Added validation for operators and non raw column names

JanHolger · JanHolger · commit 478ef588db13 · 2021-03-30T20:28:09.000+02:00
diff --git a/src/main/java/org/javawebstack/orm/query/QueryColumn.java b/src/main/java/org/javawebstack/orm/query/QueryColumn.java
@@ -1,12 +1,16 @@
 package org.javawebstack.orm.query;
 
 import org.javawebstack.orm.TableInfo;
+import org.javawebstack.orm.exception.ORMQueryException;
 
 import java.util.Arrays;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 public class QueryColumn {
 
+    private static final Pattern NAME_PATTERN = Pattern.compile("[A-Za-z0-9_-]+");
+
     private final String name;
     private final boolean raw;
 
@@ -15,6 +19,8 @@ public QueryColumn(String name) {
     }
 
     public QueryColumn(String name, boolean raw) {
+        if(!raw)
+            validateName(name);
         this.name = name;
         this.raw = raw;
     }
@@ -37,4 +43,9 @@ public String toString(TableInfo info) {
         return Arrays.stream((info != null ? info.getColumnName(name) : name).split("\\.")).map(s -> "`" + s + "`").collect(Collectors.joining("."));
     }
 
+    private static void validateName(String name) {
+        if(!NAME_PATTERN.matcher(name).matches())
+            throw new ORMQueryException("Invalid column name '" + name + "' (Use raw in case you know what you're doing)");
+    }
+
 }
diff --git a/src/main/java/org/javawebstack/orm/query/QueryCondition.java b/src/main/java/org/javawebstack/orm/query/QueryCondition.java
@@ -1,15 +1,41 @@
 package org.javawebstack.orm.query;
 
+import org.javawebstack.orm.exception.ORMQueryException;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
+
 public class QueryCondition implements QueryElement {
 
+    private static final List<String> VALID_OPERATORS = Arrays.asList(
+            "=",
+            "<=>",
+            "!=",
+            "<>",
+            "<=",
+            ">=",
+            "<",
+            ">",
+            "is null",
+            "is not null",
+            "is",
+            "is not",
+            "in",
+            "not in",
+            "like",
+            "not like"
+    );
+
     private final Object left;
     private final String operator;
     private final Object right;
     private final boolean not;
 
     public QueryCondition(Object left, String operator, Object right, boolean not) {
+        validateOperator(operator);
         this.left = left;
-        this.operator = operator; // TODO Validate and throw exception
+        this.operator = operator;
         this.right = right;
         this.not = not;
     }
@@ -38,4 +64,9 @@ public boolean isNot() {
         return not;
     }
 
+    private static void validateOperator(String operator) {
+        if(!VALID_OPERATORS.contains(operator.toLowerCase(Locale.ROOT)))
+            throw new ORMQueryException("The given operator '" + operator + "' is invalid or not supported");
+    }
+
 }
