MINOR: Modify logic to use parameterized queries (#24902)

Author: ayush-shah

openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java

@@ -153,9 +153,9 @@ private String getEventSubscriptionAlertType() {
       return "";
     } else {
       if (Boolean.TRUE.equals(DatasourceConfig.getInstance().isMySQL())) {
-        return String.format("JSON_EXTRACT(json, '$.alertType') = '%s'", alertType);
+        return "JSON_UNQUOTE(JSON_EXTRACT(json, '$.alertType')) = :alertType";
       } else {
-        return String.format("json->>'alertType' = '%s'", alertType);
+        return "json->>'alertType' = :alertType";
       }
     }
   }
@@ -166,10 +166,9 @@ private String getNotificationTemplateCondition() {
       return "";
     } else {
       if (Boolean.TRUE.equals(DatasourceConfig.getInstance().isMySQL())) {
-        return String.format(
-            "JSON_EXTRACT(json, '$.notificationTemplate.id') = '%s'", notificationTemplate);
+        return "JSON_UNQUOTE(JSON_EXTRACT(json, '$.notificationTemplate.id')) = :notificationTemplate";
       } else {
-        return String.format("json->'notificationTemplate'->>'id' = '%s'", notificationTemplate);
+        return "json->'notificationTemplate'->>'id' = :notificationTemplate";
       }
     }
   }

openmetadata-service/src/test/java/org/openmetadata/service/resources/events/EventSubscriptionResourceTest.java

@@ -2598,4 +2598,46 @@ void test_querySubscriptionsByTemplate(TestInfo test) throws IOException {
     templateTest.deleteEntity(template1.getId(), ADMIN_AUTH_HEADERS);
     templateTest.deleteEntity(template2.getId(), ADMIN_AUTH_HEADERS);
   }
+
+  private void assertSqlInjectionAttempt(Map<String, String> params) throws IOException {
+    ResultList<EventSubscription> results = null;
+    try {
+      results = listEntities(params, ADMIN_AUTH_HEADERS);
+    } catch (HttpResponseException e) {
+      // SQL injection should not crash the server with a 500 error
+      assertTrue(e.getStatusCode() != 500, "SQL injection should not cause internal server error");
+      return;
+    }
+
+    // If no exception is thrown, malicious input must not expose any data
+    assertNotNull(results, "Malicious input should not produce null results");
+    assertTrue(
+        results.getData() == null || results.getData().isEmpty(),
+        "Malicious input should return empty results");
+  }
+
+  @Test
+  void test_parameterizedQueriesPreventSqlInjection(TestInfo test) throws IOException {
+    Map<String, String> sqlInjectionAttempts = new HashMap<>();
+    sqlInjectionAttempts.put("alertType", "Observability' OR '1'='1");
+    assertSqlInjectionAttempt(sqlInjectionAttempts);
+
+    sqlInjectionAttempts.clear();
+    sqlInjectionAttempts.put("alertType", "Observability'--");
+    assertSqlInjectionAttempt(sqlInjectionAttempts);
+
+    sqlInjectionAttempts.clear();
+    sqlInjectionAttempts.put("alertType", "' UNION SELECT * FROM user_entity--");
+    assertSqlInjectionAttempt(sqlInjectionAttempts);
+
+    sqlInjectionAttempts.clear();
+    sqlInjectionAttempts.put(
+        "notificationTemplate", "00000000-0000-0000-0000-000000000000' OR '1'='1");
+    assertSqlInjectionAttempt(sqlInjectionAttempts);
+
+    Map<String, String> validParams = new HashMap<>();
+    validParams.put("alertType", "Observability");
+    ResultList<EventSubscription> validResults = listEntities(validParams, ADMIN_AUTH_HEADERS);
+    assertNotNull(validResults, "Valid alertType should work correctly");
+  }
 }