Re: [PR] [#8659] fix(core): Fix parameter mismatch in UserRoleRelBaseSQLProvider and Test [gravitino]

Mon, 01 Dec 2025 23:22:57 -0800 


Copilot commented on code in PR #8702:
URL: https://github.com/apache/gravitino/pull/8702#discussion_r2579950682


##########
core/src/main/java/org/apache/gravitino/storage/relational/mapper/provider/base/UserRoleRelBaseSQLProvider.java:
##########
@@ -28,8 +27,7 @@
 
 public class UserRoleRelBaseSQLProvider {
 
-  public String batchInsertUserRoleRel(
-      @Param("userRoleRelList") List<UserRoleRelPO> userRoleRelList) {
+  public String batchInsertUserRoleRel(@Param("userRoleRels") 
List<UserRoleRelPO> userRoleRelList) {

Review Comment:
   The method parameter name `userRoleRelList` does not match the `@Param` 
annotation value `userRoleRels`. While the `@Param` annotation correctly 
matches the MyBatis template collection name, the Java parameter should also be 
renamed to `userRoleRels` for consistency and clarity. This would also align 
with the parameter naming in `batchInsertUserRoleRelOnDuplicateKeyUpdate` 
method which uses `userRoleRelPOs`.
   ```suggestion
     public String batchInsertUserRoleRel(@Param("userRoleRels") 
List<UserRoleRelPO> userRoleRels) {
   ```



##########
core/src/test/java/org/apache/gravitino/storage/relational/mapper/provider/base/TestUserRoleRelMapper.java:
##########
@@ -0,0 +1,217 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.storage.relational.mapper;
+
+import com.google.common.collect.Lists;
+import java.io.File;
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.time.Instant;
+import java.util.List;
+import java.util.UUID;
+import org.apache.commons.io.FileUtils;
+import org.apache.gravitino.Config;
+import org.apache.gravitino.Configs;
+import org.apache.gravitino.meta.AuditInfo;
+import org.apache.gravitino.storage.relational.JDBCBackend;
+import org.apache.gravitino.storage.relational.po.MetalakePO;
+import org.apache.gravitino.storage.relational.po.RolePO;
+import org.apache.gravitino.storage.relational.po.UserPO;
+import org.apache.gravitino.storage.relational.po.UserRoleRelPO;
+import org.apache.gravitino.storage.relational.session.SqlSessionFactoryHelper;
+import org.apache.ibatis.session.SqlSession;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+
+public class TestUserRoleRelMapper {
+
+  private static final String JDBC_STORE_PATH =
+      "/tmp/gravitino_jdbc_entityStore_" + 
UUID.randomUUID().toString().replace("-", "");
+  private static final String DB_DIR = JDBC_STORE_PATH + "/testdb";
+  private static JDBCBackend backend;
+  private static UserRoleRelMapper userRoleRelMapper;
+  private static UserMetaMapper userMetaMapper;
+  private static RoleMetaMapper roleMetaMapper;
+  private static MetalakeMetaMapper metalakeMetaMapper;
+
+  @BeforeAll
+  public static void setup() throws Exception {
+    File dir = new File(DB_DIR);
+    if (dir.exists()) {
+      FileUtils.deleteDirectory(dir);
+    }
+    dir.mkdirs();
+
+    Config config = Mockito.mock(Config.class);
+    Mockito.when(config.get(Configs.ENTITY_STORE)).thenReturn("relational");
+    Mockito.when(config.get(Configs.ENTITY_RELATIONAL_STORE)).thenReturn("h2");
+    Mockito.when(config.get(Configs.ENTITY_RELATIONAL_JDBC_BACKEND_URL))
+        
.thenReturn(String.format("jdbc:h2:file:%s;DB_CLOSE_DELAY=-1;MODE=MYSQL", 
DB_DIR));
+    
Mockito.when(config.get(Configs.ENTITY_RELATIONAL_JDBC_BACKEND_USER)).thenReturn("gravitino");
+    Mockito.when(config.get(Configs.ENTITY_RELATIONAL_JDBC_BACKEND_PASSWORD))
+        .thenReturn("gravitino");
+    Mockito.when(config.get(Configs.ENTITY_RELATIONAL_JDBC_BACKEND_DRIVER))
+        .thenReturn("org.h2.Driver");
+    
Mockito.when(config.get(Configs.ENTITY_RELATIONAL_JDBC_BACKEND_MAX_CONNECTIONS)).thenReturn(20);
+    
Mockito.when(config.get(Configs.ENTITY_RELATIONAL_JDBC_BACKEND_WAIT_MILLISECONDS))
+        .thenReturn(1000L);
+
+    backend = new JDBCBackend();
+    backend.initialize(config);
+
+    SqlSession sqlSession =
+        
SqlSessionFactoryHelper.getInstance().getSqlSessionFactory().openSession(true);
+    userRoleRelMapper = sqlSession.getMapper(UserRoleRelMapper.class);
+    userMetaMapper = sqlSession.getMapper(UserMetaMapper.class);
+    roleMetaMapper = sqlSession.getMapper(RoleMetaMapper.class);
+    metalakeMetaMapper = sqlSession.getMapper(MetalakeMetaMapper.class);
+  }
+
+  @AfterAll
+  public static void tearDown() throws IOException {
+    if (backend != null) {
+      backend.close();
+    }
+    File dir = new File(JDBC_STORE_PATH);
+    if (dir.exists()) {
+      FileUtils.deleteDirectory(dir);
+    }
+  }
+
+  @BeforeEach
+  public void init() {
+    try (SqlSession sqlSession =
+        
SqlSessionFactoryHelper.getInstance().getSqlSessionFactory().openSession(true)) 
{
+      try (Connection connection = sqlSession.getConnection()) {
+        try (Statement statement = connection.createStatement()) {
+          statement.execute("TRUNCATE TABLE user_role_rel");
+          statement.execute("TRUNCATE TABLE user_meta");
+          statement.execute("TRUNCATE TABLE role_meta");
+          statement.execute("TRUNCATE TABLE metalake_meta");
+        }
+      }
+    } catch (SQLException e) {
+      throw new RuntimeException("Truncate table failed", e);
+    }
+  }
+
+  private int countUserRoleRelsByUserId(Long userId) {
+    try (SqlSession sqlSession =
+        
SqlSessionFactoryHelper.getInstance().getSqlSessionFactory().openSession(true)) 
{
+      try (Connection connection = sqlSession.getConnection()) {
+        try (Statement statement = connection.createStatement()) {
+          String query = "SELECT count(*) FROM user_role_rel WHERE user_id = " 
+ userId;
+          try (ResultSet rs = statement.executeQuery(query)) {

Review Comment:
   SQL injection vulnerability: The query concatenates `userId` directly into 
the SQL string without using a prepared statement. This creates a security 
risk. Use a prepared statement instead:
   
   ```java
   String query = "SELECT count(*) FROM user_role_rel WHERE user_id = ?";
   try (PreparedStatement ps = connection.prepareStatement(query)) {
     ps.setLong(1, userId);
     try (ResultSet rs = ps.executeQuery()) {
       if (rs.next()) {
         return rs.getInt(1);
       }
       return 0;
     }
   }
   ```
   ```suggestion
           String query = "SELECT count(*) FROM user_role_rel WHERE user_id = 
?";
           try (java.sql.PreparedStatement ps = 
connection.prepareStatement(query)) {
             ps.setLong(1, userId);
             try (ResultSet rs = ps.executeQuery()) {
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to