Use prepared statements to avoid injection attack and clickhouse native array to improve performance

Author: dippindots

src/main/java/org/cbioportal/persistence/helper/StudyViewFilterHelper.java

@@ -34,13 +34,21 @@ public static StudyViewFilterHelper build(@Nullable StudyViewFilter studyViewFil
     private final StudyViewFilter studyViewFilter;
     private final CategorizedGenericAssayDataCountFilter categorizedGenericAssayDataCountFilter;
     private final List<CustomSampleIdentifier> customDataSamples;
+    private final String[] filteredSampleIdentifiers;
 
     private StudyViewFilterHelper(@NonNull StudyViewFilter studyViewFilter, 
                                   @NonNull Map<DataSource, List<MolecularProfile>> genericAssayProfilesMap,
                                   @NonNull List<CustomSampleIdentifier> customDataSamples) {
         this.studyViewFilter = studyViewFilter;
         this.categorizedGenericAssayDataCountFilter = extractGenericAssayDataCountFilters(studyViewFilter, genericAssayProfilesMap);
         this.customDataSamples = customDataSamples;
+        if (studyViewFilter != null && studyViewFilter.getSampleIdentifiers() != null) {
+            this.filteredSampleIdentifiers = studyViewFilter.getSampleIdentifiers().stream()
+                .map(sampleIdentifier -> sampleIdentifier.getStudyId() + "_" + sampleIdentifier.getSampleId())
+                .toArray(String[]::new);
+        } else {
+            this.filteredSampleIdentifiers = new String[0];
+        }
     }
 
     public StudyViewFilter studyViewFilter() {
@@ -54,6 +62,10 @@ public CategorizedGenericAssayDataCountFilter categorizedGenericAssayDataCountFi
     public List<CustomSampleIdentifier> customDataSamples() {
         return this.customDataSamples;
     }
+    
+    public String[] filteredSampleIdentifiers() {
+        return this.filteredSampleIdentifiers;
+    }
 
     private CategorizedGenericAssayDataCountFilter extractGenericAssayDataCountFilters(final StudyViewFilter studyViewFilter, Map<DataSource, List<MolecularProfile>> genericAssayProfilesMap) {
         if ((studyViewFilter.getGenericAssayDataFilters() == null || genericAssayProfilesMap.isEmpty()))

src/main/java/org/cbioportal/web/parameter/CustomSampleIdentifier.java

@@ -22,4 +22,14 @@ public String getValue() {
     public void setValue(String value) {
         this.value = value;
     }
+
+    // Generating unique SampleId by concatenating studyId and sampleId
+    public String getUniqueSampleId() {
+        // Assuming studyId and sampleId are available in SampleIdentifier
+        // Concatenate with "_" in between if both values are not null
+        if (getStudyId() != null && getSampleId() != null) {
+            return getStudyId() + "_" + getSampleId();
+        }
+        return null;  // or return a default value if either studyId or sampleId is null
+    }
 }

src/main/resources/org/cbioportal/persistence/mybatisclickhouse/StudyViewFilterMapper.xml

@@ -59,14 +59,14 @@
 
             </if>
 
-            <if test="studyViewFilterHelper.studyViewFilter.sampleIdentifiers != null and !studyViewFilterHelper.studyViewFilter.sampleIdentifiers.isEmpty()">
-                INTERSECT
+            <if test="studyViewFilterHelper.filteredSampleIdentifiers != null and studyViewFilterHelper.filteredSampleIdentifiers.length > 0">
+            INTERSECT
                 SELECT sample_unique_id
                 FROM sample_derived
                 WHERE sample_unique_id IN
-                <foreach item="sampleIdentifier" collection="studyViewFilterHelper.studyViewFilter.sampleIdentifiers" open="(" separator="," close=")">
-                    '${sampleIdentifier.studyId}_${sampleIdentifier.sampleId}'
-                </foreach>
+                (
+                    #{studyViewFilterHelper.filteredSampleIdentifiers, typeHandler=org.apache.ibatis.type.ArrayTypeHandler}
+                )
             </if>
             <if test="studyViewFilterHelper.studyViewFilter.customDataFilters != null and !studyViewFilterHelper.studyViewFilter.customDataFilters.isEmpty() and studyViewFilterHelper.customDataSamples != null">
                 INTERSECT
@@ -84,8 +84,8 @@
                             sample_unique_id IN (
                                 '',
                                 <foreach item="sampleIdentifier" collection="studyViewFilterHelper.customDataSamples" separator=",">
-                                    <if test="!sampleIdentifier.getIsFilteredOut()">
-                                        '${sampleIdentifier.studyId}_${sampleIdentifier.sampleId}'
+                                    <if test="!sampleIdentifier.getIsFilteredOut() and sampleIdentifier.getUniqueSampleId != null">
+                                        #{sampleIdentifier.getUniqueSampleId}
                                     </if>
                                 </foreach>
                             )
@@ -96,7 +96,9 @@
                                     OR
                                     sample_unique_id NOT IN (
                                         <foreach item="sampleIdentifier" collection="studyViewFilterHelper.customDataSamples" separator=",">
-                                            '${sampleIdentifier.studyId}_${sampleIdentifier.sampleId}'
+                                            <if test="sampleIdentifier.getUniqueSampleId != null">
+                                                #{sampleIdentifier.getUniqueSampleId}
+                                            </if>
                                         </foreach>
                                     )
                                 </if>