/SqlIdentifierParameterSource.java
+++ b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/SqlIdentifierParameterSource.java
@@ -74,7 +74,7 @@ void addValue(SqlIdentifier name, Object value) {
 void addValue(SqlIdentifier identifier, Object value, int sqlType) {
 identifiers.add(identifier);
- String name = identifier.getReference(identifierProcessing);
+ String name = BindParameterNameSanitizer.sanitize(identifier.getReference(identifierProcessing));
 namesToValues.put(name, value);
 registerSqlType(name, sqlType);
 }
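Review bot: `namesToValues.put(name, value)` now silently replaces an earlier entry when two different identifiers sanitize to the same name, while `identifiers` keeps both, so a statement could run with one column's value bound to another column's marker. Before this change the keys were the raw references, which are presumably distinct for distinct identifiers. If re-adding the same identifier is not a supported use (this hunk does not show whether it is), a guard before the `put` such as `if (namesToValues.containsKey(name)) throw new IllegalStateException("Duplicate bind parameter name: " + name);` turns the collision into an immediate error; otherwise the check has to compare against the identifier that first claimed the name. A test that adds two identifiers differing only in a non-word character would pin the intended behaviour down.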