Copilot commented on code in PR #18398: URL: https://github.com/apache/dolphinscheduler/pull/18398#discussion_r3569742788
########## dolphinscheduler-task-plugin/dolphinscheduler-task-sql/src/main/java/org/apache/dolphinscheduler/plugin/task/sql/SqlTaskParameterRenderer.java: ########## @@ -0,0 +1,284 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.dolphinscheduler.plugin.task.sql; + +import org.apache.dolphinscheduler.common.utils.JSONUtils; +import org.apache.dolphinscheduler.plugin.task.api.TaskException; +import org.apache.dolphinscheduler.plugin.task.api.enums.DataType; +import org.apache.dolphinscheduler.plugin.task.api.model.Property; + +import org.apache.commons.lang3.StringUtils; + +import java.util.List; +import java.util.Map; +import java.util.stream.Collectors; + +final class SqlTaskParameterRenderer { + + private SqlTaskParameterRenderer() { + } + + static String render(String sql, Map<String, Property> paramsMap, int taskInstanceId) { + if (StringUtils.isEmpty(sql) || paramsMap == null || paramsMap.isEmpty()) { + return sql; + } + return renderParameters(sql, paramsMap, taskInstanceId); + } + + private static String renderParameters(String sql, Map<String, Property> paramsMap, int taskInstanceId) { + StringBuilder renderedSql = new StringBuilder(sql.length()); + boolean insideSingleQuotedString = false; + int index = 0; + while (index < sql.length()) { + char current = sql.charAt(index); + if (current == '\'' && insideSingleQuotedString) { + renderedSql.append(current); + if (index + 1 < sql.length() && sql.charAt(index + 1) == '\'') { + renderedSql.append('\''); + index += 2; + continue; + } + insideSingleQuotedString = false; + index++; + continue; + } + + Placeholder rawQuotedPlaceholder = matchQuotedPlaceholder(sql, index, '!', insideSingleQuotedString); + if (rawQuotedPlaceholder != null) { + Property property = getProperty(paramsMap, rawQuotedPlaceholder.paramName, taskInstanceId); + renderedSql.append(renderRawProperty(property)); + index = rawQuotedPlaceholder.endIndex; + continue; + } + + Placeholder sqlQuotedPlaceholder = matchQuotedPlaceholder(sql, index, '$', insideSingleQuotedString); + if (sqlQuotedPlaceholder != null) { + Property property = getProperty(paramsMap, sqlQuotedPlaceholder.paramName, taskInstanceId); + renderedSql.append(renderProperty(property, false, false)); + index = sqlQuotedPlaceholder.endIndex; + continue; + } + + Placeholder rawPlaceholder = matchPlaceholder(sql, index, '!'); + if (rawPlaceholder != null) { + Property property = getProperty(paramsMap, rawPlaceholder.paramName, taskInstanceId); + renderedSql.append(renderRawProperty(property)); + index = rawPlaceholder.endIndex; + continue; + } + + Placeholder sqlPlaceholder = matchPlaceholder(sql, index, '$'); + if (sqlPlaceholder != null) { + Property property = getProperty(paramsMap, sqlPlaceholder.paramName, taskInstanceId); + boolean identifierContext = !insideSingleQuotedString + && isIdentifierContext(sql, index, sqlPlaceholder.endIndex); + renderedSql.append(renderProperty(property, identifierContext, insideSingleQuotedString)); + index = sqlPlaceholder.endIndex; + continue; + } + + renderedSql.append(current); + if (current == '\'') { + insideSingleQuotedString = true; + } + index++; + } + return renderedSql.toString(); + } + + private static Placeholder matchQuotedPlaceholder(String sql, int start, char marker, + boolean insideSingleQuotedString) { + if (insideSingleQuotedString || start >= sql.length()) { + return null; + } + char quote = sql.charAt(start); + if (quote != '\'' && quote != '"') { + return null; + } + Placeholder placeholder = matchPlaceholder(sql, start + 1, marker); + if (placeholder == null || placeholder.endIndex >= sql.length() || sql.charAt(placeholder.endIndex) != quote) { + return null; + } + return new Placeholder(placeholder.paramName, placeholder.endIndex + 1); + } + + private static Placeholder matchPlaceholder(String sql, int start, char marker) { + if (start + 2 >= sql.length() || sql.charAt(start) != marker || sql.charAt(start + 1) != '{') { + return null; + } + int end = sql.indexOf('}', start + 2); + if (end < 0) { + return null; + } + return new Placeholder(sql.substring(start + 2, end), end + 1); + } + + private static Property getProperty(Map<String, Property> paramsMap, String paramName, int taskInstanceId) { + Property property = paramsMap.get(paramName); + if (property == null) { + throw new TaskException(String.format( + "No Property with paramName: %s is found in paramsMap of task instance with id: %s", + paramName, + taskInstanceId)); + } + return property; + } + + private static String renderRawProperty(Property property) { + return StringUtils.defaultString(property.getValue()); + } + + private static String renderProperty(Property property, boolean identifierContext, boolean insideStringLiteral) { + String value = property.getValue(); + if (value == null) { + return "null"; + } + if (insideStringLiteral) { + return escapeSqlString(value); + } + if (identifierContext) { + return value; + } Review Comment: In identifier context, `${name}` is rendered as a raw identifier fragment with no validation. If the supplied value contains characters that are not valid in unquoted identifiers (whitespace, quotes, punctuation), the rendered SQL becomes syntactically invalid and can unintentionally change the executed SQL. Consider failing fast by validating identifier fragments against an allowlist before returning them unquoted. ########## dolphinscheduler-task-plugin/dolphinscheduler-task-sql/src/test/java/org/apache/dolphinscheduler/plugin/task/sql/SqlTaskTest.java: ########## @@ -479,6 +484,233 @@ void testEnsureSqlContent_whenResourceMissing_throwsTaskException(@TempDir Path Assertions.assertInstanceOf(TaskException.class, thrown.getCause()); } + @Test + void testSqlTaskLocalRenderer_rendersIdentifiersValuesListsAndEscapedStrings() throws Exception { + Map<String, Property> prepareParamsMap = new HashMap<>(); + prepareParamsMap.put("dd", new Property("dd", Direct.IN, DataType.VARCHAR, "20250411")); + prepareParamsMap.put("name", new Property("name", Direct.IN, DataType.VARCHAR, "O'Reilly")); + prepareParamsMap.put("ids", new Property("ids", Direct.IN, DataType.LIST, + JSONUtils.toJsonString(Lists.newArrayList(1, "x'y")))); + prepareParamsMap.put("enabled", new Property("enabled", Direct.IN, DataType.BOOLEAN, "true")); + + TaskExecutionContext ctx = new TaskExecutionContext(); + ctx.setTaskParams("{\"type\":\"HIVE\",\"datasource\":1,\"sql\":\"select 1\"}"); + ctx.setScheduleTime(System.currentTimeMillis()); + ctx.setTaskInstanceId(1); + ctx.setResourceParametersHelper(getResourceParametersHelperWithDatasourceType(DbType.HIVE)); + ctx.setPrepareParamsMap(prepareParamsMap); + + SqlTask task = new SqlTask(ctx); + + Method method = SqlTask.class.getDeclaredMethod("getSqlAndSqlParamsMap", String.class); + method.setAccessible(true); + + String inputSql = "create table test_${dd} as select * from user where name=${name} " + + "and id in (${ids}) and enabled=${enabled}"; + SqlBinds binds = (SqlBinds) method.invoke(task, inputSql); + + Assertions.assertEquals( + "create table test_20250411 as select * from user where name='O''Reilly' " + + "and id in (1,'x''y') and enabled=true", + binds.getSql()); + Assertions.assertTrue(binds.getParamsMap().isEmpty()); + } + + @Test + void testSqlTaskLocalRenderer_replacesQuotedPlaceholdersWithSqlLiterals() throws Exception { + Map<String, Property> prepareParamsMap = new HashMap<>(); + prepareParamsMap.put("dt", new Property("dt", Direct.IN, DataType.DATE, "2026-07-06")); + prepareParamsMap.put("name", new Property("name", Direct.IN, DataType.VARCHAR, "O'Reilly")); + + TaskExecutionContext ctx = new TaskExecutionContext(); + ctx.setTaskParams("{\"type\":\"HIVE\",\"datasource\":1,\"sql\":\"select 1\"}"); + ctx.setScheduleTime(System.currentTimeMillis()); + ctx.setTaskInstanceId(1); + ctx.setResourceParametersHelper(getResourceParametersHelperWithDatasourceType(DbType.HIVE)); + ctx.setPrepareParamsMap(prepareParamsMap); + + SqlTask task = new SqlTask(ctx); + + Method method = SqlTask.class.getDeclaredMethod("getSqlAndSqlParamsMap", String.class); + method.setAccessible(true); + + SqlBinds binds = (SqlBinds) method.invoke(task, + "select * from student where dt='${dt}' and name=\"${name}\""); + + Assertions.assertEquals("select * from student where dt='2026-07-06' and name='O''Reilly'", + binds.getSql()); + } + + @Test + void testSqlTaskLocalRenderer_replacesRawPlaceholderWithDollarAndBackslashCharacters() throws Exception { + Map<String, Property> prepareParamsMap = new HashMap<>(); + prepareParamsMap.put("partition", new Property("partition", Direct.IN, DataType.VARCHAR, + "dt='$[yyyyMMdd]' and path='s3://bucket/a\\b'")); + + TaskExecutionContext ctx = new TaskExecutionContext(); + ctx.setTaskParams("{\"type\":\"HIVE\",\"datasource\":1,\"sql\":\"select 1\"}"); + ctx.setScheduleTime(System.currentTimeMillis()); + ctx.setTaskInstanceId(1); + ctx.setResourceParametersHelper(getResourceParametersHelperWithDatasourceType(DbType.HIVE)); + ctx.setPrepareParamsMap(prepareParamsMap); + + SqlTask task = new SqlTask(ctx); + + Method method = SqlTask.class.getDeclaredMethod("getSqlAndSqlParamsMap", String.class); + method.setAccessible(true); + + SqlBinds binds = (SqlBinds) method.invoke(task, + "alter table t add if not exists partition (!{partition})"); + + Assertions.assertEquals( + "alter table t add if not exists partition (dt='$[yyyyMMdd]' and path='s3://bucket/a\\b')", + binds.getSql()); + } + + @Test + void testExecuteQueryUsesStatementWithRenderedSql() throws Exception { + Connection connection = mock(Connection.class); + Statement statement = mock(Statement.class); + ResultSet resultSet = mock(ResultSet.class); + ResultSetMetaData metaData = mock(ResultSetMetaData.class); + + when(connection.createStatement()).thenReturn(statement); + when(statement.executeQuery("select 1 as id")).thenReturn(resultSet); + when(resultSet.getMetaData()).thenReturn(metaData); + when(metaData.getColumnCount()).thenReturn(1); + when(metaData.getColumnLabel(1)).thenReturn("id"); + when(resultSet.next()).thenReturn(false); + + Method method = SqlTask.class.getDeclaredMethod("executeQuery", Connection.class, SqlBinds.class, String.class); + method.setAccessible(true); + + String result = (String) method.invoke(sqlTask, connection, + new SqlBinds("select 1 as id", new HashMap<>()), "main"); + + Assertions.assertEquals("[{\"id\":\"\"}]", result); + verify(connection).createStatement(); + verify(connection, never()).prepareStatement(anyString()); + verify(statement).executeQuery("select 1 as id"); + } + + @Test + void testSqlTaskLocalRenderer_doesNotTreatPlaceholderInsideStringLiteralAsIdentifier() throws Exception { + Map<String, Property> prepareParamsMap = new HashMap<>(); + prepareParamsMap.put("name", new Property("name", Direct.IN, DataType.VARCHAR, "O'Reilly")); + + TaskExecutionContext ctx = new TaskExecutionContext(); + ctx.setTaskParams("{\"type\":\"HIVE\",\"datasource\":1,\"sql\":\"select 1\"}"); + ctx.setScheduleTime(System.currentTimeMillis()); + ctx.setTaskInstanceId(1); + ctx.setResourceParametersHelper(getResourceParametersHelperWithDatasourceType(DbType.HIVE)); + ctx.setPrepareParamsMap(prepareParamsMap); + + SqlTask task = new SqlTask(ctx); + + Method method = SqlTask.class.getDeclaredMethod("getSqlAndSqlParamsMap", String.class); + method.setAccessible(true); + + SqlBinds binds = (SqlBinds) method.invoke(task, + "select * from student where name='prefix_${name}'"); + + Assertions.assertEquals("select * from student where name='prefix_O''Reilly'", binds.getSql()); + } + + @Test + void testSqlTaskLocalRenderer_doesNotRescanRawReplacementForSqlParameters() throws Exception { + Map<String, Property> prepareParamsMap = new HashMap<>(); + prepareParamsMap.put("fragment", new Property("fragment", Direct.IN, DataType.VARCHAR, + "dt='${hiveconf:dt}'")); + + TaskExecutionContext ctx = new TaskExecutionContext(); + ctx.setTaskParams("{\"type\":\"HIVE\",\"datasource\":1,\"sql\":\"select 1\"}"); + ctx.setScheduleTime(System.currentTimeMillis()); + ctx.setTaskInstanceId(1); + ctx.setResourceParametersHelper(getResourceParametersHelperWithDatasourceType(DbType.HIVE)); + ctx.setPrepareParamsMap(prepareParamsMap); + + SqlTask task = new SqlTask(ctx); + + Method method = SqlTask.class.getDeclaredMethod("getSqlAndSqlParamsMap", String.class); + method.setAccessible(true); + + SqlBinds binds = (SqlBinds) method.invoke(task, + "alter table t add if not exists partition (!{fragment})"); + + Assertions.assertEquals( + "alter table t add if not exists partition (dt='${hiveconf:dt}')", + binds.getSql()); + } + + @Test + void testSqlTaskLocalRenderer_doesNotRescanSqlParameterValueForRawPlaceholder() throws Exception { + Map<String, Property> prepareParamsMap = new HashMap<>(); + prepareParamsMap.put("name", new Property("name", Direct.IN, DataType.VARCHAR, "!{fragment}")); + prepareParamsMap.put("fragment", new Property("fragment", Direct.IN, DataType.VARCHAR, "unsafe_sql")); + + TaskExecutionContext ctx = new TaskExecutionContext(); + ctx.setTaskParams("{\"type\":\"HIVE\",\"datasource\":1,\"sql\":\"select 1\"}"); + ctx.setScheduleTime(System.currentTimeMillis()); + ctx.setTaskInstanceId(1); + ctx.setResourceParametersHelper(getResourceParametersHelperWithDatasourceType(DbType.HIVE)); + ctx.setPrepareParamsMap(prepareParamsMap); + + SqlTask task = new SqlTask(ctx); + + Method method = SqlTask.class.getDeclaredMethod("getSqlAndSqlParamsMap", String.class); + method.setAccessible(true); + + SqlBinds binds = (SqlBinds) method.invoke(task, + "select * from student where name=${name}"); + + Assertions.assertEquals("select * from student where name='!{fragment}'", binds.getSql()); + } + + @Test + void testSqlTaskLocalRenderer_keepsPlaceholderInsideJsonStringLiteral() throws Exception { Review Comment: The test name says it "keeps" the placeholder inside a JSON string literal, but the assertion verifies that the placeholder is replaced. Renaming the test will better reflect the behavior being covered. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
