From 9f6cd0168f56e5dbbb835fb7b273b34aa2ba886b Mon Sep 17 00:00:00 2001
From: Nitin Singla
Date: Wed, 9 Oct 2024 23:50:33 +0530
Subject: [PATCH] Bug fix: Enhanced SQL statement validation with word boundary matching
Enhanced SQL statement validation to handle disallowed keywords appearing as substrings. Introduced regular expression-based word boundary matching to accurately detect whole-word occurrences of disallowed operations, preventing potential misinterpretations and unintended false positives.
---
 .../dynamodb/qpt/DDBQueryPassthrough.java | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/athena-dynamodb/src/main/java/com/amazonaws/athena/connectors/dynamodb/qpt/DDBQueryPassthrough.java b/athena-dynamodb/src/main/java/com/amazonaws/athena/connectors/dynamodb/qpt/DDBQueryPassthrough.java
index 09a250a1fd..593d0930a9 100644
--- a/athena-dynamodb/src/main/java/com/amazonaws/athena/connectors/dynamodb/qpt/DDBQueryPassthrough.java
+++ b/athena-dynamodb/src/main/java/com/amazonaws/athena/connectors/dynamodb/qpt/DDBQueryPassthrough.java
@@ -32,6 +32,8 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 public class DDBQueryPassthrough implements QueryPassthroughSignature {
@@ -86,10 +88,21 @@ public void customConnectorVerifications(Map engineQptArguments)
 // List of disallowed keywords
 Set disallowedKeywords = ImmutableSet.of("INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER");
- // Check if the statement contains any disallowed keywords
- for (String keyword : disallowedKeywords) {
- if (upperCaseStatement.contains(keyword)) {
- throw new AthenaConnectorException("Unaccepted operation; only SELECT statements are allowed. Found: " + keyword, new ErrorDetails().withErrorCode(FederationSourceErrorCode.OperationNotSupportedException.toString()));
+ // Regular expression pattern to match one or more word characters
+ Pattern WORD_PATTERN = Pattern.compile("\\w+");
+
+ // Create a Matcher object to find all word matches in the SQL statement
+ Matcher matcher = WORD_PATTERN.matcher(uppercaseStatement);
+
+ // Iterate through all the word matches found by the Matcher
+ while (matcher.find()) {
+ // Get the matched word
+ String word = matcher.group();
+
+ // Check if the matched word is present in the disallowed keywords set
+ if (disallowedKeywords.contains(word)) {
+ // If a disallowed keyword is found, throw exception
+ throw new AthenaConnectorException("Unaccepted operation; only SELECT statements are allowed. Found: " + word, new ErrorDetails().withErrorCode(FederationSourceErrorCode.OperationNotSupportedException.toString()));
 }
 }
 }
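Review bot: The added `Matcher matcher = WORD_PATTERN.matcher(uppercaseStatement);` reads a local named `uppercaseStatement`, while the removed `if (upperCaseStatement.contains(keyword))` used `upperCaseStatement`; the declaration sits above the hunk and the diffstat shows no other change, so unless that local was already spelled `uppercaseStatement`, the new code does not compile and the keyword check is never applied. The local `Pattern WORD_PATTERN` is also recompiled on every call and named like a constant; hoist it to `private static final Pattern WORD_PATTERN = Pattern.compile("\\w+");` at class level and reference it from the method. Tokenising with `\w+` still flags a disallowed word inside a quoted string literal such as `'DELETE'`, and a deny-list of keywords cannot by itself establish that the statement is a SELECT as the error message claims; a positive check that the statement's first token is `SELECT`, kept alongside the deny-list, would make that guarantee hold. customConnectorVerifications starts before this hunk.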