Samin061 opened a new pull request, #5075:
URL: https://github.com/apache/calcite/pull/5075

   ## Jira Link
   
   No Jira filed yet; happy to open one under CALCITE if you'd prefer to track 
it there.
   
   ## Changes Proposed
   
   When the Cassandra and Geode adapters push a filter down to the backend, a 
SQL string literal is wrapped in single quotes to build the CQL/OQL predicate, 
but embedded single quotes are not escaped. `CassandraFilter.translateOp2` and 
`GeodeFilter.quoteCharLiteral` emit `col = '<value>'` verbatim, so a value that 
itself contains a quote breaks out of the string literal. A legitimate value 
such as `O'Brien` produces malformed CQL/OQL, and a runtime-supplied literal 
can inject additional predicate syntax into the query that reaches 
`session.execute` / `QueryService.newQuery`.
   
   The Geode test for `WHERE city = 'a''b'` currently makes the OQL parser fail 
with `unexpected token: b`, which shows the value leaking out of the literal. 
Doubling the embedded quote (`'` -> `''`) keeps the value inside the literal 
for both dialects; this is the same escaping the Druid adapter already applies 
in `DruidExpressions.stringLiteral`.
   
   Added a Geode test that asserts the generated OQL is `... WHERE city = 
'a''b'`, and a Cassandra test that a quoted filter value executes cleanly.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to