From 6b873a918c5c79e11d881f50b60195d5a014b456 Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Sat, 30 May 2026 10:02:32 -0700
Subject: [PATCH 1/2] Continue enhancing SQL protections
---
 modules/ETLtest/module.properties | 8 ++--
 .../resources/ETLs/SProcSpecialCharacters.xml | 13 +++++
 .../postgresql/etltest-26.000-26.001.sql | 43 +++++++++++++++++
 .../sqlserver/etltest-26.000-26.001.sql | 47 +++++++++++++++++++
 .../resources/schemas/etl test!schema.xml | 6 +++
 5 files changed, 113 insertions(+), 4 deletions(-)
 create mode 100644 modules/ETLtest/resources/ETLs/SProcSpecialCharacters.xml
 create mode 100644 modules/ETLtest/resources/schemas/dbscripts/postgresql/etltest-26.000-26.001.sql
 create mode 100644 modules/ETLtest/resources/schemas/dbscripts/sqlserver/etltest-26.000-26.001.sql
 create mode 100644 modules/ETLtest/resources/schemas/etl test!schema.xml
diff --git a/modules/ETLtest/module.properties b/modules/ETLtest/module.properties
index a9cc147c99..8323310475 100644
--- a/modules/ETLtest/module.properties
+++ b/modules/ETLtest/module.properties
@@ -1,4 +1,4 @@
-Name: ETLtest
-SchemaVersion: 26.000
-SupportedDatabases: mssql, pgsql
-ManageVersion: true
+Name= ETLtest
+SchemaVersion= 26.001
+SupportedDatabases= mssql, pgsql
+ManageVersion= true
diff --git a/modules/ETLtest/resources/ETLs/SProcSpecialCharacters.xml b/modules/ETLtest/resources/ETLs/SProcSpecialCharacters.xml
new file mode 100644
index 0000000000..01f5411775
--- /dev/null
+++ b/modules/ETLtest/resources/ETLs/SProcSpecialCharacters.xml
@@ -0,0 +1,13 @@
+ + +
+ Stored Proc Special Characters
+ Run a stored procedure whose schema and procedure names contain special characters (spaces, '!', and an embedded double-quote) to verify identifier quoting/escaping.
+ + + + + + + + +
diff --git a/modules/ETLtest/resources/schemas/dbscripts/postgresql/etltest-26.000-26.001.sql b/modules/ETLtest/resources/schemas/dbscripts/postgresql/etltest-26.000-26.001.sql
new file mode 100644
index 0000000000..69297d9abb
--- /dev/null
+++ b/modules/ETLtest/resources/schemas/dbscripts/postgresql/etltest-26.000-26.001.sql
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2026 LabKey Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+-- Create a schema and stored procedure whose names contain special characters (spaces, '!', and an embedded
+-- double-quote in the procedure name). These exercise the identifier quoting/escaping that SqlDialect applies
+-- when building the CALL statement for the DataIntegration StoredProcedureStep. The schema is registered with
+-- the module via the matching "etl test!schema.xml" metadata file; it is created here because the module dbscript
+-- filename convention only permits word-character schema names.
+
+CREATE SCHEMA "etl test!schema";
+
+CREATE FUNCTION "etl test!schema"."etl""test proc!"
+ (IN transformrunid integer
+ , INOUT rowsinserted integer DEFAULT 0
+ , INOUT rowsdeleted integer DEFAULT 0
+ , INOUT rowsmodified integer DEFAULT 0
+ , INOUT returnmsg character varying DEFAULT 'default message'::character varying
+ , OUT return_status integer)
+ RETURNS record AS
+$BODY$
+BEGIN
+ rowsInserted := 1;
+ rowsDeleted := 0;
+ rowsModified := 0;
+ returnMsg := 'Special characters proc ran';
+ return_status := 0;
+ RETURN;
+END;
+$BODY$
+LANGUAGE plpgsql;
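Review bot: The `CREATE FUNCTION "etl test!schema"."etl""test proc!"` name proves that SqlDialect doubles an embedded `"`, but nothing in this hunk covers the characters that would turn a quoting mistake in the generated CALL into statement injection rather than a syntax error — `'`, `;`, a `--` comment lead-in, or a trailing backslash — and a quoted identifier containing them is legal in PostgreSQL. A second function in the same schema with the same body and a name along the lines of `"etl';drop--proc"` would let the test assert that those are inert inside the quoted identifier. The ETL definition that invokes this function is not readable here; if SqlDialect doubles embedded quotes as the header comment says, that definition should carry the raw name `etl"test proc!` (the quote XML-escaped as `&quot;`) rather than the SQL-doubled form, which is worth stating in the script header: `-- The ETL xml references the raw name etl"test proc!; SqlDialect adds the outer quotes and doubles the embedded one.`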
diff --git a/modules/ETLtest/resources/schemas/dbscripts/sqlserver/etltest-26.000-26.001.sql b/modules/ETLtest/resources/schemas/dbscripts/sqlserver/etltest-26.000-26.001.sql
new file mode 100644
index 0000000000..b59a44fa51
--- /dev/null
+++ b/modules/ETLtest/resources/schemas/dbscripts/sqlserver/etltest-26.000-26.001.sql
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2026 LabKey Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+-- Create a schema and stored procedure whose names contain special characters (spaces, exclamation point, and an
+-- embedded double-quote in the procedure name). These exercise the identifier quoting/escaping that SqlDialect
+-- applies when building the CALL statement for the DataIntegration StoredProcedureStep. The schema is registered
+-- with the module via the matching schema metadata file; it is created here because the module dbscript filename
+-- convention only permits word-character schema names.
+
+-- Use double-quote delimited identifiers (with the interior quote doubled as "") rather than [bracket] identifiers.
+-- LabKey's SqlScanner, which splits scripts into statements, does not understand bracket quoting and would misread a
+-- double-quote inside [ ... ] as the start of a string literal; it does correctly handle a doubled "" as an escaped
+-- quote inside a "-delimited identifier. QUOTED_IDENTIFIER must be ON for "..." to be treated as an identifier.
+SET QUOTED_IDENTIFIER ON;
+GO
+
+CREATE SCHEMA "etl test!schema";
+GO
+
+CREATE PROCEDURE "etl test!schema"."etl""test proc!"
+ @transformRunId int,
+ @rowsInserted int = 0 OUTPUT,
+ @rowsDeleted int = 0 OUTPUT,
+ @rowsModified int = 0 OUTPUT,
+ @returnMsg varchar(100) = 'default message' OUTPUT
+AS
+BEGIN
+ SET @rowsInserted = 1
+ SET @rowsDeleted = 0
+ SET @rowsModified = 0
+ SET @returnMsg = 'Special characters proc ran'
+ RETURN 0
+END
+GO
diff --git a/modules/ETLtest/resources/schemas/etl test!schema.xml b/modules/ETLtest/resources/schemas/etl test!schema.xml
new file mode 100644
index 0000000000..f915ee68c6
--- /dev/null
+++ b/modules/ETLtest/resources/schemas/etl test!schema.xml
@@ -0,0 +1,6 @@
+ + + +
From 4f7b06a58f2ff0c3e8802c5a31c2b4150e55e99c Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Sat, 30 May 2026 10:51:05 -0700
Subject: [PATCH 2/2] Formatting
---
 modules/ETLtest/module.properties | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/ETLtest/module.properties b/modules/ETLtest/module.properties
index 8323310475..5377f7ecc1 100644
--- a/modules/ETLtest/module.properties
+++ b/modules/ETLtest/module.properties
@@ -1,4 +1,4 @@
-Name= ETLtest
-SchemaVersion= 26.001
-SupportedDatabases= mssql, pgsql
-ManageVersion= true
+Name: ETLtest
+SchemaVersion: 26.001
+SupportedDatabases: mssql, pgsql
+ManageVersion: true
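Review bot: The comment above `SET QUOTED_IDENTIFIER ON` explains why this script avoids `[bracket]` identifiers, but that is a constraint on SqlScanner, not on how SqlDialect quotes the name in the CALL it generates; if the SQL Server dialect brackets identifiers on that path (the usual choice, not visible in this hunk), the embedded `"` in `"etl""test proc!"` is inert there and the one character that must be escaped under bracket quoting, `]`, is never exercised. A second procedure named `"etl]test proc!"` is legal in this script (SqlScanner only has to cope with `"`) and an unescaped `]` in a bracket-built CALL would close the identifier early, so that is the case worth adding for mssql. The interplay of `GO` and the SET option is also worth one line for the next reader, since `CREATE SCHEMA` runs in a later batch than the SET: `-- SET QUOTED_IDENTIFIER persists across GO for the connection; SQL Server also stores it with the procedure at CREATE time.`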