Custom sample filtering performance and security improvement (#11296)

* Use prepared statements to avoid injection attack and clickhouse native array to improve performance * Dynamically calculate sample identifiers in study view filter helper
cBioPortal · Dec 19, 2024 · 6d58f8f · 6d58f8f
1 parent a7d0d14
commit 6d58f8f
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 9 deletions.
diff --git a/src/main/java/org/cbioportal/persistence/helper/StudyViewFilterHelper.java b/src/main/java/org/cbioportal/persistence/helper/StudyViewFilterHelper.java
@@ -79,6 +79,16 @@ public List<CustomSampleIdentifier> customDataSamples() {
         return this.customDataSamples;
     }
 
+    public String[] filteredSampleIdentifiers() {
+        if (studyViewFilter != null && studyViewFilter.getSampleIdentifiers() != null) {
+            return studyViewFilter.getSampleIdentifiers().stream()
+                .map(sampleIdentifier -> sampleIdentifier.getStudyId() + "_" + sampleIdentifier.getSampleId())
+                .toArray(String[]::new);
+        } else {
+            return new String[0];
+        }
+    }
+
     public List<String> involvedCancerStudies() {
         return involvedCancerStudies;
     }

diff --git a/src/main/java/org/cbioportal/web/parameter/CustomSampleIdentifier.java b/src/main/java/org/cbioportal/web/parameter/CustomSampleIdentifier.java
@@ -6,6 +6,7 @@ public class CustomSampleIdentifier extends SampleIdentifier implements Serializ
 
     private boolean isFilteredOut = false;
     private String value;
+    private String uniqueSampleId;
 
     public boolean getIsFilteredOut() {
         return isFilteredOut;
@@ -22,4 +23,14 @@ public String getValue() {
     public void setValue(String value) {
         this.value = value;
     }
+
+    // Generating unique SampleId by concatenating studyId and sampleId
+    public String getUniqueSampleId() {
+        // Assuming studyId and sampleId are available in SampleIdentifier
+        // Concatenate with "_" in between if both values are not null
+        if (getStudyId() != null && getSampleId() != null) {
+            return getStudyId() + "_" + getSampleId();
+        }
+        return null;  // or return null if either studyId or sampleId is null
+    }
 }
diff --git a/src/main/resources/org/cbioportal/persistence/mybatisclickhouse/StudyViewFilterMapper.xml b/src/main/resources/org/cbioportal/persistence/mybatisclickhouse/StudyViewFilterMapper.xml
@@ -60,15 +60,15 @@
                 )
 
             </if>
-
-            <if test="studyViewFilterHelper.studyViewFilter.sampleIdentifiers != null and !studyViewFilterHelper.studyViewFilter.sampleIdentifiers.isEmpty()">
-                INTERSECT
+            <bind name="filteredSampleIdentifiers" value="studyViewFilterHelper.filteredSampleIdentifiers()" />
+            <if test="filteredSampleIdentifiers != null and filteredSampleIdentifiers.length > 0">
+            INTERSECT
                 SELECT sample_unique_id
                 FROM sample_derived
                 WHERE sample_unique_id IN
-                <foreach item="sampleIdentifier" collection="studyViewFilterHelper.studyViewFilter.sampleIdentifiers" open="(" separator="," close=")">
-                    '${sampleIdentifier.studyId}_${sampleIdentifier.sampleId}'
-                </foreach>
+                (
+                    #{filteredSampleIdentifiers, typeHandler=org.apache.ibatis.type.ArrayTypeHandler}
+                )
             </if>
             <if test="studyViewFilterHelper.studyViewFilter.customDataFilters != null and !studyViewFilterHelper.studyViewFilter.customDataFilters.isEmpty() and studyViewFilterHelper.customDataSamples != null">
                 INTERSECT
@@ -86,8 +86,8 @@
                             sample_unique_id IN (
                                 '',
                                 <foreach item="sampleIdentifier" collection="studyViewFilterHelper.customDataSamples" separator=",">
-                                    <if test="!sampleIdentifier.getIsFilteredOut()">
-                                        '${sampleIdentifier.studyId}_${sampleIdentifier.sampleId}'
+                                    <if test="!sampleIdentifier.getIsFilteredOut() and sampleIdentifier.getUniqueSampleId() != null">
+                                        #{sampleIdentifier.uniqueSampleId}
                                     </if>
                                 </foreach>
                             )
@@ -97,8 +97,11 @@
                                 <if test="customDataFilterValue.value eq 'NA'">
                                     OR
                                     sample_unique_id NOT IN (
+                                        '',
                                         <foreach item="sampleIdentifier" collection="studyViewFilterHelper.customDataSamples" separator=",">
-                                            '${sampleIdentifier.studyId}_${sampleIdentifier.sampleId}'
+                                            <if test="sampleIdentifier.getUniqueSampleId() != null">
+                                                #{sampleIdentifier.uniqueSampleId}
+                                            </if>
                                         </foreach>
                                     )
                                 </if>