Consistently use InvalidDataAccessApiUsageException for JpaOrder validation.

Closes #4062

Author: mp911de

spring-data-envers/src/main/java/org/springframework/data/envers/repository/support/EnversRevisionRepositoryImpl.java

@@ -44,6 +44,7 @@
 import org.springframework.data.history.RevisionMetadata;
 import org.springframework.data.history.RevisionSort;
 import org.springframework.data.history.Revisions;
+import org.springframework.data.jpa.repository.query.QueryUtils;
 import org.springframework.data.jpa.repository.support.JpaEntityInformation;
 import org.springframework.data.repository.core.EntityInformation;
 import org.springframework.data.repository.history.RevisionRepository;
@@ -166,6 +167,7 @@ private List<AuditOrder> mapPropertySort(Sort sort) {
 		List<AuditOrder> result = new ArrayList<>();
 		for (Sort.Order order : sort) {
 
+			QueryUtils.checkSortExpression(order);
 			AuditProperty<Object> property = AuditEntity.property(order.getProperty());
 			AuditOrder auditOrder = order.getDirection().isAscending() //
 					? property.asc() //

spring-data-jpa/src/main/java/org/springframework/data/jpa/repository/query/JpaQueryTransformerSupport.java

@@ -8,12 +8,10 @@
 import java.util.Set;
 import java.util.regex.Pattern;
 
-import org.springframework.dao.InvalidDataAccessApiUsageException;
-
 import org.jspecify.annotations.Nullable;
+
 import org.springframework.data.domain.Sort;
 import org.springframework.data.domain.Sort.NullHandling;
-import org.springframework.data.jpa.domain.JpaSort;
 import org.springframework.util.ObjectUtils;
 
 /**
@@ -61,7 +59,7 @@ List<QueryToken> orderBy(@Nullable String primaryFromAlias, Sort sort) {
 
 		sort.forEach(order -> {
 
-			checkSortExpression(order);
+			QueryUtils.checkSortExpression(order);
 
 			StringBuilder builder = new StringBuilder();
 
@@ -94,23 +92,6 @@ List<QueryToken> orderBy(@Nullable String primaryFromAlias, Sort sort) {
 		return tokens;
 	}
 
-	/**
-	 * Check any given {@link JpaSort.JpaOrder#isUnsafe()} order for presence of at least one property offending the
-	 * {@link #PUNCTUATION_PATTERN} and throw an {@link Exception} indicating potential unsafe order by expression.
-	 *
-	 * @param order
-	 */
-	private void checkSortExpression(Sort.Order order) {
-
-		if (order instanceof JpaSort.JpaOrder jpaOrder && jpaOrder.isUnsafe()) {
-			return;
-		}
-
-		if (PUNCTUATION_PATTERN.matcher(order.getProperty()).find()) {
-			throw new InvalidDataAccessApiUsageException(String.format(UNSAFE_PROPERTY_REFERENCE, order));
-		}
-	}
-
 	/**
 	 * Using the {@code primaryFromAlias} and the {@link org.springframework.data.domain.Sort.Order}, construct a suitable
 	 * argument to be added to an {@literal ORDER BY} expression.

spring-data-jpa/src/main/java/org/springframework/data/jpa/repository/query/KeysetScrollDelegate.java

@@ -64,7 +64,10 @@ public static Collection<String> getProjectionInputProperties(JpaEntityInformati
 			Collection<String> projectionProperties, Sort sort) {
 
 		Collection<String> properties = new LinkedHashSet<>(projectionProperties);
-		sort.forEach(it -> properties.add(it.getProperty()));
+		sort.forEach(it -> {
+			QueryUtils.checkSortExpression(it);
+			properties.add(it.getProperty());
+		});
 		properties.addAll(entity.getIdAttributeNames());
 
 		return properties;
@@ -95,6 +98,7 @@ public static Collection<String> getProjectionInputProperties(JpaEntityInformati
 			int j = 0;
 			for (Order inner : sort) {
 
+				QueryUtils.checkSortExpression(order);
 				E propertyExpression = strategy.createExpression(inner.getProperty());
 				Object o = keysetValues.get(inner.getProperty());
 

spring-data-jpa/src/main/java/org/springframework/data/jpa/repository/query/KeysetScrollSpecification.java

@@ -101,7 +101,6 @@ public CriteriaBuilderStrategy(From<?, ?> from, CriteriaBuilder cb) {
 
 		@Override
 		public Expression<Comparable> createExpression(String property) {
-
 			PropertyPath path = PropertyPath.from(property, from.getJavaType());
 			return QueryUtils.toExpressionRecursively(from, path);
 		}
@@ -164,6 +163,8 @@ public JpqlQueryBuilder.Predicate compare(Order order, JpqlQueryBuilder.Expressi
 			if (value == null) {
 				return order.isAscending() ? where.isNull() : where.isNotNull();
 			}
+
+			QueryUtils.checkSortExpression(order);
 			return order.isAscending() ? where.gt(factory.capture(order.getProperty(), value))
 					: where.lt(factory.capture(order.getProperty(), value));
 		}

spring-data-jpa/src/main/java/org/springframework/data/jpa/repository/query/QueryUtils.java

@@ -751,6 +751,8 @@ private static jakarta.persistence.criteria.Order toJpaOrder(Order order, From<?
 
 		Expression<?> expression;
 
+		checkSortExpression(order);
+
 		if (order instanceof JpaOrder jpaOrder && jpaOrder.isUnsafe()) {
 			expression = new HqlOrderExpressionVisitor(cb, from, QueryUtils::toExpressionRecursively)
 					.createCriteriaExpression(order);
@@ -784,7 +786,7 @@ private static Nulls toNulls(Sort.NullHandling nullHandling) {
 	 *
 	 * @param order
 	 */
-	static void checkSortExpression(Order order) {
+	public static void checkSortExpression(Order order) {
 
 		if (order instanceof JpaOrder jpaOrder && jpaOrder.isUnsafe()) {
 			return;

spring-data-jpa/src/main/java/org/springframework/data/jpa/repository/query/ScrollDelegate.java

@@ -86,7 +86,8 @@ private static <T> Window<T> createWindow(Sort sort, int limit, Direction direct
 		IntFunction<ScrollPosition> positionFunction = value -> {
 
 			T object = resultsToUse.get(value);
-			Map<String, Object> keys = entity.getKeyset(sort.stream().map(Order::getProperty).toList(), object);
+			Map<String, Object> keys = entity
+					.getKeyset(sort.stream().peek(QueryUtils::checkSortExpression).map(Order::getProperty).toList(), object);
 
 			return ScrollPosition.of(keys, direction);
 		};

spring-data-jpa/src/main/java/org/springframework/data/jpa/repository/support/Querydsl.java

@@ -23,6 +23,7 @@
 import org.springframework.data.domain.Sort;
 import org.springframework.data.domain.Sort.Order;
 import org.springframework.data.jpa.provider.PersistenceProvider;
+import org.springframework.data.jpa.repository.query.QueryUtils;
 import org.springframework.data.mapping.PropertyPath;
 import org.springframework.data.querydsl.QSort;
 import org.springframework.util.Assert;
@@ -228,6 +229,7 @@ private Expression<?> buildOrderPropertyPathFrom(Order order) {
 
 		Assert.notNull(order, "Order must not be null");
 
+		QueryUtils.checkSortExpression(order);
 		PropertyPath path = PropertyPath.from(order.getProperty(), builder.getType());
 		Expression<?> sortPropertyExpression = builder;
 

spring-data-jpa/src/test/java/org/springframework/data/jpa/repository/query/QueryUtilsIntegrationTests.java

@@ -50,6 +50,7 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
 
+import org.springframework.dao.InvalidDataAccessApiUsageException;
 import org.springframework.data.domain.Sort;
 import org.springframework.data.domain.Sort.Direction;
 import org.springframework.data.jpa.domain.sample.Category;
@@ -358,6 +359,19 @@ void toOrdersCanSortByJoinColumn() {
 		assertThat(orders).hasSize(1);
 	}
 
+	@Test //
+	void shouldReportCorrectException() {
+
+		CriteriaBuilder builder = em.getCriteriaBuilder();
+		CriteriaQuery<User> query = builder.createQuery(User.class);
+		Root<User> root = query.from(User.class);
+
+		Sort sort = Sort.by(Direction.ASC, "LENGTH(username)");
+
+		assertThatExceptionOfType(InvalidDataAccessApiUsageException.class)
+				.isThrownBy(() -> QueryUtils.toOrders(sort, root, builder));
+	}
+
 	@Test // GH-3529, GH-3587
 	void queryUtilsConsidersNullPrecedence() {