Escape strings with quotes in custom query parameters.

(Backport of commit f8fbf77)

Author: sothawo

src/main/java/org/springframework/data/elasticsearch/repository/query/ElasticsearchStringQuery.java

@@ -15,16 +15,11 @@
  */
 package org.springframework.data.elasticsearch.repository.query;
 
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import org.springframework.core.convert.support.GenericConversionService;
 import org.springframework.data.elasticsearch.core.ElasticsearchOperations;
-import org.springframework.data.elasticsearch.core.convert.DateTimeConverters;
 import org.springframework.data.elasticsearch.core.query.StringQuery;
+import org.springframework.data.elasticsearch.repository.support.StringQueryUtil;
 import org.springframework.data.repository.query.ParametersParameterAccessor;
 import org.springframework.util.Assert;
-import org.springframework.util.NumberUtils;
 
 /**
  * ElasticsearchStringQuery
@@ -33,26 +28,12 @@
  * @author Mohsin Husen
  * @author Mark Paluch
  * @author Taylor Ono
+ * @author Peter-Josef Meisch
  */
 public class ElasticsearchStringQuery extends AbstractElasticsearchRepositoryQuery {
 
-	private static final Pattern PARAMETER_PLACEHOLDER = Pattern.compile("\\?(\\d+)");
 	private String query;
 
-	private final GenericConversionService conversionService = new GenericConversionService();
-
-	{
-		if (!conversionService.canConvert(java.util.Date.class, String.class)) {
-			conversionService.addConverter(DateTimeConverters.JavaDateConverter.INSTANCE);
-		}
-		if (!conversionService.canConvert(org.joda.time.ReadableInstant.class, String.class)) {
-			conversionService.addConverter(DateTimeConverters.JodaDateTimeConverter.INSTANCE);
-		}
-		if (!conversionService.canConvert(org.joda.time.LocalDateTime.class, String.class)) {
-			conversionService.addConverter(DateTimeConverters.JodaLocalDateTimeConverter.INSTANCE);
-		}
-	}
-
 	public ElasticsearchStringQuery(ElasticsearchQueryMethod queryMethod, ElasticsearchOperations elasticsearchOperations,
 			String query) {
 		super(queryMethod, elasticsearchOperations);
@@ -79,31 +60,7 @@ public Object execute(Object[] parameters) {
 	}
 
 	protected StringQuery createQuery(ParametersParameterAccessor parameterAccessor) {
-		String queryString = replacePlaceholders(this.query, parameterAccessor);
+		String queryString = StringQueryUtil.replacePlaceholders(this.query, parameterAccessor);
 		return new StringQuery(queryString);
 	}
-
-	private String replacePlaceholders(String input, ParametersParameterAccessor accessor) {
-
-		Matcher matcher = PARAMETER_PLACEHOLDER.matcher(input);
-		String result = input;
-		while (matcher.find()) {
-
-			String placeholder = Pattern.quote(matcher.group()) + "(?!\\d+)";
-			int index = NumberUtils.parseNumber(matcher.group(1), Integer.class);
-			result = result.replaceAll(placeholder, getParameterWithIndex(accessor, index));
-		}
-		return result;
-	}
-
-	private String getParameterWithIndex(ParametersParameterAccessor accessor, int index) {
-		Object parameter = accessor.getBindableValue(index);
-		if (parameter == null) {
-			return "null";
-		}
-		if (conversionService.canConvert(parameter.getClass(), String.class)) {
-			return conversionService.convert(parameter, String.class);
-		}
-		return parameter.toString();
-	}
 }

src/main/java/org/springframework/data/elasticsearch/repository/query/ReactiveElasticsearchStringQuery.java

@@ -15,24 +15,20 @@
  */
 package org.springframework.data.elasticsearch.repository.query;
 
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 import org.springframework.data.elasticsearch.core.ReactiveElasticsearchOperations;
 import org.springframework.data.elasticsearch.core.query.StringQuery;
+import org.springframework.data.elasticsearch.repository.support.StringQueryUtil;
 import org.springframework.data.repository.query.QueryMethodEvaluationContextProvider;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.util.NumberUtils;
-import org.springframework.util.ObjectUtils;
 
 /**
  * @author Christoph Strobl
  * @author Taylor Ono
+ * @author Peter-Josef Meisch
  * @since 3.2
  */
 public class ReactiveElasticsearchStringQuery extends AbstractReactiveElasticsearchRepositoryQuery {
 
-	private static final Pattern PARAMETER_PLACEHOLDER = Pattern.compile("\\?(\\d+)");
 	private final String query;
 
 	public ReactiveElasticsearchStringQuery(ReactiveElasticsearchQueryMethod queryMethod,
@@ -52,27 +48,10 @@ public ReactiveElasticsearchStringQuery(String query, ReactiveElasticsearchQuery
 
 	@Override
 	protected StringQuery createQuery(ElasticsearchParameterAccessor parameterAccessor) {
-		String queryString = replacePlaceholders(this.query, parameterAccessor);
+		String queryString = StringQueryUtil.replacePlaceholders(this.query, parameterAccessor);
 		return new StringQuery(queryString);
 	}
 
-	private String replacePlaceholders(String input, ElasticsearchParameterAccessor accessor) {
-
-		Matcher matcher = PARAMETER_PLACEHOLDER.matcher(input);
-		String result = input;
-		while (matcher.find()) {
-
-			String placeholder = Pattern.quote(matcher.group()) + "(?!\\d+)";
-			int index = NumberUtils.parseNumber(matcher.group(1), Integer.class);
-			result = result.replaceAll(placeholder, getParameterWithIndex(accessor, index));
-		}
-		return result;
-	}
-
-	private String getParameterWithIndex(ElasticsearchParameterAccessor accessor, int index) {
-		return ObjectUtils.nullSafeToString(accessor.getBindableValue(index));
-	}
-
 	@Override
 	boolean isCountQuery() {
 		return false;

src/main/java/org/springframework/data/elasticsearch/repository/support/StringQueryUtil.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.data.elasticsearch.repository.support;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.springframework.core.convert.support.GenericConversionService;
+import org.springframework.data.elasticsearch.core.convert.DateTimeConverters;
+import org.springframework.data.elasticsearch.repository.query.ElasticsearchStringQuery;
+import org.springframework.data.repository.query.ParameterAccessor;
+import org.springframework.util.ClassUtils;
+import org.springframework.util.NumberUtils;
+
+/**
+ * @author Peter-Josef Meisch
+ */
+final public class StringQueryUtil {
+
+	private static final Pattern PARAMETER_PLACEHOLDER = Pattern.compile("\\?(\\d+)");
+	private static final GenericConversionService conversionService = new GenericConversionService();
+
+	{
+		if (!conversionService.canConvert(java.util.Date.class, String.class)) {
+			conversionService.addConverter(DateTimeConverters.JavaDateConverter.INSTANCE);
+		}
+		if (ClassUtils.isPresent("org.joda.time.DateTimeZone", ElasticsearchStringQuery.class.getClassLoader())) {
+			if (!conversionService.canConvert(org.joda.time.ReadableInstant.class, String.class)) {
+				conversionService.addConverter(DateTimeConverters.JodaDateTimeConverter.INSTANCE);
+			}
+			if (!conversionService.canConvert(org.joda.time.LocalDateTime.class, String.class)) {
+				conversionService.addConverter(DateTimeConverters.JodaLocalDateTimeConverter.INSTANCE);
+			}
+		}
+	}
+
+	private StringQueryUtil() {}
+
+	public static String replacePlaceholders(String input, ParameterAccessor accessor) {
+
+		Matcher matcher = PARAMETER_PLACEHOLDER.matcher(input);
+		String result = input;
+		while (matcher.find()) {
+
+			String placeholder = Pattern.quote(matcher.group()) + "(?!\\d+)";
+			int index = NumberUtils.parseNumber(matcher.group(1), Integer.class);
+			result = result.replaceAll(placeholder, Matcher.quoteReplacement(getParameterWithIndex(accessor, index)));
+		}
+		return result;
+	}
+
+	private static String getParameterWithIndex(ParameterAccessor accessor, int index) {
+
+		Object parameter = accessor.getBindableValue(index);
+		String parameterValue = "null";
+
+		// noinspection ConstantConditions
+		if (parameter != null) {
+
+			if (conversionService.canConvert(parameter.getClass(), String.class)) {
+				String converted = conversionService.convert(parameter, String.class);
+
+				if (converted != null) {
+					parameterValue = converted;
+				}
+			} else {
+				parameterValue = parameter.toString();
+			}
+		}
+
+		parameterValue = parameterValue.replaceAll("\"", Matcher.quoteReplacement("\\\""));
+		return parameterValue;
+
+	}
+
+}

src/test/java/org/springframework/data/elasticsearch/repository/query/ElasticsearchStringQueryUnitTests.java

@@ -87,6 +87,16 @@ public void shouldReplaceRepeatedParametersCorrectly() throws Exception {
 				.isEqualTo("name:(zero, eleven, one, two, three, four, five, six, seven, eight, nine, ten, eleven, zero, one)");
 	}
 
+	@Test // #1790
+	public void shouldEscapeStringsInQueryParameters() throws Exception {
+
+		org.springframework.data.elasticsearch.core.query.Query query = createQuery("findByPrefix", "hello \"Stranger\"");
+
+		assertThat(query).isInstanceOf(StringQuery.class);
+		assertThat(((StringQuery) query).getSource())
+				.isEqualTo("{\"bool\":{\"must\": [{\"match\": {\"prefix\": {\"name\" : \"hello \\\"Stranger\\\"\"}}]}}");
+	}
+
 	private org.springframework.data.elasticsearch.core.query.Query createQuery(String methodName, String... args)
 			throws NoSuchMethodException {
 
@@ -166,6 +176,9 @@ private interface SampleRepository extends Repository<Person, String> {
 		@Query(value = "name:(?0, ?11, ?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?0, ?1)")
 		Person findWithRepeatedPlaceholder(String arg0, String arg1, String arg2, String arg3, String arg4, String arg5,
 				String arg6, String arg7, String arg8, String arg9, String arg10, String arg11);
+
+		@Query("{\"bool\":{\"must\": [{\"match\": {\"prefix\": {\"name\" : \"?0\"}}]}}")
+		List<Book> findByPrefix(String prefix);
 	}
 
 	/**

src/test/java/org/springframework/data/elasticsearch/repository/query/ReactiveElasticsearchStringQueryUnitTests.java

@@ -124,6 +124,16 @@ public void shouldReplaceRepeatedParametersCorrectly() throws Exception {
 				.isEqualTo("name:(zero, eleven, one, two, three, four, five, six, seven, eight, nine, ten, eleven, zero, one)");
 	}
 
+	@Test // #1790
+	public void shouldEscapeStringsInQueryParameters() throws Exception {
+
+		org.springframework.data.elasticsearch.core.query.Query query = createQuery("findByPrefix", "hello \"Stranger\"");
+
+		assertThat(query).isInstanceOf(StringQuery.class);
+		assertThat(((StringQuery) query).getSource())
+				.isEqualTo("{\"bool\":{\"must\": [{\"match\": {\"prefix\": {\"name\" : \"hello \\\"Stranger\\\"\"}}]}}");
+	}
+
 	private org.springframework.data.elasticsearch.core.query.Query createQuery(String methodName, String... args)
 			throws NoSuchMethodException {
 
@@ -168,6 +178,9 @@ Person findWithQuiteSomeParameters(String arg0, String arg1, String arg2, String
 		@Query(value = "name:(?0, ?11, ?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?0, ?1)")
 		Person findWithRepeatedPlaceholder(String arg0, String arg1, String arg2, String arg3, String arg4, String arg5,
 				String arg6, String arg7, String arg8, String arg9, String arg10, String arg11);
+
+		@Query("{\"bool\":{\"must\": [{\"match\": {\"prefix\": {\"name\" : \"?0\"}}]}}")
+		Flux<Book> findByPrefix(String prefix);
 	}
 
 	/**