From 68a13fe12b03654167a2429d7414d470572e0f54 Mon Sep 17 00:00:00 2001
From: Kurt Niemi <kurtn718@gmail.com>
Date: Fri, 24 Mar 2023 15:16:55 -0400
Subject: [PATCH] Add SpEL support for `@Table` and `@Column`.

If SpEl expressions are specified in the `@Table` or `@Column` annotation, they will be evaluated and the output will be sanitized to prevent SQL Injections.

The default sanitization only allows digits, alphabetic characters, and _ character. (i.e. [0-9, a-z, A-Z, _])

Closes #1325
Original pull request: #1461
---
 .../jdbc/core/mapping/JdbcMappingContext.java |  1 +
 .../BasicRelationalPersistentProperty.java    | 10 +++
 .../mapping/RelationalMappingContext.java     | 11 +++
 .../RelationalPersistentEntityImpl.java       | 11 +++
 .../core/mapping/SpelExpressionProcessor.java | 87 +++++++++++++++++++
 .../SpelExpressionResultSanitizer.java        | 10 +++
 ...RelationalPersistentPropertyUnitTests.java | 30 +++++++
 ...lationalPersistentEntityImplUnitTests.java | 54 ++++++++++++
 8 files changed, 214 insertions(+)
 create mode 100644 spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionProcessor.java
 create mode 100644 spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionResultSanitizer.java

diff --git a/spring-data-jdbc/src/main/java/org/springframework/data/jdbc/core/mapping/JdbcMappingContext.java b/spring-data-jdbc/src/main/java/org/springframework/data/jdbc/core/mapping/JdbcMappingContext.java
index ef574390bd..0a13fd61fe 100644
--- a/spring-data-jdbc/src/main/java/org/springframework/data/jdbc/core/mapping/JdbcMappingContext.java
+++ b/spring-data-jdbc/src/main/java/org/springframework/data/jdbc/core/mapping/JdbcMappingContext.java
@@ -82,6 +82,7 @@ protected RelationalPersistentProperty createPersistentProperty(Property propert
 		BasicJdbcPersistentProperty persistentProperty = new BasicJdbcPersistentProperty(property, owner, simpleTypeHolder,
 				this.getNamingStrategy());
 		persistentProperty.setForceQuote(isForceQuote());
+		persistentProperty.setSpelExpressionProcessor(getSpelExpressionProcessor());
 		return persistentProperty;
 	}
 
diff --git a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentProperty.java b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentProperty.java
index f372e8bb01..a5f30b01d1 100644
--- a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentProperty.java
+++ b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentProperty.java
@@ -37,6 +37,7 @@
  * @author Greg Turnquist
  * @author Florian Lüdiger
  * @author Bastian Wilhelm
+ * @author Kurt Niemi
  */
 public class BasicRelationalPersistentProperty extends AnnotationBasedPersistentProperty<RelationalPersistentProperty>
 		implements RelationalPersistentProperty {
@@ -48,6 +49,7 @@ public class BasicRelationalPersistentProperty extends AnnotationBasedPersistent
 	private final Lazy<String> embeddedPrefix;
 	private final NamingStrategy namingStrategy;
 	private boolean forceQuote = true;
+	private SpelExpressionProcessor spelExpressionProcessor = new SpelExpressionProcessor();
 
 	/**
 	 * Creates a new {@link BasicRelationalPersistentProperty}.
@@ -90,6 +92,7 @@ public BasicRelationalPersistentProperty(Property property, PersistentEntity<?,
 
 		this.columnName = Lazy.of(() -> Optional.ofNullable(findAnnotation(Column.class)) //
 				.map(Column::value) //
+				.map(spelExpressionProcessor::applySpelExpression) //
 				.filter(StringUtils::hasText) //
 				.map(this::createSqlIdentifier) //
 				.orElseGet(() -> createDerivedSqlIdentifier(namingStrategy.getColumnName(this))));
@@ -109,6 +112,13 @@ public BasicRelationalPersistentProperty(Property property, PersistentEntity<?,
 				.map(this::createSqlIdentifier) //
 				.orElseGet(() -> createDerivedSqlIdentifier(namingStrategy.getKeyColumn(this))));
 	}
+	public SpelExpressionProcessor getSpelExpressionProcessor() {
+		return spelExpressionProcessor;
+	}
+
+	public void setSpelExpressionProcessor(SpelExpressionProcessor spelExpressionProcessor) {
+		this.spelExpressionProcessor = spelExpressionProcessor;
+	}
 
 	private SqlIdentifier createSqlIdentifier(String name) {
 		return isForceQuote() ? SqlIdentifier.quoted(name) : SqlIdentifier.unquoted(name);
diff --git a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalMappingContext.java b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalMappingContext.java
index c6712a4c9a..5e3be949a8 100644
--- a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalMappingContext.java
+++ b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalMappingContext.java
@@ -36,6 +36,7 @@ public class RelationalMappingContext
 
 	private final NamingStrategy namingStrategy;
 	private boolean forceQuote = true;
+	private SpelExpressionProcessor spelExpressionProcessor = new SpelExpressionProcessor();
 
 	/**
 	 * Creates a new {@link RelationalMappingContext}.
@@ -77,12 +78,21 @@ public void setForceQuote(boolean forceQuote) {
 		this.forceQuote = forceQuote;
 	}
 
+	public SpelExpressionProcessor getSpelExpressionProcessor() {
+		return spelExpressionProcessor;
+	}
+
+	public void setSpelExpressionProcessor(SpelExpressionProcessor spelExpressionProcessor) {
+		this.spelExpressionProcessor = spelExpressionProcessor;
+	}
+
 	@Override
 	protected <T> RelationalPersistentEntity<T> createPersistentEntity(TypeInformation<T> typeInformation) {
 
 		RelationalPersistentEntityImpl<T> entity = new RelationalPersistentEntityImpl<>(typeInformation,
 				this.namingStrategy);
 		entity.setForceQuote(isForceQuote());
+		entity.setSpelExpressionProcessor(getSpelExpressionProcessor());
 
 		return entity;
 	}
@@ -94,6 +104,7 @@ protected RelationalPersistentProperty createPersistentProperty(Property propert
 		BasicRelationalPersistentProperty persistentProperty = new BasicRelationalPersistentProperty(property, owner,
 				simpleTypeHolder, this.namingStrategy);
 		persistentProperty.setForceQuote(isForceQuote());
+		persistentProperty.setSpelExpressionProcessor(getSpelExpressionProcessor());
 
 		return persistentProperty;
 	}
diff --git a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImpl.java b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImpl.java
index 6bab03ff8c..29b62e0635 100644
--- a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImpl.java
+++ b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImpl.java
@@ -31,6 +31,7 @@
  * @author Greg Turnquist
  * @author Bastian Wilhelm
  * @author Mikhail Polivakha
+ * @author Kurt Niemi
  */
 class RelationalPersistentEntityImpl<T> extends BasicPersistentEntity<T, RelationalPersistentProperty>
 		implements RelationalPersistentEntity<T> {
@@ -39,6 +40,7 @@ class RelationalPersistentEntityImpl<T> extends BasicPersistentEntity<T, Relatio
 	private final Lazy<Optional<SqlIdentifier>> tableName;
 	private final Lazy<Optional<SqlIdentifier>> schemaName;
 	private boolean forceQuote = true;
+	private SpelExpressionProcessor spelExpressionProcessor = new SpelExpressionProcessor();
 
 	/**
 	 * Creates a new {@link RelationalPersistentEntityImpl} for the given {@link TypeInformation}.
@@ -53,6 +55,7 @@ class RelationalPersistentEntityImpl<T> extends BasicPersistentEntity<T, Relatio
 
 		this.tableName = Lazy.of(() -> Optional.ofNullable(findAnnotation(Table.class)) //
 				.map(Table::value) //
+				.map(spelExpressionProcessor::applySpelExpression) //
 				.filter(StringUtils::hasText) //
 				.map(this::createSqlIdentifier));
 
@@ -62,6 +65,14 @@ class RelationalPersistentEntityImpl<T> extends BasicPersistentEntity<T, Relatio
 				.map(this::createSqlIdentifier));
 	}
 
+	public SpelExpressionProcessor getSpelExpressionProcessor() {
+		return spelExpressionProcessor;
+	}
+
+	public void setSpelExpressionProcessor(SpelExpressionProcessor spelExpressionProcessor) {
+		this.spelExpressionProcessor = spelExpressionProcessor;
+	}
+
 	private SqlIdentifier createSqlIdentifier(String name) {
 		return isForceQuote() ? SqlIdentifier.quoted(name) : SqlIdentifier.unquoted(name);
 	}
diff --git a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionProcessor.java b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionProcessor.java
new file mode 100644
index 0000000000..5cb3bb9cdf
--- /dev/null
+++ b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionProcessor.java
@@ -0,0 +1,87 @@
+package org.springframework.data.relational.core.mapping;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.expression.EvaluationException;
+import org.springframework.expression.Expression;
+import org.springframework.expression.common.TemplateParserContext;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.util.Assert;
+
+/**
+ * Provide support for processing SpEL expressions in @Table and @Column annotations,
+ * or anywhere we want to use SpEL expressions and sanitize the result of the evaluated
+ * SpEL expression.
+ *
+ * The default sanitization allows for digits, alphabetic characters and _ characters
+ * and strips out any other characters.
+ *
+ * Custom sanitization (if desired) can be achieved by creating a class that implements
+ * the {@link SpelExpressionResultSanitizer} interface and then invoking the
+ * {@link #setSpelExpressionResultSanitizer(SpelExpressionResultSanitizer)} method.
+ *
+ * @author Kurt Niemi
+ * @see SpelExpressionResultSanitizer
+ * @since 3.1
+ */
+public class SpelExpressionProcessor {
+    private SpelExpressionResultSanitizer spelExpressionResultSanitizer;
+    private StandardEvaluationContext evalContext = new StandardEvaluationContext();
+    private SpelExpressionParser parser = new SpelExpressionParser();
+    private TemplateParserContext templateParserContext = new TemplateParserContext();
+
+    public String applySpelExpression(String expression) throws EvaluationException {
+
+        Assert.notNull(expression, "Expression must not be null.");
+
+        // Only apply logic if we have the prefixes/suffixes required for a SpEL expression as firstly
+        // there is nothing to evaluate (i.e. whatever literal passed in is returned as-is) and more
+        // importantly we do not want to perform any sanitization logic.
+        if (!isSpellExpression(expression)) {
+            return expression;
+        }
+
+        Expression expr = parser.parseExpression(expression, templateParserContext);
+        String result = expr.getValue(evalContext, String.class);
+
+        // Normally an exception is thrown by the Spel parser on invalid syntax/errors but this will provide
+        // a consistent experience for any issues with Spel parsing.
+        if (result == null) {
+            throw new EvaluationException("Spel Parsing of expression \"" + expression + "\" failed.");
+        }
+
+        String sanitizedResult = getSpelExpressionResultSanitizer().sanitize(result);
+
+        return sanitizedResult;
+    }
+
+    protected boolean isSpellExpression(String expression) {
+
+        String trimmedExpression = expression.trim();
+        if (trimmedExpression.startsWith(templateParserContext.getExpressionPrefix()) &&
+                trimmedExpression.endsWith(templateParserContext.getExpressionSuffix())) {
+            return true;
+        }
+
+        return false;
+    }
+    public SpelExpressionResultSanitizer getSpelExpressionResultSanitizer() {
+
+        if (this.spelExpressionResultSanitizer == null) {
+            this.spelExpressionResultSanitizer = new SpelExpressionResultSanitizer() {
+                @Override
+                public String sanitize(String result) {
+
+                    String cleansedResult = result.replaceAll("[^\\w]", "");
+                    return cleansedResult;
+                }
+            };
+        }
+        return this.spelExpressionResultSanitizer;
+    }
+
+    public void setSpelExpressionResultSanitizer(SpelExpressionResultSanitizer spelExpressionResultSanitizer) {
+        this.spelExpressionResultSanitizer = spelExpressionResultSanitizer;
+    }
+
+}
diff --git a/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionResultSanitizer.java b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionResultSanitizer.java
new file mode 100644
index 0000000000..c2c8983c18
--- /dev/null
+++ b/spring-data-relational/src/main/java/org/springframework/data/relational/core/mapping/SpelExpressionResultSanitizer.java
@@ -0,0 +1,10 @@
+package org.springframework.data.relational.core.mapping;
+
+/**
+ * Interface for sanitizing Spel Expression results
+ *
+ * @author Kurt Niemi
+ */
+public interface SpelExpressionResultSanitizer {
+    public String sanitize(String result);
+}
diff --git a/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentPropertyUnitTests.java b/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentPropertyUnitTests.java
index ce3a77ea2d..2353db4370 100644
--- a/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentPropertyUnitTests.java
+++ b/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/BasicRelationalPersistentPropertyUnitTests.java
@@ -40,6 +40,7 @@
  * @author Oliver Gierke
  * @author Florian Lüdiger
  * @author Bastian Wilhelm
+ * @author Kurt Niemi
  */
 public class BasicRelationalPersistentPropertyUnitTests {
 
@@ -68,6 +69,19 @@ public void detectsAnnotatedColumnAndKeyName() {
 		assertThat(listProperty.getKeyColumn()).isEqualTo(quoted("dummy_key_column_name"));
 	}
 
+	@Test // GH-1325
+	void testRelationalPersistentEntitySpelExpressions() {
+
+		assertThat(entity.getRequiredPersistentProperty("spelExpression1").getColumnName()).isEqualTo(quoted("THE_FORCE_IS_WITH_YOU"));
+		assertThat(entity.getRequiredPersistentProperty("littleBobbyTables").getColumnName())
+				.isEqualTo(quoted("DROPALLTABLES"));
+
+		// Test that sanitizer does affect non-spel expressions
+		assertThat(entity.getRequiredPersistentProperty(
+				"poorDeveloperProgrammaticallyAskingToShootThemselvesInTheFoot").getColumnName())
+				.isEqualTo(quoted("--; DROP ALL TABLES;--"));
+	}
+
 	@Test // DATAJDBC-111
 	public void detectsEmbeddedEntity() {
 
@@ -149,6 +163,22 @@ private static class DummyEntity {
 		// DATACMNS-106
 		private @Column("dummy_name") String name;
 
+		public static String spelExpression1Value = "THE_FORCE_IS_WITH_YOU";
+
+		public static String littleBobbyTablesValue = "--; DROP ALL TABLES;--";
+		@Column(value="#{T(org.springframework.data.relational.core.mapping." +
+				"BasicRelationalPersistentPropertyUnitTests$DummyEntity" +
+				").spelExpression1Value}")
+		private String spelExpression1;
+
+		@Column(value="#{T(org.springframework.data.relational.core.mapping." +
+				"BasicRelationalPersistentPropertyUnitTests$DummyEntity" +
+				").littleBobbyTablesValue}")
+		private String littleBobbyTables;
+
+		@Column(value="--; DROP ALL TABLES;--")
+		private String poorDeveloperProgrammaticallyAskingToShootThemselvesInTheFoot;
+
 		// DATAJDBC-111
 		private @Embedded(onEmpty = OnEmpty.USE_NULL) EmbeddableEntity embeddableEntity;
 
diff --git a/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImplUnitTests.java b/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImplUnitTests.java
index 9de2750579..7998a647f6 100644
--- a/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImplUnitTests.java
+++ b/spring-data-relational/src/test/java/org/springframework/data/relational/core/mapping/RelationalPersistentEntityImplUnitTests.java
@@ -31,6 +31,7 @@
  * @author Bastian Wilhelm
  * @author Mark Paluch
  * @author Mikhail Polivakha
+ * @author Kurt Niemi
  */
 class RelationalPersistentEntityImplUnitTests {
 
@@ -96,6 +97,41 @@ void testRelationalPersistentEntitySchemaNameChoice() {
 		assertThat(entity.getTableName()).isEqualTo(simpleExpected);
 	}
 
+	@Test // GH-1325
+	void testRelationalPersistentEntitySpelExpression() {
+
+		mappingContext = new RelationalMappingContext(NamingStrategyWithSchema.INSTANCE);
+		RelationalPersistentEntity<?> entity = mappingContext.getRequiredPersistentEntity(EntityWithSchemaAndTableSpelExpression.class);
+
+		SqlIdentifier simpleExpected = quoted("USE_THE_FORCE");
+		SqlIdentifier expected = SqlIdentifier.from(quoted("HELP_ME_OBI_WON"), simpleExpected);
+		assertThat(entity.getQualifiedTableName()).isEqualTo(expected);
+		assertThat(entity.getTableName()).isEqualTo(simpleExpected);
+	}
+	@Test // GH-1325
+	void testRelationalPersistentEntitySpelExpression_Sanitized() {
+
+		mappingContext = new RelationalMappingContext(NamingStrategyWithSchema.INSTANCE);
+		RelationalPersistentEntity<?> entity = mappingContext.getRequiredPersistentEntity(LittleBobbyTables.class);
+
+		SqlIdentifier simpleExpected = quoted("RobertDROPTABLEstudents");
+		SqlIdentifier expected = SqlIdentifier.from(quoted("LITTLE_BOBBY_TABLES"), simpleExpected);
+		assertThat(entity.getQualifiedTableName()).isEqualTo(expected);
+		assertThat(entity.getTableName()).isEqualTo(simpleExpected);
+	}
+
+	@Test // GH-1325
+	void testRelationalPersistentEntitySpelExpression_NonSpelExpression() {
+
+		mappingContext = new RelationalMappingContext(NamingStrategyWithSchema.INSTANCE);
+		RelationalPersistentEntity<?> entity = mappingContext.getRequiredPersistentEntity(EntityWithSchemaAndName.class);
+
+		SqlIdentifier simpleExpected = quoted("I_AM_THE_SENATE");
+		SqlIdentifier expected = SqlIdentifier.from(quoted("DART_VADER"), simpleExpected);
+		assertThat(entity.getQualifiedTableName()).isEqualTo(expected);
+		assertThat(entity.getTableName()).isEqualTo(simpleExpected);
+	}
+
 	@Test // GH-1099
 	void specifiedSchemaGetsCombinedWithNameFromNamingStrategy() {
 
@@ -117,6 +153,24 @@ private static class EntityWithSchemaAndName {
 		@Id private Long id;
 	}
 
+	@Table(schema = "HELP_ME_OBI_WON",
+			name="#{T(org.springframework.data.relational.core.mapping." +
+					"RelationalPersistentEntityImplUnitTests$EntityWithSchemaAndTableSpelExpression" +
+					").desiredTableName}")
+	private static class EntityWithSchemaAndTableSpelExpression {
+		@Id private Long id;
+		public static String desiredTableName = "USE_THE_FORCE";
+	}
+
+	@Table(schema = "LITTLE_BOBBY_TABLES",
+			name="#{T(org.springframework.data.relational.core.mapping." +
+					"RelationalPersistentEntityImplUnitTests$LittleBobbyTables" +
+					").desiredTableName}")
+	private static class LittleBobbyTables {
+		@Id private Long id;
+		public static String desiredTableName = "Robert'); DROP TABLE students;--";
+	}
+
 	@Table("dummy_sub_entity")
 	static class DummySubEntity {
 		@Id @Column("renamedId") Long id;