Add SpEl support for table and column names

If SpEl expressions are specified in the @table or @column annotation, they will be evaluated and the output will be sanitized to prevent SQL Injections.

The default sanitization only allows digits, alphabetic characters, and _ character.  (i.e. [0-9, a-z, A-Z, _])

It is possible to customize the sanitization by implementing a class that implements the SpelExpressionResultSanitizer interface by configuring the spellExpressionResultSanitizer bean

Closes #1325

Author: kurtn718

spring-data-jdbc/src/main/java/org/springframework/data/jdbc/core/mapping/BasicJdbcPersistentProperty.java

@@ -18,16 +18,14 @@
 import org.springframework.data.mapping.PersistentEntity;
 import org.springframework.data.mapping.model.Property;
 import org.springframework.data.mapping.model.SimpleTypeHolder;
-import org.springframework.data.relational.core.mapping.BasicRelationalPersistentProperty;
-import org.springframework.data.relational.core.mapping.NamingStrategy;
-import org.springframework.data.relational.core.mapping.RelationalMappingContext;
-import org.springframework.data.relational.core.mapping.RelationalPersistentProperty;
+import org.springframework.data.relational.core.mapping.*;
 
 /**
  * Extension to {@link BasicRelationalPersistentProperty}.
  *
  * @author Mark Paluch
  * @author Jens Schauder
+ * @author Kurt Niemi
  */
 public class BasicJdbcPersistentProperty extends BasicRelationalPersistentProperty {
 
@@ -38,11 +36,16 @@ public class BasicJdbcPersistentProperty extends BasicRelationalPersistentProper
 	 * @param owner must not be {@literal null}.
 	 * @param simpleTypeHolder must not be {@literal null}.
 	 * @param namingStrategy must not be {@literal null}
+	 * @param sanitizer must not be {@literal null}
 	 * @since 2.0
 	 */
-	public BasicJdbcPersistentProperty(Property property, PersistentEntity<?, RelationalPersistentProperty> owner,
-			SimpleTypeHolder simpleTypeHolder, NamingStrategy namingStrategy) {
-		super(property, owner, simpleTypeHolder, namingStrategy);
+	public BasicJdbcPersistentProperty(Property property,
+									   PersistentEntity<?, RelationalPersistentProperty> owner,
+									   SimpleTypeHolder simpleTypeHolder,
+									   NamingStrategy namingStrategy,
+									   SpelExpressionResultSanitizer sanitizer) {
+
+		super(property, owner, simpleTypeHolder, namingStrategy, sanitizer);
 	}
 
 	@Override

spring-data-jdbc/src/main/java/org/springframework/data/jdbc/core/mapping/JdbcMappingContext.java

@@ -80,7 +80,7 @@ protected <T> RelationalPersistentEntity<T> createPersistentEntity(TypeInformati
 	protected RelationalPersistentProperty createPersistentProperty(Property property,
 			RelationalPersistentEntity<?> owner, SimpleTypeHolder simpleTypeHolder) {
 		BasicJdbcPersistentProperty persistentProperty = new BasicJdbcPersistentProperty(property, owner, simpleTypeHolder,
-				this.getNamingStrategy());
+				this.getNamingStrategy(),super.getSpelExpressionResultSanitizer());
 		persistentProperty.setForceQuote(isForceQuote());
 		return persistentProperty;
 	}

spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentProperty.java

@@ -27,6 +27,11 @@
 import org.springframework.data.relational.core.sql.SqlIdentifier;
 import org.springframework.data.util.Lazy;
 import org.springframework.data.util.Optionals;
+import org.springframework.expression.EvaluationException;
+import org.springframework.expression.Expression;
+import org.springframework.expression.common.TemplateParserContext;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -37,6 +42,7 @@
  * @author Greg Turnquist
  * @author Florian Lüdiger
  * @author Bastian Wilhelm
+ * @author Kurt Niemi
  */
 public class BasicRelationalPersistentProperty extends AnnotationBasedPersistentProperty<RelationalPersistentProperty>
 		implements RelationalPersistentProperty {
@@ -48,6 +54,7 @@ public class BasicRelationalPersistentProperty extends AnnotationBasedPersistent
 	private final Lazy<String> embeddedPrefix;
 	private final NamingStrategy namingStrategy;
 	private boolean forceQuote = true;
+	private SpelExpressionResultSanitizer sanitizer;
 
 	/**
 	 * Creates a new {@link BasicRelationalPersistentProperty}.
@@ -57,12 +64,12 @@ public class BasicRelationalPersistentProperty extends AnnotationBasedPersistent
 	 * @param simpleTypeHolder must not be {@literal null}.
 	 * @param context must not be {@literal null}
 	 * @since 2.0, use
-	 *        {@link #BasicRelationalPersistentProperty(Property, PersistentEntity, SimpleTypeHolder, NamingStrategy)}.
+	 *        {@link #BasicRelationalPersistentProperty(Property, PersistentEntity, SimpleTypeHolder, NamingStrategy, SpelExpressionResultSanitizer)}.
 	 */
-	@Deprecated
+	@Deprecated(since = "3.1", forRemoval = true)
 	public BasicRelationalPersistentProperty(Property property, PersistentEntity<?, RelationalPersistentProperty> owner,
 			SimpleTypeHolder simpleTypeHolder, RelationalMappingContext context) {
-		this(property, owner, simpleTypeHolder, context.getNamingStrategy());
+		this(property, owner, simpleTypeHolder, context.getNamingStrategy(), context.getSpelExpressionResultSanitizer());
 	}
 
 	/**
@@ -74,11 +81,34 @@ public BasicRelationalPersistentProperty(Property property, PersistentEntity<?,
 	 * @param namingStrategy must not be {@literal null}
 	 * @since 2.0
 	 */
-	public BasicRelationalPersistentProperty(Property property, PersistentEntity<?, RelationalPersistentProperty> owner,
-			SimpleTypeHolder simpleTypeHolder, NamingStrategy namingStrategy) {
+	@Deprecated(since = "3.1", forRemoval = true)
+	public BasicRelationalPersistentProperty(Property property,
+											 PersistentEntity<?, RelationalPersistentProperty> owner,
+											 SimpleTypeHolder simpleTypeHolder,
+											 NamingStrategy namingStrategy) {
+		// ::TODO:: Where should I put the code that has the default sanitizer implementation??
+		this(property, owner, simpleTypeHolder, namingStrategy, null);
+	}
+
+	/**
+	 * Creates a new {@link BasicRelationalPersistentProperty}.
+	 *
+	 * @param property must not be {@literal null}.
+	 * @param owner must not be {@literal null}.
+	 * @param simpleTypeHolder must not be {@literal null}.
+	 * @param namingStrategy must not be {@literal null}
+	 * @param sanitizer must not be {@literal null}
+	 * @since 2.0
+	 */
+	public BasicRelationalPersistentProperty(Property property,
+											 PersistentEntity<?, RelationalPersistentProperty> owner,
+											 SimpleTypeHolder simpleTypeHolder,
+											 NamingStrategy namingStrategy,
+											 SpelExpressionResultSanitizer sanitizer) {
 
 		super(property, owner, simpleTypeHolder);
 		this.namingStrategy = namingStrategy;
+		this.sanitizer = sanitizer;
 
 		Assert.notNull(namingStrategy, "NamingStrategy must not be null");
 
@@ -90,6 +120,7 @@ public BasicRelationalPersistentProperty(Property property, PersistentEntity<?,
 
 		this.columnName = Lazy.of(() -> Optional.ofNullable(findAnnotation(Column.class)) //
 				.map(Column::value) //
+				.map(this::applySpelExpression)
 				.filter(StringUtils::hasText) //
 				.map(this::createSqlIdentifier) //
 				.orElseGet(() -> createDerivedSqlIdentifier(namingStrategy.getColumnName(this))));
@@ -110,6 +141,47 @@ public BasicRelationalPersistentProperty(Property property, PersistentEntity<?,
 				.orElseGet(() -> createDerivedSqlIdentifier(namingStrategy.getKeyColumn(this))));
 	}
 
+	// ::TODO:: Discuss where we want this common code for Table and Columns
+	private StandardEvaluationContext evalContext = new StandardEvaluationContext();
+	private SpelExpressionParser parser = new SpelExpressionParser();
+	private TemplateParserContext templateParserContext = new TemplateParserContext();
+	private boolean isSpellExpression(String expression) {
+
+		String trimmedExpression = expression.trim();
+		if (trimmedExpression.startsWith(templateParserContext.getExpressionPrefix()) &&
+				trimmedExpression.endsWith(templateParserContext.getExpressionSuffix())) {
+			return true;
+		}
+
+		return false;
+	}
+
+	private String applySpelExpression(String expression) throws EvaluationException {
+
+		Assert.notNull(expression, "Expression must not be null.");
+
+		// Only apply logic if we have the prefixes/suffixes required for a Spel expression as firstly
+		// there is nothing to evaluate (i.e. whatever literal passed in is returned as-is) and more
+		// importantly we do not want to perform any sanitization logic.
+		if (!isSpellExpression(expression)) {
+			return expression;
+		}
+
+		Expression expr = parser.parseExpression(expression, templateParserContext);
+		String result = expr.getValue(evalContext, String.class);
+
+		// Normally an exception is thrown by the Spel parser on invalid syntax/errors but this will provide
+		// a consistent experience for any issues with Spel parsing.
+		if (result == null) {
+			throw new EvaluationException("Spel Parsing of expression \"" + expression + "\" failed.");
+		}
+
+		String sanitizedResult = sanitizer.sanitize(result);
+
+		return sanitizedResult;
+	}
+
+
 	private SqlIdentifier createSqlIdentifier(String name) {
 		return isForceQuote() ? SqlIdentifier.quoted(name) : SqlIdentifier.unquoted(name);
 	}

spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalMappingContext.java

@@ -15,6 +15,7 @@
  */
 package org.springframework.data.relational.core.mapping;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.mapping.context.AbstractMappingContext;
 import org.springframework.data.mapping.context.MappingContext;
 import org.springframework.data.mapping.model.Property;
@@ -30,13 +31,17 @@
  * @author Kazuki Shimizu
  * @author Oliver Gierke
  * @author Mark Paluch
+ * @author Kurt Niemi
  */
 public class RelationalMappingContext
 		extends AbstractMappingContext<RelationalPersistentEntity<?>, RelationalPersistentProperty> {
 
 	private final NamingStrategy namingStrategy;
 	private boolean forceQuote = true;
 
+	@Autowired(required = false)
+	private SpelExpressionResultSanitizer spelExpressionResultSanitizer;
+
 	/**
 	 * Creates a new {@link RelationalMappingContext}.
 	 */
@@ -77,11 +82,27 @@ public void setForceQuote(boolean forceQuote) {
 		this.forceQuote = forceQuote;
 	}
 
+	protected SpelExpressionResultSanitizer getSpelExpressionResultSanitizer() {
+
+		if (this.spelExpressionResultSanitizer == null) {
+			this.spelExpressionResultSanitizer = new SpelExpressionResultSanitizer() {
+				@Override
+				public String sanitize(String result) {
+
+					String cleansedResult = result.replaceAll("[^\\w]", "");
+					return cleansedResult;
+				}
+			};
+		}
+		return this.spelExpressionResultSanitizer;
+	}
+
 	@Override
 	protected <T> RelationalPersistentEntity<T> createPersistentEntity(TypeInformation<T> typeInformation) {
 
 		RelationalPersistentEntityImpl<T> entity = new RelationalPersistentEntityImpl<>(typeInformation,
-				this.namingStrategy);
+				this.namingStrategy,
+				getSpelExpressionResultSanitizer());
 		entity.setForceQuote(isForceQuote());
 
 		return entity;
@@ -92,7 +113,7 @@ protected RelationalPersistentProperty createPersistentProperty(Property propert
 			RelationalPersistentEntity<?> owner, SimpleTypeHolder simpleTypeHolder) {
 
 		BasicRelationalPersistentProperty persistentProperty = new BasicRelationalPersistentProperty(property, owner,
-				simpleTypeHolder, this.namingStrategy);
+				simpleTypeHolder, this.namingStrategy, getSpelExpressionResultSanitizer());
 		persistentProperty.setForceQuote(isForceQuote());
 
 		return persistentProperty;

spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImpl.java

@@ -21,8 +21,16 @@
 import org.springframework.data.relational.core.sql.SqlIdentifier;
 import org.springframework.data.util.Lazy;
 import org.springframework.data.util.TypeInformation;
+import org.springframework.expression.EvaluationException;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ParserContext;
+import org.springframework.expression.common.TemplateParserContext;
 import org.springframework.lang.Nullable;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+
 
 /**
  * Meta data a repository might need for implementing persistence operations for instances of type {@code T}
@@ -31,6 +39,7 @@
  * @author Greg Turnquist
  * @author Bastian Wilhelm
  * @author Mikhail Polivakha
+ * @author Kurt Niemi
  */
 class RelationalPersistentEntityImpl<T> extends BasicPersistentEntity<T, RelationalPersistentProperty>
 		implements RelationalPersistentEntity<T> {
@@ -40,19 +49,29 @@ class RelationalPersistentEntityImpl<T> extends BasicPersistentEntity<T, Relatio
 	private final Lazy<Optional<SqlIdentifier>> schemaName;
 	private boolean forceQuote = true;
 
+	private SpelExpressionResultSanitizer sanitizer;
+	private StandardEvaluationContext evalContext = new StandardEvaluationContext();
+	private SpelExpressionParser parser = new SpelExpressionParser();
+	private TemplateParserContext templateParserContext = new TemplateParserContext();
+
+
 	/**
 	 * Creates a new {@link RelationalPersistentEntityImpl} for the given {@link TypeInformation}.
 	 *
 	 * @param information must not be {@literal null}.
 	 */
-	RelationalPersistentEntityImpl(TypeInformation<T> information, NamingStrategy namingStrategy) {
+	RelationalPersistentEntityImpl(TypeInformation<T> information,
+								   NamingStrategy namingStrategy,
+								   SpelExpressionResultSanitizer sanitizer) {
 
 		super(information);
 
 		this.namingStrategy = namingStrategy;
+		this.sanitizer = sanitizer;
 
 		this.tableName = Lazy.of(() -> Optional.ofNullable(findAnnotation(Table.class)) //
 				.map(Table::value) //
+				.map(this::applySpelExpression)
 				.filter(StringUtils::hasText) //
 				.map(this::createSqlIdentifier));
 
@@ -66,6 +85,42 @@ private SqlIdentifier createSqlIdentifier(String name) {
 		return isForceQuote() ? SqlIdentifier.quoted(name) : SqlIdentifier.unquoted(name);
 	}
 
+	private boolean isSpellExpression(String expression) {
+
+		String trimmedExpression = expression.trim();
+		if (trimmedExpression.startsWith(templateParserContext.getExpressionPrefix()) &&
+				trimmedExpression.endsWith(templateParserContext.getExpressionSuffix())) {
+			return true;
+		}
+
+		return false;
+	}
+
+	private String applySpelExpression(String expression) throws EvaluationException {
+
+		Assert.notNull(expression, "Expression must not be null.");
+
+		// Only apply logic if we have the prefixes/suffixes required for a Spel expression as firstly
+		// there is nothing to evaluate (i.e. whatever literal passed in is returned as-is) and more
+		// importantly we do not want to perform any sanitization logic.
+		if (!isSpellExpression(expression)) {
+			return expression;
+		}
+
+		Expression expr = parser.parseExpression(expression, templateParserContext);
+		String result = expr.getValue(evalContext, String.class);
+
+		// Normally an exception is thrown by the Spel parser on invalid syntax/errors but this will provide
+		// a consistent experience for any issues with Spel parsing.
+		if (result == null) {
+			throw new EvaluationException("Spel Parsing of expression \"" + expression + "\" failed.");
+		}
+
+		String sanitizedResult = sanitizer.sanitize(result);
+
+		return sanitizedResult;
+	}
+
 	private SqlIdentifier createDerivedSqlIdentifier(String name) {
 		return new DerivedSqlIdentifier(name, isForceQuote());
 	}

spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionResultSanitizer.java

@@ -0,0 +1,10 @@
+package org.springframework.data.relational.core.mapping;
+
+/**
+ * Interface for sanitizing Spel Expression results
+ *
+ * @author Kurt Niemi
+ */
+public interface SpelExpressionResultSanitizer {
+    public String sanitize(String result);
+}