Samin061 opened a new pull request, #5075: URL: https://github.com/apache/calcite/pull/5075
## Jira Link No Jira filed yet; happy to open one under CALCITE if you'd prefer to track it there. ## Changes Proposed When the Cassandra and Geode adapters push a filter down to the backend, a SQL string literal is wrapped in single quotes to build the CQL/OQL predicate, but embedded single quotes are not escaped. `CassandraFilter.translateOp2` and `GeodeFilter.quoteCharLiteral` emit `col = '<value>'` verbatim, so a value that itself contains a quote breaks out of the string literal. A legitimate value such as `O'Brien` produces malformed CQL/OQL, and a runtime-supplied literal can inject additional predicate syntax into the query that reaches `session.execute` / `QueryService.newQuery`. The Geode test for `WHERE city = 'a''b'` currently makes the OQL parser fail with `unexpected token: b`, which shows the value leaking out of the literal. Doubling the embedded quote (`'` -> `''`) keeps the value inside the literal for both dialects; this is the same escaping the Druid adapter already applies in `DruidExpressions.stringLiteral`. Added a Geode test that asserts the generated OQL is `... WHERE city = 'a''b'`, and a Cassandra test that a quoted filter value executes cleanly. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
