
Conversation

@sheyanjie-qq
Contributor

Description

Please briefly describe the code changes in this pull request.

Jira: https://jira.taosdata.com:18080/browse/TD-

Checklist

Please check the items in the checklist if applicable.

  • Is the user manual updated?
  • Are the test cases passed and automated?
  • Is there no significant decrease in test coverage?

@gemini-code-assist
Contributor

Summary of Changes

Hello @sheyanjie-qq, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the security and code quality of the JDBC driver. It primarily addresses potential SQL injection vulnerabilities by migrating several database metadata queries to use parameterized statements. Additionally, it refines exception handling mechanisms for better robustness and introduces structural improvements like centralizing utility functions and modularizing WebSocket client setup, all aimed at improving the overall stability and maintainability of the codebase.

Highlights

  • SQL Injection Prevention: Refactored AbstractDatabaseMetaData methods to use parameterized queries instead of string concatenation, significantly reducing the risk of SQL injection vulnerabilities.
  • Improved Exception Handling: Enhanced error handling across various JDBC components (AbstractConnection, TSDBStatement, Transport) for InterruptedException and ExecutionException, ensuring proper thread interruption and consistent error reporting.
  • Code Quality and Refactoring: Introduced a new BlockUtil class to centralize null-checking logic, modularized WebSocket client initialization into WebSocketChannelInitializer, and applied various SonarQube-recommended improvements like NOSONAR annotations and private constructors for utility classes.
  • Concurrency Safety: Updated WSEWPreparedStatement and WSRetryableStmt to use AtomicReference for lastError to ensure thread-safe updates in concurrent environments.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/build.yml
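The summary above says the metadata lookups moved from string concatenation to parameterized queries. The following is an added illustration of that change, written for this page rather than taken from the driver's AbstractDatabaseMetaData: the system table information_schema.ins_tables and its db_name and table_name columns, the class name and the method names are all assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not the driver's code: the same metadata lookup written
 * the vulnerable way and the parameterized way.
 * Assumed schema: information_schema.ins_tables(db_name, table_name).
 */
public final class MetaDataQueryExample {

    private MetaDataQueryExample() {
        // utility class, no instances (the convention the PR applies to its util classes)
    }

    /**
     * BEFORE: the caller-supplied database name is spliced into the SQL text.
     * The value is interpreted as SQL, so a name containing a quote changes the
     * meaning of the statement instead of being treated as data.
     */
    public static List<String> listTablesUnsafe(Connection conn, String dbName) throws SQLException {
        String sql = "SELECT table_name FROM information_schema.ins_tables WHERE db_name = '"
                + dbName + "'";
        List<String> names = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    /**
     * AFTER: the SQL text is constant; the database name travels as a bound
     * parameter, so the server always treats it as a value, never as SQL.
     */
    public static List<String> listTablesSafe(Connection conn, String dbName) throws SQLException {
        String sql = "SELECT table_name FROM information_schema.ins_tables WHERE db_name = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, dbName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    /**
     * DatabaseMetaData methods usually take LIKE patterns rather than exact
     * names; a pattern is still bound as a parameter, only the operator changes.
     */
    public static List<String> listTablesMatching(Connection conn, String dbName, String tablePattern)
            throws SQLException {
        String sql = "SELECT table_name FROM information_schema.ins_tables"
                + " WHERE db_name = ? AND table_name LIKE ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, dbName);
            ps.setString(2, tablePattern);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }
}
```

One caveat worth keeping in mind when reviewing this kind of refactor: only values can be bound as parameters. Where a metadata method has to place an identifier (a table or column name) into the statement text, parameterization does not apply, and the identifier must instead be validated against an allow-list or quoted with the database's identifier-quoting rules before it is concatenated.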

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request addresses several SonarQube issues and security vulnerabilities, which is a great improvement. The use of parameterized queries to prevent SQL injection is a critical security fix. The refactoring of exception handling, particularly for InterruptedException, and the improvements to singleton implementation and code structure are also valuable.

However, I've identified a few new issues that have been introduced:

  • A critical performance issue due to Thread.sleep() in a Netty I/O thread.
  • A potential concurrency issue from removing the volatile keyword without alternative synchronization.
  • A potential resource leak from not properly canceling a task on timeout.

Please see the detailed comments for suggestions on how to address these points.

@codecov-commenter

codecov-commenter commented Dec 1, 2025

Codecov Report

❌ Patch coverage is 81.02837% with 107 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.18%. Comparing base (9c473bc) to head (8f0c909).

Files with missing lines                                   | Patch % | Lines
...va/com/taosdata/jdbc/AbstractDatabaseMetaData.java       | 82.56%  | 9 Missing and 10 partials ⚠️
src/main/java/com/taosdata/jdbc/ws/Transport.java          | 50.00%  | 17 Missing and 1 partial ⚠️
src/main/java/com/taosdata/jdbc/ws/WSClient.java           | 64.28%  | 7 Missing and 3 partials ⚠️
src/main/java/com/taosdata/jdbc/TSDBStatement.java         | 0.00%   | 9 Missing ⚠️
...taosdata/jdbc/ws/tmq/entity/FetchRawBlockResp.java      | 30.00%  | 0 Missing and 7 partials ⚠️
...ain/java/com/taosdata/jdbc/AbstractConnection.java      | 77.77%  | 6 Missing ⚠️
...va/com/taosdata/jdbc/ws/WSEWPreparedStatement.java      | 45.45%  | 5 Missing and 1 partial ⚠️
.../taosdata/jdbc/ws/WebSocketChannelInitializer.java      | 80.00%  | 5 Missing and 1 partial ⚠️
.../com/taosdata/jdbc/ws/tmq/WSConsumerResultSet.java      | 58.33%  | 5 Missing ⚠️
...a/com/taosdata/jdbc/utils/DataTypeConvertUtil.java      | 0.00%   | 4 Missing ⚠️
... and 8 more
Additional details and impacted files
@@             Coverage Diff              @@
##               main     #295      +/-   ##
============================================
+ Coverage     74.17%   78.18%   +4.01%     
- Complexity     4065     4197     +132     
============================================
  Files           223      224       +1     
  Lines         13455    13225     -230     
  Branches       1761     1751      -10     
============================================
+ Hits           9980    10340     +360     
+ Misses         2372     1935     -437     
+ Partials       1103      950     -153     
Flag      | Coverage Δ
unittests | 78.18% <81.02%> (+4.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


@sheyanjie-qq
Contributor Author

/gemini review

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a significant number of improvements, primarily focused on addressing SonarQube errors and security vulnerabilities. Key changes include the remediation of SQL injection risks by adopting parameterized queries, enhanced exception handling for InterruptedException, and substantial refactoring of abstract classes to reduce code duplication. Additionally, numerous style and correctness fixes have been applied throughout the codebase, such as converting fields to final and adhering to camelCase naming conventions. My review highlights a few areas for further improvement, including an inconsistency in the refactoring of unsupported methods, a potential behavioral change in EmptyResultSet that could affect backward compatibility, and a possible concurrency issue in SyncObj related to spurious wakeups.
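The two review comments above raise the same family of concurrency issues: InterruptedException and ExecutionException handling, the removal of a volatile flag without other synchronization, a pending task that is not cancelled on timeout, and a SyncObj that may wake spuriously. The block below is an added example written for this page, not code from the driver; the class names AwaitExamples, DriverException and SyncObj and the method names are hypothetical, and DriverException stands in for whatever exception type the driver actually throws.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example, not the driver's code: the patterns the review asks for,
 * in one small class.
 */
public final class AwaitExamples {

    private AwaitExamples() {
        // utility class, no instances
    }

    /** Hypothetical stand-in for the driver's checked exception type. */
    public static final class DriverException extends Exception {
        public DriverException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Wait for an in-flight request with a deadline.
     * - On timeout the future is cancelled, so the pending task does not linger
     *   holding whatever slot or buffer it was given.
     * - On interrupt the interrupt flag is restored, so callers further up the
     *   stack still observe it instead of the interrupt being swallowed.
     * - On ExecutionException the underlying cause is reported, not the wrapper.
     */
    public static <T> T awaitWithTimeout(CompletableFuture<T> future, long timeoutMs)
            throws DriverException {
        try {
            return future.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            future.cancel(true);
            throw new DriverException("request timed out after " + timeoutMs + " ms", e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            future.cancel(true);
            throw new DriverException("interrupted while waiting for the response", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            throw new DriverException("request failed: " + cause.getMessage(), cause);
        }
    }

    /**
     * A minimal wait/notify synchronisation object. The flag is guarded by the
     * lock rather than declared volatile, and the condition is re-checked in a
     * loop because Object.wait() may return without a matching notify
     * (spurious wakeup) or after a notifyAll() meant for another waiter.
     */
    public static final class SyncObj {
        private final Object lock = new Object();
        private boolean signalled; // guarded by lock

        public void signal() {
            synchronized (lock) {
                signalled = true;
                lock.notifyAll();
            }
        }

        /** Returns true if signalled before the deadline, false on timeout. */
        public boolean await(long timeoutMs) throws InterruptedException {
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
            synchronized (lock) {
                while (!signalled) {
                    long remaining = deadline - System.nanoTime();
                    if (remaining <= 0) {
                        return false; // timed out; the condition never became true
                    }
                    TimeUnit.NANOSECONDS.timedWait(lock, remaining);
                }
                signalled = false; // consume the signal so the next round waits again
                return true;
            }
        }
    }
}
```

The Thread.sleep() finding from the first review is not shown here because it needs Netty: the fix there is not a different sleep but moving the delay off the I/O thread entirely, for example by scheduling a delayed task on the channel's event loop, since a blocked event-loop thread stalls every channel it serves.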

@sheyanjie-qq sheyanjie-qq force-pushed the chore/fix-sonar branch 2 times, most recently from 6a02e11 to 69adee8, December 3, 2025 06:38
@sheyanjie-qq
Contributor Author

/gemini review

@gemini-code-assist
Contributor

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@sheyanjie-qq sheyanjie-qq force-pushed the chore/fix-sonar branch 7 times, most recently from 72d7130 to 2126f3e, December 4, 2025 07:21
@sheyanjie-qq sheyanjie-qq force-pushed the chore/fix-sonar branch 2 times, most recently from 3cd574c to 340de7c, December 5, 2025 06:03
@sheyanjie-qq
Contributor Author

/gemini review

@gemini-code-assist
Contributor

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!
