Add a presubmit check to require use of templated SQL string literals (#954)

* Add a presubmit check to require use of templated SQL string literals This PR proposes a coding style convention that helps prevent SQL-injection attacks, and is easy to enforce in the presubmit check. SQL-injections can be effectively prevented if all parameterized queries are generated using the proper param-binding methods. In our project which uses Hibernate exclusively, this can be achieved if we all follow a simple convention: only use constant sql templates assigned to static final String variables as the first parameter to creat(Native)Query methods. This PR adds a presubmit check to enforce the proposed rule, and modified one class as a demo. If the team agrees with this proposal, we will change all other use cases.
2025-07-13 14:35:16 +02:00 · 2021-02-06 19:28:38 -05:00 · 2021-02-06 19:28:38 -05:00 · d7e65d95e6
commit d7e65d95e6
parent 1d96de98c9
2 changed files with 39 additions and 1 deletions
--- a/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
+++ b/core/src/main/java/google/registry/persistence/transaction/JpaTransactionManagerImpl.java
@ -458,6 +458,7 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
    assertInTransaction();
    EntityType<?> entityType = getEntityType(key.getKind());
    ImmutableSet<EntityId> entityIds = getEntityIdsFromSqlKey(entityType, key.getSqlKey());
+    // TODO(b/179158393): use Criteria for query to leave not doubt about sql injection risk.
    String sql =
        String.format("DELETE FROM %s WHERE %s", entityType.getName(), getAndClause(entityIds));
    Query query = getEntityManager().createQuery(sql);