Add SpEL support for table and column names #1325
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
I'm highly sceptical of this since it seems likely to open us up to SQL injection. |
I don't think there is an SQL injection problem with @table("${dynamic_table:user_01}) |
That is exactly the problem. A developer can use any variable and sooner than later will use untrusted data. And since bind variables can't be used, it has to be done by String concatenation, which pretty much the definition of a SQL injection problem. |
No, the |
I still don't quite understand, even the parameters of properties, env, -D are set by the developer, who will attack their own application? I just wish this feature could be more flexible? |
|
Assuming I have multiple shards in my database, how do I aggregate the results of |
|
unless I go to use DatabaseClient |
|
for example @table("${TABLE:cba}") |
gregturn
added
the
status: pending-design-work
christophstrobl
removed
the
status: waiting-for-triage
|
We came up with this plan: Have SpEL support for names provided in If someone really wants to allow strange names they can do so be providing a custom sanitizer. Of course it is then up to them to make sure the whole is still safe. |
schauder
added
type: enhancement
mp911de
changed the title
|
The feature should also apply to reference and key columns specified via |
|
Hi,How long before the feature is expected to be available |
|
We don't have schedule for this. And to be honest I don't consider it high priority. Of course if there would be a good pull request ... |
@schauder @mp911de This gives me a way to pass the ApplicationContext into the RelationalPersistentEntityImpl for support of spel expressions |
|
I'm not sure what method you want to overload, my IDE doesn't find any with that signature. |
@schauder |
|
I don't think we want to overload that. @mp911de your thoughts on this? |
|
@schauder |
|
Maybe |
If SpEl expressions are specified in the @table or @column annotation, they will be evaluated and the output will be sanitized to prevent SQL Injections. The default sanitization only allows digits, alphabetic characters, and _ character. (i.e. [0-9, a-z, A-Z, _]) It is possible to customize the sanitization by implementing a class that implements the SpelExpressionResultSanitizer interface by configuring the spellExpressionResultSanitizer bean Closes #1325
Reuse existing EvaluationContextProvider infrastructure and static parser/parser context instances. Parse expressions early. Update Javadoc to reflect SpEL support. Reformat code to use tabs instead of spaces. Rename types for consistency. Rename SpelExpressionResultSanitizer to SqlIdentifierSanitizer to express its intended usage. Eagerly initialize entities where applicable. Simplify code. See #1325 Original pull request: #1461
We're from the [Seata] https://github.com/seata/seata community, we're a highly available, high-performance distributed transaction component, and currently our server side is considering moving from using jdbc to spring-data-r2dbc, but we've found some issues
Our transaction information is stored in mysql, oracle and other databases, because we support the resource isolation of transactions by configuring different table names, and then assembling them into corresponding sqls to use, which makes us unable to use @table to set a fixed table name, perhaps we can set the right through environment.resolvePlaceholders() or open doSelect table
If this requirement is reasonable, I am willing to complete this job
The text was updated successfully, but these errors were encountered: