Fix release workflow GPG secret names to match JFalkorDB pattern (#11)

shahar-biron · web-flow · commit 768dc63e339a · 2025-10-27T14:31:31.000+02:00
* Fix release workflow to use correct GPG secret names matching JFalkorDB pattern * Fix critical CodeRabbitAI issues - Fix ORDER BY for count/exists queries (don't add ORDER BY to aggregation queries) - Fix regex injection vulnerability by properly escaping user input with Pattern.quote() - Add parameter bounds checking to prevent ArrayIndexOutOfBoundsException - Fix ID semantics: only set internal IDs, never overwrite external @id properties These changes address security and correctness issues identified by CodeRabbitAI in PR #10.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,8 +26,8 @@ jobs:
         distribution: 'temurin'
         cache: maven
         server-id: central
-        server-username: CENTRAL_USERNAME
-        server-password: CENTRAL_TOKEN
+        server-username: MAVEN_CENTRAL_USERNAME
+        server-password: MAVEN_CENTRAL_TOKEN
         
     - name: Cache Maven dependencies
       uses: actions/cache@v4
@@ -45,7 +45,8 @@ jobs:
     - name: Get version from tag
       id: get_version
       run: |
-        realversion="${GITHUB_REF/refs\/tags\/v/}"
+        realversion="${GITHUB_REF/refs\/tags\/}"
+        realversion="${realversion//v/}"
         echo "VERSION=$realversion" >> $GITHUB_OUTPUT
         
     - name: Update version in POM
@@ -56,8 +57,8 @@ jobs:
       if: github.event_name == 'release'  
       uses: crazy-max/ghaction-import-gpg@v6
       with:
-        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-        passphrase: ${{ secrets.GPG_PASSPHRASE }}
+        gpg_private_key: ${{ secrets.OSSH_GPG_SECRET_KEY }}
+        passphrase: ${{ secrets.OSSH_GPG_SECRET_KEY_PASSWORD }}
         
     - name: Start FalkorDB
       run: |
@@ -79,9 +80,9 @@ jobs:
           --batch-mode \
           clean deploy -P release
       env:
-        CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
-        CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
-        MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        MAVEN_CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
+        MAVEN_CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
+        MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSH_GPG_SECRET_KEY_PASSWORD }}
         
     - name: Build artifacts for workflow dispatch
       if: github.event_name == 'workflow_dispatch'
diff --git a/src/main/java/org/springframework/data/falkordb/core/mapping/DefaultFalkorDBEntityConverter.java b/src/main/java/org/springframework/data/falkordb/core/mapping/DefaultFalkorDBEntityConverter.java
@@ -656,9 +656,10 @@ private Object saveEntityAndGetId(Object entity, FalkorDBPersistentEntity<?> per
 		});
 
 		if (nodeId != null) {
-			// Update the entity's ID property if it exists and is writable
+			// Update the entity's ID property only if it's an internal FalkorDB ID
+			// Never overwrite external @Id properties with internal node IDs
 			FalkorDBPersistentProperty idProperty = persistentEntity.getIdProperty();
-			if (idProperty != null && !idProperty.isImmutable()) {
+			if (idProperty != null && !idProperty.isImmutable() && idProperty.isInternalIdProperty()) {
 				accessor.setProperty(idProperty, nodeId);
 			}
 
diff --git a/src/main/java/org/springframework/data/falkordb/repository/query/DerivedCypherQueryGenerator.java b/src/main/java/org/springframework/data/falkordb/repository/query/DerivedCypherQueryGenerator.java
@@ -130,8 +130,9 @@ else if (this.partTree.isDelete()) {
 			cypher.append(" RETURN n");
 		}
 
-		// Add ORDER BY clause
-		if (sort.isSorted() && !this.partTree.isDelete()) {
+		// Add ORDER BY clause (only for regular SELECT queries, not for count/exists/delete)
+		if (sort.isSorted() && !this.partTree.isDelete() && !this.partTree.isCountProjection()
+				&& !this.partTree.isExistsProjection()) {
 			cypher.append(" ORDER BY ");
 			boolean first = true;
 			for (Sort.Order order : sort) {
@@ -168,6 +169,13 @@ private void appendCondition(StringBuilder cypher, Part part, Map<String, Object
 
 		String property = part.getProperty().toDotPath();
 		String paramName = "param" + parameterIndex.getAndIncrement();
+		int currentParamIndex = parameterIndex.get() - 1;
+
+		// Validate parameter index bounds
+		if (currentParamIndex >= parameters.length) {
+			throw new IllegalArgumentException("Parameter index " + currentParamIndex
+					+ " out of bounds for parameters array of length " + parameters.length);
+		}
 
 		switch (part.getType()) {
 			case SIMPLE_PROPERTY:
@@ -196,26 +204,36 @@ private void appendCondition(StringBuilder cypher, Part part, Map<String, Object
 				break;
 			case LIKE:
 				cypher.append("n.").append(property).append(" =~ $").append(paramName);
-				// Convert SQL LIKE to regex pattern
+				// Convert SQL LIKE to regex pattern with proper escaping
 				String likeValue = String.valueOf(parameters[parameterIndex.get() - 1]);
-				String regexPattern = "(?i)" + likeValue.replace("%", ".*").replace("_", ".");
+				// Split by wildcards, escape each part, then reassemble
+				String regexPattern = likeValue.replace("%", "\u0000").replace("_", "\u0001");
+				regexPattern = java.util.regex.Pattern.quote(regexPattern);
+				regexPattern = regexPattern.replace("\\Q\u0000\\E", ".*").replace("\\Q\u0001\\E", ".");
+				regexPattern = "(?i)" + regexPattern;
 				queryParameters.put(paramName, regexPattern);
 				break;
 			case STARTING_WITH:
 				cypher.append("n.").append(property).append(" =~ $").append(paramName);
-				queryParameters.put(paramName, "(?i)" + parameters[parameterIndex.get() - 1] + ".*");
+				String startValue = String.valueOf(parameters[parameterIndex.get() - 1]);
+				queryParameters.put(paramName, "(?i)" + java.util.regex.Pattern.quote(startValue) + ".*");
 				break;
 			case ENDING_WITH:
 				cypher.append("n.").append(property).append(" =~ $").append(paramName);
-				queryParameters.put(paramName, "(?i).*" + parameters[parameterIndex.get() - 1]);
+				String endValue = String.valueOf(parameters[parameterIndex.get() - 1]);
+				queryParameters.put(paramName, "(?i).*" + java.util.regex.Pattern.quote(endValue));
 				break;
 			case CONTAINING:
 				cypher.append("n.").append(property).append(" =~ $").append(paramName);
-				queryParameters.put(paramName, "(?i).*" + parameters[parameterIndex.get() - 1] + ".*");
+				String containValue = String.valueOf(parameters[parameterIndex.get() - 1]);
+				queryParameters.put(paramName,
+						"(?i).*" + java.util.regex.Pattern.quote(containValue) + ".*");
 				break;
 			case NOT_CONTAINING:
 				cypher.append("NOT n.").append(property).append(" =~ $").append(paramName);
-				queryParameters.put(paramName, "(?i).*" + parameters[parameterIndex.get() - 1] + ".*");
+				String notContainValue = String.valueOf(parameters[parameterIndex.get() - 1]);
+				queryParameters.put(paramName,
+						"(?i).*" + java.util.regex.Pattern.quote(notContainValue) + ".*");
 				break;
 			case IS_NULL:
 				cypher.append("n.").append(property).append(" IS NULL");
