feat/CUS-9617-Added class to create a procedure and call in postgresql

[akhil-testsigma]

Publish this addon as public

Addon Name: PostgreSQL_Queries
Jarvis Link: https://jarvis.testsigma.com/ui/tenants/2817/addons
Jira : https://testsigma.atlassian.net/browse/CUS-9617
Added class to create a procedure and call in postgresql

Summary by CodeRabbit

• New Features

  • Added PostgreSQL Create Procedure action for Android, iOS, Web, and Mobile Web.
  • Added PostgreSQL Call Procedure action for Android, iOS, Web, and Mobile Web.
  • Enhanced PostgreSQL Select validation to accept JSON file paths or inline JSON and perform subset validation (verify expected rows are present).

• New Utilities

  • Added file-path detection, JSON-from-file-or-text reading, JSON parsing and row-containment comparison utilities.

• Chores

  • Project version bumped from 1.0.4 to 1.0.6.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Version bumped to 1.0.6. Reworked PostgreSQL validation actions across platforms to accept file-or-text Expected_JSON and perform subset row validation. Added new PostgresCreateProcedure/PostgresCallProcedure actions for Web, Mobile Web, Android, iOS, and WindowsAdvanced. Extended DatabaseUtil with file detection, JSON parsing, and row-containment utilities.

Changes

Cohort / File(s)	Change Summary
Version Update postgres_286065315855831808517137372953049876371/pom.xml	Maven project version bumped from 1.0.4 to 1.0.6 (formatting tweaks only otherwise).
Database Utilities postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java	Added isFilePath, readJsonFromFileOrText, parseJsonToList, containsAllRows and supporting parsing/value-matching helpers to read JSON from file/text and compare expected vs actual result rows.
Validation: PostgreSQLselectvalidateFull (all platforms) .../src/main/java/com/testsigma/addons/*/PostgreSQLselectvalidateFull.java (android/, ios/, mobileweb/, web/, windowsAdvanced/)	Replaced exact JSON equality with subset validation: detect file vs inline Expected_JSON, read/parse expected rows, compute actualRows, verify all expected rows exist in actual results; updated action annotations (actionText, description, applicationType) and success/failure messaging.
Procedure Call Actions (new) .../src/main/java/com/testsigma/addons/*/PostgresCallProcedure.java (android/, ios/, mobileweb/, web/)	Added new actions to execute PostgreSQL CALL/CallableStatement across platforms; expose TestData Query and PG_DB_Connection_URL, obtain JDBC Connection via DatabaseUtil, execute callable, handle exceptions, log and set result messages.
Procedure Create Actions (new) .../src/main/java/com/testsigma/addons/*/PostgresCreateProcedure.java (android/, ios/, mobileweb/, web/)	Added new actions to execute provided CREATE/DDL queries to create procedures; expose TestData Query and PG_DB_Connection_URL, run Statement via JDBC with try-with-resources, handle exceptions and set messages.
Minor Formatting postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgreSQLqueries.java postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgreSQLqueries.java	Small whitespace/blank-line adjustments; no behavioral changes.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Runner as Test Runner
    participant Action as PostgresCallProcedure / PostgresCreateProcedure
    participant Util as DatabaseUtil
    participant DB as PostgreSQL DB

    Runner->>Action: invoke.execute() with TestData(Query, PG_DB_Connection_URL)
    Note over Action: trim inputs, log values
    Action->>Util: Util.getConnection(dbUrl) / Util.open via JDBC
    Util->>DB: open TCP connection (JDBC)
    Action->>DB: prepare CallableStatement / Statement (query)
    Action->>DB: execute query / call procedure
    DB-->>Action: execution result / success
    Action->>Action: set success message, log
    Action-->>Runner: return Result.SUCCESS

    alt Exception
        DB--x Action: throws SQLException / error
        Action->>Action: capture ExceptionUtils.getMessage, log stacktrace
        Action-->>Runner: return Result.FAILED (error message)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

• Focus review on DatabaseUtil parsing and matching logic (edge cases, escaping, numeric vs string comparisons).
• Validate that subset comparison semantics are consistent across all PostgreSQLselectvalidateFull platform variants.
• Confirm JDBC resource handling, exception messages, and consistent logging across newly added Create/Call action classes.

Possibly related PRs

• [CUS-8665] Added postgres Nlp to fetch validate the entire query output #266 — Overlapping changes to PostgreSQL action classes and DatabaseUtil helpers; likely the same feature area and shared utilities.
• [cus-9388] added support to execute procedures. #272 — Adds stored-procedure CallableStatement handling for another DB (Oracle); related to the new procedure call action pattern here.

Suggested reviewers

• Ganesh-Testsigma
• vigneshtestsigma

Poem

🐰 I hopped through code, SQL in paw,

Expected JSON now read from file or raw,
Procedures created, calls leap true,
Rows that matter found in the view,
Version 1.0.6 — a joyful chew.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 43.48% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title references the main feature (create and call procedures in PostgreSQL) but is incomplete. It captures only one of two major aspects of the changeset—procedure creation/calling—while overlooking the equally significant subset validation logic changes across multiple files.	Consider updating the title to reflect both the procedure operations and the validation logic enhancements (e.g., 'feat/CUS-9617-Add PostgreSQL procedure operations and subset validation'), or clarify in the description which aspect is primary.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/CUS-9617-Added-class-to-create-a-procedure-and-call-in-postgresql

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 15

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

🟡 Minor comments (10)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java-42-42 (1)

42-42: Remove unused variable.

The hasResultSet variable is assigned but never used.

-            boolean hasResultSet = stmt.execute();
+            stmt.execute();

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCallProcedure.java-43-43 (1)

43-43: Remove unused variable.

The hasResultSet variable is assigned but never used.

-            boolean hasResultSet = stmt.execute();
+            stmt.execute();

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCreateProcedure.java-7-7 (1)

7-7: Remove unused import.

The WebAction import is not used in this iOS action class.

-import com.testsigma.sdk.WebAction;

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCallProcedure.java-43-43 (1)

43-43: Remove unused variable.

The hasResultSet variable is assigned but never used.

-            boolean hasResultSet = stmt.execute();
+            stmt.execute();

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCallProcedure.java-6-6 (1)

6-6: Remove unused import.

The IOSAction import is not used in this Android action class.

-import com.testsigma.sdk.IOSAction;

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCallProcedure.java-7-7 (1)

7-7: Remove unused import.

The WebAction import is not used in this iOS action class.

-import com.testsigma.sdk.WebAction;

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java-6-6 (1)

6-6: Remove unused import.

The IOSAction import is not used in this Android action class.

-import com.testsigma.sdk.IOSAction;

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java-44-44 (1)

44-44: Remove unused variable.

The hasResultSet variable is assigned but never used.

If you need to handle result sets differently, add logic to check this value. Otherwise, simply call stmt.execute() without capturing the return value.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgreSQLselectvalidateFull.java-22-22 (1)

22-22: Fix typo in action text.

The action text contains "PostgresSQL" instead of "PostgreSQL".

Apply this diff:

-@Action(actionText = "Execute PostgresSQL Select_Query on the connection DB_Connection_URL and verify full output" +
+@Action(actionText = "Execute PostgreSQL Select_Query on the connection DB_Connection_URL and verify full output" +

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java-26-26 (1)

26-26: Remove unused StringBuffer.

The StringBuffer sb is initialized but never populated or used meaningfully.

Apply this diff:

-    StringBuffer sb = new StringBuffer();
-

And update line 47:

-            logger.info(sb.toString());

Committable suggestion skipped: line range outside the PR's diff.

🧹 Nitpick comments (3)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java (2)

192-192: Use StandardCharsets.UTF_8 instead of string literal.

Hard-coded charset strings can cause issues and StandardCharsets provides a type-safe constant.

-                return new String(bytes, "UTF-8");
+                return new String(bytes, java.nio.charset.StandardCharsets.UTF_8);

---

208-414: Use Jackson's ObjectMapper for robust JSON parsing instead of manual implementation.

The project already includes Jackson (jackson-annotations 2.13.0), making it straightforward to add jackson-databind and replace the manual parsing methods (parseJsonToList, parseJsonObject, parseJsonValue, unescapeJson) with Jackson's ObjectMapper. This will handle edge cases and special characters more reliably than custom parsing logic.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgreSQLselectvalidateFull.java (1)

86-88: Consider making the JSON display limit configurable.

The 500-character limit for displaying actual JSON might be insufficient for debugging complex queries. Consider making this configurable or increasing the limit.

Example:

+            final int JSON_DISPLAY_LIMIT = 1000;
             message.append("<br>Actual JSON (first 500 chars):<br><pre>")
-                   .append(actualJson.length() > 500 ? 
-                   	databaseUtil.maskSensitiveJson(actualJson.substring(0, 500)) + "..." : 
+                   .append(actualJson.length() > JSON_DISPLAY_LIMIT ? 
+                   	databaseUtil.maskSensitiveJson(actualJson.substring(0, JSON_DISPLAY_LIMIT)) + "..." : 
                    	databaseUtil.maskSensitiveJson(actualJson)).append("</pre>");

Also applies to: 101-103

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 21d5d2b and 6588158.

📒 Files selected for processing (16)

• postgres_286065315855831808517137372953049876371/pom.xml (2 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgreSQLselectvalidateFull.java (2 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgreSQLselectvalidateFull.java (2 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgreSQLselectvalidateFull.java (2 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java (2 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgreSQLqueries.java (0 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgreSQLselectvalidateFull.java (2 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/windowsAdvanced/PostgreSQLselectvalidateFull.java (2 hunks)

💤 Files with no reviewable changes (1)

• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgreSQLqueries.java

🧰 Additional context used

🧬 Code graph analysis (2)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCreateProcedure.java (4)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java (1)

• DatabaseUtil (17-506)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java (1)

• Data (17-61)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCreateProcedure.java (1)

• Data (16-60)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCreateProcedure.java (1)

• Data (17-61)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java (2)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java (1)

• DatabaseUtil (17-506)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java (1)

• Data (16-59)

🔇 Additional comments (9)

postgres_286065315855831808517137372953049876371/pom.xml (2)

71-76: Commons Lang3 dependency addition looks good.

The addition of Apache Commons Lang3 (3.14.0) is appropriate and aligns with the new utility enhancements mentioned in the PR summary (DatabaseUtil JSON parsing, etc.). The version is recent and well-maintained.

---

9-9: Version bump correctly reflects feature additions.

Bumping from 1.0.4 to 1.0.6 appropriately reflects the new functionality for PostgreSQL procedure creation and invocation.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java (1)

423-505: LGTM! Row comparison logic is well-structured.

The containsAllRows, rowContains, and valuesMatch methods provide flexible subset matching with proper null handling and type coercion.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgreSQLselectvalidateFull.java (2)

22-28: LGTM! Clear documentation of new subset validation behavior.

The updated action text and description clearly communicate that:

• Expected_JSON can be a file path or JSON string
• The validation now uses subset matching (actual can contain additional data)

This is a good improvement over strict equality checking.

---

50-77: DatabaseUtil enhancements are properly implemented.

All four required methods exist in the PostgreSQL DatabaseUtil class with appropriate error handling:

• isFilePath() (line 162): Validates file paths with null checks and file existence verification
• readJsonFromFileOrText() (line 182): Throws IOException with descriptive messages and chained exception cause on file read failures
• parseJsonToList() (line 208): Throws Exception and validates JSON array format with IllegalArgumentException
• containsAllRows() (line 423): Implements subset validation with null safety checks

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgreSQLselectvalidateFull.java (1)

1-115: LGTM! Consistent cross-platform implementation.

The iOS variant correctly implements the same subset validation logic as the web version. The changes are appropriate for the iOS ApplicationType.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgreSQLselectvalidateFull.java (1)

1-115: LGTM! Consistent implementation for mobile web.

The mobile web variant correctly mirrors the validation logic from other platforms.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/windowsAdvanced/PostgreSQLselectvalidateFull.java (1)

1-119: LGTM! Windows-specific features properly configured.

The Windows Advanced variant appropriately includes useCustomScreenshot = true and TestStepResult injection while maintaining consistent validation logic.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgreSQLselectvalidateFull.java (1)

23-115: LGTM! Consistent Android implementation.

Apart from the typo above, the Android variant correctly implements the subset validation logic consistent with other platforms.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

PostgreSQL JDBC driver 42.3.3 security vulnerabilities CVE

💡 Result:

Short answer: PostgreSQL JDBC 42.3.3 is vulnerable to CVE-2022-41946 and CVE-2024-1597.

Details and sources:

• CVE-2022-41946 (temporary-file information disclosure) — affects pgjdbc >42.3.0 and <42.3.8 (so 42.3.3 is affected). [1][2]
• CVE-2024-1597 (SQL injection when preferQueryMode=simple) — fixed in later 42.3.x releases (fix appears in 42.3.9), so 42.3.3 is affected. [3]

Notes:

• 42.3.3 release notes mention removal/neutralization of loggerFile/loggerLevel properties (not tracked as a CVE). [4]

Sources:
[1] PostgreSQL JDBC security update for CVE-2022-41946 (official advisory).
[2] ResolvedSecurity / vulnerability summary for CVE-2022-41946.
[3] PostgreSQL JDBC security update for CVE-2024-1597 (official advisory).
[4] PostgreSQL JDBC 42.3.3 release notes (loggerFile/loggerLevel discussion).

---

🌐 Web query:

PostgreSQL JDBC driver latest version 2025 stable release

💡 Result:

Latest stable pgJDBC (PostgreSQL JDBC) release: 42.7.7 — released June 13, 2025. [1][2]

Sources:
[1] pgJDBC download page (jdbc.postgresql.org).
[2] PostgreSQL JDBC 42.7.7 security update (CVE-2025-49146) announcement.

---

Upgrade PostgreSQL JDBC driver to address known security vulnerabilities.

Version 42.3.3 contains two known CVEs:

• CVE-2022-41946 (temporary-file information disclosure) — affects versions 42.3.0 through <42.3.8
• CVE-2024-1597 (SQL injection in simple query mode) — fixed in 42.3.9

Upgrade to at least version 42.3.9 to patch both vulnerabilities, or preferably to the latest stable release 42.7.7 (June 2025) if compatibility with your PostgreSQL versions permits.

🤖 Prompt for AI Agents

In postgres_286065315855831808517137372953049876371/pom.xml around lines 65 to
69, the declared PostgreSQL JDBC driver version (42.3.3) has known security
vulnerabilities; update the <version> element to at least 42.3.9 (or preferably
to the latest stable release such as 42.7.7) to patch CVE-2022-41946 and
CVE-2024-1597, then run mvn -U clean verify to ensure dependency resolution and
test compatibility with your database; if any incompatibilities arise, choose
the highest compatible 42.3.x patch (>=42.3.9) and document the change in the
PR.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid logging full query - may expose sensitive data.

Logging the complete query may expose sensitive information like passwords, tokens, or PII embedded in procedure definitions.

Consider logging only a confirmation message without the query content, as shown in the diff above.

🤖 Prompt for AI Agents

In
postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java
around line 48, the code logs the full SQL procedure text which may contain
sensitive data; remove the query content from logs and replace with a generic
confirmation message (e.g., "PostgreSQL procedure created successfully") or, if
needed for debugging, log a safe truncated/hashed identifier only, ensuring no
sensitive parts of the query are included in the success message.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

File path detection may have false positives.

The isFilePath() method uses heuristics that could incorrectly identify JSON strings containing file separators as file paths. For instance, a JSON value like "/api/endpoint" might be mistaken for a file path.

Consider requiring an explicit indicator (e.g., file: prefix) or checking file existence first:

 public boolean isFilePath(String input) {
     if (input == null || input.trim().isEmpty()) {
         return false;
     }
     String trimmed = input.trim();
-    // Check for common file path patterns
-    return trimmed.startsWith("/") || 
-           trimmed.startsWith("./") || 
-           trimmed.startsWith("../") ||
-           (trimmed.length() > 2 && trimmed.contains(File.separator)) ||
-           (trimmed.length() > 3 && trimmed.matches("^[A-Za-z]:[/\\\\].*")) ||
-           new File(trimmed).exists();
+    // Check if file exists first to reduce false positives
+    File file = new File(trimmed);
+    if (file.exists() && file.isFile()) {
+        return true;
+    }
+    // Only treat as path if it has clear path indicators AND file exists
+    return (trimmed.startsWith("./") || trimmed.startsWith("../") || 
+            trimmed.matches("^[A-Za-z]:[/\\\\].*")) && file.exists();
 }

🤖 Prompt for AI Agents

In
postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java
around lines 162-174, the current heuristic (checking separators and drive
letters) causes false positives for strings like "/api/endpoint"; change the
detection to require an explicit indicator or existence check: trim input,
return false for null/empty, then if new File(trimmed).exists() return true;
else if trimmed.startsWith("file:") strip the "file:" prefix and return true
only if that File exists; otherwise return false (remove or disable the
separator/drive-letter regex heuristics).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Validate file paths to prevent path traversal attacks.

The method reads files without validating the path, potentially allowing access to sensitive files outside the intended directory.

Consider adding path validation:

public String readJsonFromFileOrText(String input) throws IOException {
    if (input == null || input.trim().isEmpty()) {
        return input;
    }
    String trimmed = input.trim();
    
    if (isFilePath(trimmed)) {
        File file = new File(trimmed);
        // Validate file is within allowed directory
        String canonicalPath = file.getCanonicalPath();
        // Add your security checks here, e.g.:
        // if (!canonicalPath.startsWith(ALLOWED_BASE_PATH)) {
        //     throw new SecurityException("Access denied");
        // }
        
        try {
            byte[] bytes = Files.readAllBytes(Paths.get(trimmed));
            return new String(bytes, java.nio.charset.StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new IOException("Failed to read JSON from file: " + trimmed + " - " + e.getMessage(), e);
        }
    }
    return trimmed;
}

🤖 Prompt for AI Agents

In
postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/postgresql/util/DatabaseUtil.java
around lines 182-199, the method reads files directly from a provided path which
can lead to path traversal; change the file handling to validate the target
file: create a File (or Path) from the trimmed input, resolve its canonical
path, verify the file exists, is a regular readable file, and that its canonical
path is within an allowed base directory (or otherwise matches an explicit
whitelist) before reading; use StandardCharsets.UTF_8 when converting bytes to
String and throw a SecurityException or IOException if validation fails; keep
the existing try/catch around Files.readAllBytes but perform these security
checks first to prevent unauthorized file access.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid logging full query - may expose sensitive data.

Logging the complete query may expose passwords, tokens, or other sensitive information.

Remove the query from the log message as shown in the diff above.

🤖 Prompt for AI Agents

In
postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCreateProcedure.java
around line 48, remove the full SQL query from the success log to avoid exposing
sensitive data; change the setSuccessMessage call to a generic message like
"PostgreSQL procedure created successfully." and scan nearby logging statements
in the method to ensure no other logs print the full query or sensitive
parameters.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (6)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCallProcedure.java (1)

34-39: Avoid logging full DB URL and full procedure SQL text

logger.info("Database URL: " + dbURL); and logger.info("Call Query: " + callQuery); (Line 37–38) may leak sensitive details (host, DB name, credentials in URL, and full procedure definition) into logs. Suggest either removing these logs or redacting/shortening them (e.g., log only a connection name/alias and perhaps the procedure name, not the full URL or statement text).

-            String dbURL = dbUrlData.getValue().toString().trim();
-            logger.info("Database URL: " + dbURL);
-            logger.info("Call Query: " + callQuery);
+            String dbURL = dbUrlData.getValue().toString().trim();
+            // Consider logging at most a safe identifier (e.g., profile/alias), not the raw URL/query
+            logger.info("Executing PostgreSQL procedure on configured connection");

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCreateProcedure.java (1)

34-39: Do not log full SQL or raw DB URL in INFO logs

logger.info("query: " + query); and logger.info("dbURL: " + dbURL); (Line 37–38) can expose sensitive SQL and connection details (including potential credentials in the URL) to anyone with log access. Earlier feedback already called out avoiding exposing the query in user-facing messages; the same concern applies to logs.

Prefer logging a generic message or a safe identifier (e.g., “using configured PG connection”) rather than the raw URL and full SQL text.

-            String query = queryData.getValue().toString().trim();
-            String dbURL = dbUrlData.getValue().toString().trim();
-            logger.info("query: " + query);
-            logger.info("dbURL: " + dbURL);
+            String query = queryData.getValue().toString().trim();
+            String dbURL = dbUrlData.getValue().toString().trim();
+            logger.info("Executing PostgreSQL procedure creation on configured connection");

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java (1)

35-38: Avoid logging raw DB URL and procedure query (sensitive information)

Logging dbURL and the full callQuery at INFO can leak credentials (often embedded in JDBC URLs) and potentially sensitive SQL/business logic into logs. Prefer generic messages that don’t include these values.

Consider tightening the logs like this:

-            String callQuery = procedureQueryData.getValue().toString().trim();
-            String dbURL = dbUrlData.getValue().toString().trim();
-            logger.info("Database URL: " + dbURL);
-            logger.info("Call Query: " + callQuery);
+            String callQuery = procedureQueryData.getValue().toString().trim();
+            String dbURL = dbUrlData.getValue().toString().trim();
+            logger.info("Executing PostgreSQL procedure using provided connection URL and query.");

If you need deeper troubleshooting, prefer redacting or masking sensitive parts rather than logging the raw values.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCreateProcedure.java (1)

35-38: Stop logging full query and DB URL to avoid leaking sensitive data

logger.info("query: " + query); and logger.info("dbURL: " + dbURL); can expose SQL (including literals) and credentials embedded in the JDBC URL. This is the same concern raised in the earlier review.

A safer pattern is to log only generic context without actual values:

-            String query = queryData.getValue().toString().trim();
-            String dbURL = dbUrlData.getValue().toString().trim();
-            logger.info("query: " + query);
-            logger.info("dbURL: " + dbURL);
+            String query = queryData.getValue().toString().trim();
+            String dbURL = dbUrlData.getValue().toString().trim();
+            logger.info("Preparing to execute PostgreSQL procedure creation query on configured connection URL.");

If you later add more diagnostics, keep raw SQL and credentials out of INFO/WARN/ERROR logs, or mask/redact them before logging.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCreateProcedure.java (1)

35-38: Stop logging DB URL and full SQL at INFO – sensitive data risk

You’re logging the full query and dbURL at INFO. The URL can embed credentials, and the procedure body may contain sensitive schema or data. This is the same concern raised in the earlier review about logging the SQL.

-            String query = queryData.getValue().toString().trim();
-            String dbURL = dbUrlData.getValue().toString().trim();
-            logger.info("query: " + query);
-            logger.info("dbURL: " + dbURL);
+            String query = queryData.getValue().toString().trim();
+            String dbURL = dbUrlData.getValue().toString().trim();
+            logger.info("Preparing to create PostgreSQL procedure on configured connection URL");
+            // Optionally, at DEBUG only and with redaction/truncation:
+            // logger.debug("Executing PostgreSQL procedure creation statement");

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java (1)

37-38: Logging exposes sensitive credentials and query content.

Lines 37-38 log the full query and database URL, which may contain:

• Database credentials (username/password in JDBC URL)
• Sensitive data embedded in procedure definitions (passwords, tokens, PII)
• Business logic details

Apply this diff to use masked logging:

-            logger.info("query: " + query);
-            logger.info("dbURL: " + dbURL);
+            logger.info("Creating PostgreSQL procedure...");
+            logger.info("dbURL: " + databaseUtil.maskConnectionUrl(dbURL));

Note: DatabaseUtil.maskConnectionUrl() is already used in similar actions (e.g., PostgreSQLqueries.java line 41) and should be used consistently across all database actions.

🧹 Nitpick comments (2)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java (1)

16-28: Consider avoiding Lombok @Data on types holding secrets

@Data generates toString() including all fields, which can accidentally log the raw query and DB URL if the action instance is logged. Using narrower Lombok annotations avoids this risk.

-@Data
+// Prefer only what you need to avoid exposing sensitive fields via toString()
+//@Data
+@lombok.Getter
+@lombok.Setter
 public class PostgresCallProcedure extends WebAction {

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCreateProcedure.java (1)

16-28: Avoid Lombok @Data to reduce accidental logging of secrets

Same as in PostgresCallProcedure: @Data generates a toString() that includes queryData and dbUrlData. If the action is ever logged, this can leak the SQL and connection string.

-@Data
+//@Data
+@lombok.Getter
+@lombok.Setter
 public class PostgresCreateProcedure extends WebAction {

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6588158 and 475b1e1.

📒 Files selected for processing (9)

• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgreSQLqueries.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCreateProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java (1 hunks)
• postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCreateProcedure.java (1 hunks)

🔇 Additional comments (11)

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCallProcedure.java (1)

40-52: Execution flow and resource management look solid

The use of DatabaseUtil plus try-with-resources for Connection and CallableStatement, and the clear success/failure messaging pattern, all look correct and consistent with the rest of the addon actions.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/ios/PostgresCreateProcedure.java (1)

40-52: Procedure creation implementation is clean and consistent

Using DatabaseUtil plus try-with-resources for Connection and Statement, and centralizing success/failure handling via setSuccessMessage/setErrorMessage, is a good, maintainable pattern and matches the other platform implementations.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCallProcedure.java (1)

42-47: Good use of try‑with‑resources for JDBC resources

Wrapping Connection and CallableStatement in try‑with‑resources cleanly addresses leak risks and keeps execute() concise.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/web/PostgresCreateProcedure.java (1)

42-47: Resource management looks solid with try‑with‑resources

Using try‑with‑resources for Connection and Statement correctly ensures they’re always closed, resolving the earlier leak concern.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java (1)

16-52: Core execution and resource handling look solid

execute() uses DatabaseUtil plus try‑with‑resources for Connection and CallableStatement, and maps exceptions to Result.FAILED with an error message. Flow and cleanup look correct for the intended “fire‑and‑forget” procedure call.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCreateProcedure.java (1)

30-52: Execution flow and JDBC resource management are correct

The procedure‑creation flow (reading test data, getting a connection via DatabaseUtil, executing in a try‑with‑resources block, mapping exceptions to Result.FAILED) looks correct and consistent with the rest of the addon set.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgreSQLqueries.java (1)

43-43: Minor formatting change - no action needed.

The added blank line improves visual separation but has no functional impact.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCreateProcedure.java (2)

42-47: Correct resource management.

The try-with-resources block ensures that both the Connection and Statement are properly closed, even if an exception occurs. This addresses the resource leak issue flagged in previous reviews.

---

53-57: Exception handling is appropriate.

The catch block properly captures exceptions, provides user-friendly error messages, logs detailed stack traces for debugging, and returns the appropriate failure result.

postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/android/PostgresCallProcedure.java (2)

42-47: Correct resource management.

The try-with-resources block ensures that both the Connection and CallableStatement are properly closed, even if an exception occurs. This addresses the resource leak issue flagged in previous reviews.

---

53-57: Exception handling is appropriate.

The catch block properly captures exceptions, provides user-friendly error messages, logs detailed stack traces for debugging, and returns the appropriate failure result.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Logging exposes sensitive credentials and procedure parameters.

Lines 37-38 log the full database URL and call query, which may expose:

• Database credentials (username/password in JDBC URL)
• Sensitive procedure parameters (e.g., passwords, tokens, PII passed to stored procedures)

Apply this diff to use masked logging:

-            logger.info("Database URL: " + dbURL);
-            logger.info("Call Query: " + callQuery);
+            logger.info("Calling PostgreSQL procedure...");
+            logger.info("Database URL: " + databaseUtil.maskConnectionUrl(dbURL));

Note: DatabaseUtil.maskConnectionUrl() is already used in similar actions (e.g., PostgreSQLqueries.java line 41) for consistent credential masking.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	logger.info("Database URL: " + dbURL);
	logger.info("Call Query: " + callQuery);
	logger.info("Calling PostgreSQL procedure...");
	logger.info("Database URL: " + databaseUtil.maskConnectionUrl(dbURL));

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Avoid logging DB URL and full procedure call at INFO – potential secret/PII leak

dbURL and callQuery can contain credentials or sensitive data; logging them at INFO can leak secrets and PII into logs and monitoring systems. Prefer a generic message, or at most a sanitized/truncated representation at DEBUG only.

-            String callQuery = procedureQueryData.getValue().toString().trim();
-            String dbURL = dbUrlData.getValue().toString().trim();
-            logger.info("Database URL: " + dbURL);
-            logger.info("Call Query: " + callQuery);
+            String callQuery = procedureQueryData.getValue().toString().trim();
+            String dbURL = dbUrlData.getValue().toString().trim();
+            logger.info("Preparing to execute PostgreSQL stored procedure on configured connection URL");
+            // If absolutely necessary, log a redacted or truncated query at DEBUG only:
+            // logger.debug("Executing PostgreSQL stored procedure call");

🤖 Prompt for AI Agents

In
postgres_286065315855831808517137372953049876371/src/main/java/com/testsigma/addons/mobileweb/PostgresCallProcedure.java
around lines 35-38, do not log the raw dbURL and callQuery at INFO since they
may contain credentials or PII; replace those info logs with a generic message
like "Connecting to database" / "Executing stored procedure" and move any
detailed output to DEBUG only, ensuring you sanitize or truncate values (strip
user:pass from the URL and remove or mask sensitive query parameters or body)
before logging at DEBUG so no secrets are written to logs.