Merge pull request #20 from topcoder-platform/CORE-140

eisbilir · web-flow · commit 73812d40e586 · 2023-11-28T10:13:28.000+03:00
feat: increase raw query length limit
diff --git a/src/main/java/com/topcoder/dal/DBAccessor.java b/src/main/java/com/topcoder/dal/DBAccessor.java
@@ -126,7 +126,7 @@ private Row rawQueryMapper(ResultSet rs, int rowNum) throws SQLException {
                 case java.sql.Types.BIGINT -> valueBuilder.setLongValue(rs.getLong(i + 1));
                 case java.sql.Types.FLOAT -> valueBuilder.setFloatValue(rs.getFloat(i + 1));
                 case java.sql.Types.DOUBLE -> valueBuilder.setDoubleValue(rs.getDouble(i + 1));
-                case java.sql.Types.VARCHAR ->
+                case java.sql.Types.VARCHAR, java.sql.Types.CHAR ->
                     valueBuilder.setStringValue(Objects.requireNonNullElse(rs.getString(i + 1), ""));
                 case java.sql.Types.BOOLEAN -> valueBuilder.setBooleanValue(rs.getBoolean(i + 1));
                 case java.sql.Types.DATE, java.sql.Types.TIMESTAMP -> valueBuilder
diff --git a/src/main/java/com/topcoder/dal/util/QueryHelper.java b/src/main/java/com/topcoder/dal/util/QueryHelper.java
@@ -192,23 +192,24 @@ public static String sanitizeSQLStatement(String sql) {
         }
 
         // Limit the length of the SQL statement to prevent very long strings
-        if (sql.length() > 1000) {
+        if (sql.length() > 2000) {
             throw new IllegalArgumentException("SQL statement length exceeds the allowed limit");
         }
 
         // Whitelist characters
         StringBuilder safeSQL = new StringBuilder();
         for (char c : sql.toCharArray()) {
             if (Character.isLetterOrDigit(c) || c == ' ' || c == ',' || c == '(' || c == ')' || c == '=' || c == '<'
-                    || c == '>' || c == '_' || c == ':' || c == '.' || c == '-' || c == '+' || c == '*' || c == '\'') {
+                    || c == '>' || c == '_' || c == ':' || c == '.' || c == '-' || c == '+' || c == '*' || c == '\''
+                    || c == '!') {
                 safeSQL.append(c);
             }
         }
         sql = safeSQL.toString();
 
         // replace single quotes with two single quotes to prevent SQL injection through
         // strings
-        sql = sql.replace("'", "''");
+        // sql = sql.replace("'", "''");
 
         return sql;
     }

Original file line number	Diff line number	Diff line change
`@@ -192,23 +192,24 @@ public static String sanitizeSQLStatement(String sql) {`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`// Limit the length of the SQL statement to prevent very long strings`
`195`		`- if (sql.length() > 1000) {`
	`195`	`+ if (sql.length() > 2000) {`
`196`	`196`	`throw new IllegalArgumentException("SQL statement length exceeds the allowed limit");`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`// Whitelist characters`
`200`	`200`	`StringBuilder safeSQL = new StringBuilder();`
`201`	`201`	`for (char c : sql.toCharArray()) {`
`202`	`202`	`if (Character.isLetterOrDigit(c) \|\| c == ' ' \|\| c == ',' \|\| c == '(' \|\| c == ')' \|\| c == '=' \|\| c == '<'`
`203`		`- \|\| c == '>' \|\| c == '_' \|\| c == ':' \|\| c == '.' \|\| c == '-' \|\| c == '+' \|\| c == '*' \|\| c == '\'') {`
	`203`	`+ \|\| c == '>' \|\| c == '_' \|\| c == ':' \|\| c == '.' \|\| c == '-' \|\| c == '+' \|\| c == '*' \|\| c == '\''`
	`204`	`+ \|\| c == '!') {`
`204`	`205`	`safeSQL.append(c);`
`205`	`206`	`}`
`206`	`207`	`}`
`207`	`208`	`sql = safeSQL.toString();`
`208`	`209`
`209`	`210`	`// replace single quotes with two single quotes to prevent SQL injection through`
`210`	`211`	`// strings`
`211`		`- sql = sql.replace("'", "''");`
	`212`	`+ // sql = sql.replace("'", "''");`
`212`	`213`
`213`	`214`	`return sql;`
`214`	`215`	`}`