fix: PR #4039 review item E4 — tighten Identifiers.AssertSafe to reject leading underscore

iancooper · claude · iancooper · commit e9aa73cae151 · 2026-05-19T00:37:31.000+01:00
Identifiers.AssertSafe accepted `^[A-Za-z_][A-Za-z0-9_]*$`, allowing identifiers that start with `_`. Spanner rejects `_`-prefixed names as reserved (which is why SpannerBoxMigrationRunner's internal history table is `BrighterMigrationHistory`, not `_BrighterMigrationHistory`). A user-configured `OutBoxTableName = "_my_outbox"` would therefore pass the framework chokepoint and fail at Spanner's DDL with a less actionable "reserved identifier" error. Tighten the regex to `^[A-Za-z][A-Za-z0-9_]*$` so the strictest supported backend's rule applies to the framework-level identifier validation. Underscores remain legal in non-leading positions; only the leading character is now restricted to `[A-Za-z]`. No internal caller passes a `_`-prefixed name through AssertSafe — verified via grep of all AssertSafe call sites and all *MigrationCatalog constants — so this is a tightening, not a breaking change for downstream consumers using the standard configuration shape. TDD: flipped the existing `_underscore_leading` test case from the "safe inputs" Theory to the "unsafe inputs" Theory. RED before regex tightening (AssertSafe accepted `_underscore_leading`, no exception thrown), GREEN after. All 11 AssertSafe tests and 65 BoxProvisioning core tests pass on net9.0 and net10.0; 6 SQLite unsafe-name rejection tests pass on net9.0 (no regression in per-backend chokepoints). Updated the Identifiers <remarks> xmldoc and the exception-message regex hint so contributors and operators see the tightened rule. Review comment: #4039 (comment) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/Paramore.Brighter.BoxProvisioning/Identifiers.cs b/src/Paramore.Brighter.BoxProvisioning/Identifiers.cs
@@ -33,17 +33,19 @@ namespace Paramore.Brighter.BoxProvisioning;
 /// allowed set is an injection vector for any host that builds the table name from external input.
 /// </summary>
 /// <remarks>
-/// The allowed regex <c>^[A-Za-z_][A-Za-z0-9_]*$</c> matches the bare-identifier rules common to
+/// The allowed regex <c>^[A-Za-z][A-Za-z0-9_]*$</c> matches the bare-identifier rules common to
 /// every supported backend (MSSQL, PostgreSQL, MySQL, SQLite, Spanner) and is a strict subset of
 /// what each backend permits inside quoted/backticked identifiers. The over-restriction is
-/// deliberate: the helper rejects unusual but legal identifiers (e.g. names containing spaces or
-/// non-ASCII characters that would otherwise need quoting) before they reach a code path where a
-/// future contributor might forget to escape them.
+/// deliberate: the helper rejects unusual but legal identifiers (e.g. names containing spaces,
+/// non-ASCII characters, or a leading underscore — Spanner rejects <c>_</c>-prefixed names as
+/// reserved while every other backend accepts them, so the regex picks the strictest backend's
+/// rule to keep portable configuration safe) before they reach a code path where a future
+/// contributor might forget to escape them.
 /// </remarks>
 public static class Identifiers
 {
     private static readonly Regex s_safeIdentifier = new(
-        "^[A-Za-z_][A-Za-z0-9_]*$",
+        "^[A-Za-z][A-Za-z0-9_]*$",
         RegexOptions.Compiled | RegexOptions.CultureInvariant);
 
     /// <summary>
@@ -53,7 +55,8 @@ public static class Identifiers
     /// <param name="parameterName">The name of the caller's parameter — included in the exception
     /// message so contributors can see which call-site rejected the value.</param>
     /// <exception cref="ConfigurationException">Thrown when <paramref name="identifier"/> is null,
-    /// empty, or contains characters outside <c>[A-Za-z0-9_]</c> or starts with a digit.</exception>
+    /// empty, or contains characters outside <c>[A-Za-z0-9_]</c>, starts with a digit, or starts
+    /// with an underscore.</exception>
     public static void AssertSafe(string identifier, string parameterName)
     {
         // Split missing-configuration (null) from malformed-identifier so operators see the real
@@ -69,6 +72,6 @@ public static void AssertSafe(string identifier, string parameterName)
 
         throw new ConfigurationException(
             $"Unsafe SQL identifier supplied for '{parameterName}': '{identifier}'. " +
-            $"Identifiers must match the regex ^[A-Za-z_][A-Za-z0-9_]*$.");
+            $"Identifiers must match the regex ^[A-Za-z][A-Za-z0-9_]*$.");
     }
 }
diff --git a/tests/Paramore.Brighter.BoxProvisioning.Tests/When_assert_safe_identifier_is_called_with_known_unsafe_inputs_it_should_throw.cs b/tests/Paramore.Brighter.BoxProvisioning.Tests/When_assert_safe_identifier_is_called_with_known_unsafe_inputs_it_should_throw.cs
@@ -42,11 +42,12 @@ namespace Paramore.Brighter.BoxProvisioning.Tests;
 public class AssertSafeIdentifierTests
 {
     [Theory]
-    [InlineData("O'Brien")]      // single quote — breaks information_schema probe at MySqlOutboxMigrationCatalog.cs:165
-    [InlineData("Outbox; DROP")] // semicolon — statement terminator
-    [InlineData("my-outbox")]    // hyphen — invalid in bare identifiers
-    [InlineData("1Outbox")]      // leading digit — invalid as bare identifier across all backends
-    [InlineData("")]             // empty
+    [InlineData("O'Brien")]              // single quote — breaks information_schema probe at MySqlOutboxMigrationCatalog.cs:165
+    [InlineData("Outbox; DROP")]         // semicolon — statement terminator
+    [InlineData("my-outbox")]            // hyphen — invalid in bare identifiers
+    [InlineData("1Outbox")]              // leading digit — invalid as bare identifier across all backends
+    [InlineData("")]                     // empty
+    [InlineData("_underscore_leading")]  // leading underscore — Spanner rejects `_`-prefixed identifiers as reserved (PR #4039 review item E4)
     public void When_assert_safe_identifier_is_called_with_known_unsafe_inputs_it_should_throw(string unsafeIdentifier)
     {
         //Arrange
@@ -65,7 +66,6 @@ public void When_assert_safe_identifier_is_called_with_known_unsafe_inputs_it_sh
     [Theory]
     [InlineData("Outbox")]
     [InlineData("my_outbox_v2")]
-    [InlineData("_underscore_leading")]
     [InlineData("Outbox123")]
     public void When_assert_safe_identifier_is_called_with_safe_inputs_it_should_not_throw(string safeIdentifier)
     {
