feat: support DbCommand command-text via constructor string sql query parse (#135)

DeagleGross · web-flow · commit 25203a35aa41 · 2025-02-07T09:43:53.000Z
* support SqlCommand ctors for Sql parsing

* address PR comments

* and prettify

* adjust for VB validation
diff --git a/src/Dapper.AOT.Analyzers/CodeAnalysis/DapperAnalyzer.cs b/src/Dapper.AOT.Analyzers/CodeAnalysis/DapperAnalyzer.cs
@@ -35,8 +35,11 @@ private void OnCompilationStart(CompilationStartAnalysisContext context)
         // per-run state (in particular, so we can have "first time only" diagnostics)
         var state = new AnalyzerState(context);
 
-        // respond to method usages
-        context.RegisterOperationAction(state.OnOperation, OperationKind.Invocation, OperationKind.SimpleAssignment);
+        context.RegisterOperationAction(state.OnOperation, 
+            OperationKind.Invocation, // for Dapper method invocations
+            OperationKind.SimpleAssignment, // for assignments of query
+            OperationKind.ObjectCreation // for instantiating Command objects
+        );
 
         // final actions
         context.RegisterCompilationEndAction(state.OnCompilationEndAction);
@@ -111,8 +114,9 @@ public void OnOperation(OperationAnalysisContext ctx)
             try
             {
                 // we'll look for:
-                // method calls with a parameter called "sql" or marked [Sql]
-                // property assignments to "CommandText"
+                // - method calls with a parameter called "sql" or marked [Sql]
+                // - property assignments to "CommandText"
+                // - allocation of SqlCommand (i.e. `new SqlCommand(queryString, ...)` )
                 switch (ctx.Operation.Kind)
                 {
                     case OperationKind.Invocation when ctx.Operation is IInvocationOperation invoke:
@@ -155,6 +159,21 @@ public void OnOperation(OperationAnalysisContext ctx)
                                 ValidatePropertyUsage(ctx, assignment.Value, false);
                             }
                         }
+                        break;
+                    case OperationKind.ObjectCreation when ctx.Operation is IObjectCreationOperation objectCreationOperation:
+
+                        var ctor = objectCreationOperation.Constructor;
+                        var receiverType = ctor?.ReceiverType;
+
+                        if (ctor is not null && IsSqlClient(receiverType))
+                        {
+                            var sqlParam = ctor.Parameters.FirstOrDefault();
+                            if (sqlParam is not null && sqlParam.Type.SpecialType == SpecialType.System_String && sqlParam.Name == "cmdText")
+                            {
+                                ValidateParameterUsage(ctx, objectCreationOperation.Arguments.First(), sqlUsage: objectCreationOperation);
+                            }
+                        }
+
                         break;
                 }
             }
@@ -327,11 +346,11 @@ private void ValidateSurroundingLinqUsage(in OperationAnalysisContext ctx, Opera
             }
         }
 
-        private void ValidateParameterUsage(in OperationAnalysisContext ctx, IOperation sqlSource)
+        private void ValidateParameterUsage(in OperationAnalysisContext ctx, IOperation sqlSource, IOperation? sqlUsage = null)
         {
             // TODO: check other parameters for special markers like command type?
             var flags = SqlParseInputFlags.None;
-            ValidateSql(ctx, sqlSource, flags, SqlParameters.None);
+            ValidateSql(ctx, sqlSource, flags, SqlParameters.None, sqlUsageOperation: sqlUsage);
         }
 
         private void ValidatePropertyUsage(in OperationAnalysisContext ctx, IOperation sqlSource, bool isCommand)
@@ -372,12 +391,12 @@ public AnalyzerState(CompilationStartAnalysisContext context)
         }
 
         private void ValidateSql(in OperationAnalysisContext ctx, IOperation sqlSource, SqlParseInputFlags flags,
-            ImmutableArray<SqlParameter> parameters, Location? location = null)
+            ImmutableArray<SqlParameter> parameters, Location? location = null, IOperation? sqlUsageOperation = null)
         {
             var parseState = new ParseState(ctx);
 
             // should we consider this as a syntax we can handle?
-            var syntax = IdentifySqlSyntax(parseState, ctx.Operation, out var caseSensitive) ?? DefaultSqlSyntax ?? SqlSyntax.General;
+            var syntax = IdentifySqlSyntax(parseState, sqlUsageOperation ?? ctx.Operation, out var caseSensitive) ?? DefaultSqlSyntax ?? SqlSyntax.General;
             switch (syntax)
             {
                 case SqlSyntax.SqlServer:
diff --git a/src/Dapper.AOT.Analyzers/Internal/Inspection.cs b/src/Dapper.AOT.Analyzers/Internal/Inspection.cs
@@ -146,6 +146,24 @@ public static bool IsEnabled(in ParseState ctx, IOperation op, string attributeN
         return false;
     }
 
+    public static bool IsSqlClient(ITypeSymbol? typeSymbol) => typeSymbol is
+    {
+        Name: "SqlCommand",
+        ContainingNamespace:
+        {
+            Name: "SqlClient",
+            ContainingNamespace:
+            {
+                Name: "Data",
+                ContainingNamespace:
+                {
+                    Name: "Microsoft" or "System", // either Microsoft.Data.SqlClient or System.Data.SqlClient
+                    ContainingNamespace.IsGlobalNamespace: true
+                }
+            }
+        }
+    };
+
     public static bool IsDapperAttribute(AttributeData attrib)
         => attrib.AttributeClass is
         {
@@ -1432,6 +1450,26 @@ internal static bool IsCommand(INamedTypeSymbol type)
                 }
             }
         }
+        else if (op is IObjectCreationOperation objectCreationOp)
+        {
+            var ctorTypeNamespace = objectCreationOp.Type?.ContainingNamespace;
+            var ctorTypeName = objectCreationOp.Type?.Name;
+
+            if (ctorTypeNamespace is not null && ctorTypeName is not null)
+            {
+                foreach (var candidate in KnownConnectionTypes)
+                {
+                    var current = ctorTypeNamespace;
+                    if (ctorTypeName == candidate.Command
+                        && AssertAndAscend(ref current, candidate.Namespace0)
+                        && AssertAndAscend(ref current, candidate.Namespace1)
+                        && AssertAndAscend(ref current, candidate.Namespace2))
+                    {
+                        return candidate.Syntax;
+                    }
+                }
+            }
+        }
 
         return null;
 
diff --git a/src/Dapper.AOT.Analyzers/Internal/Roslyn/LanguageHelper.cs b/src/Dapper.AOT.Analyzers/Internal/Roslyn/LanguageHelper.cs
@@ -110,7 +110,7 @@ internal virtual bool IsGlobalStatement(SyntaxNode syntax, out SyntaxNode? entry
 
     internal virtual StringSyntaxKind? TryDetectOperationStringSyntaxKind(IOperation operation)
     {
-        if (operation is null) return null;
+        if (operation is null || operation is ILiteralOperation) return null;
         if (operation is IBinaryOperation)
         {
             return StringSyntaxKind.ConcatenatedString;
diff --git a/test/Dapper.AOT.Test/Verifiers/SqlDetection.cs b/test/Dapper.AOT.Test/Verifiers/SqlDetection.cs
@@ -184,41 +184,82 @@ static class Program
         {
             static void Main()
             {
-        using var conn = new SqlConnection("my connection string here");
-        string name = "abc";
-        conn.{|#0:Execute|}("""
-            select Id, Name, Age
-            from Users
-            where Id = @id
-            and Name = @name
-            and Age = @age
-            and Something = {|#1:null|}
-            """, new
-        {
-            name,
-            id = 42,
-            age = 24,
-        });
+                using var conn = new SqlConnection("my connection string here");
+                string name = "abc";
+                conn.{|#0:Execute|}("""
+                    select Id, Name, Age
+                    from Users
+                    where Id = @id
+                    and Name = @name
+                    and Age = @age
+                    and Something = {|#1:null|}
+                    """, new
+                {
+                    name,
+                    id = 42,
+                    age = 24,
+                });
 
-        using var cmd = new SqlCommand("should ' verify this too", conn);
-        cmd.CommandText = """
-            select Id, Name, Age
-            from Users
-            where Id = @id
-            and Name = @name
-            and Age = @age
-            and Something = {|#2:null|}
-            """;
-        cmd.ExecuteNonQuery();
+                using var cmd = new SqlCommand("should {|#3:|}' verify this too", conn);
+                cmd.CommandText = """
+                    select Id, Name, Age
+                    from Users
+                    where Id = @id
+                    and Name = @name
+                    and Age = @age
+                    and Something = {|#2:null|}
+                    """;
+                cmd.ExecuteNonQuery();
             }
         }
 """", [], [
         // (not enabled) Diagnostic(DapperAnalyzer.Diagnostics.DapperAotNotEnabled).WithLocation(0).WithArguments(1),
         Diagnostic(DapperAnalyzer.Diagnostics.ExecuteCommandWithQuery).WithLocation(0),
         Diagnostic(DapperAnalyzer.Diagnostics.NullLiteralComparison).WithLocation(1),
         Diagnostic(DapperAnalyzer.Diagnostics.NullLiteralComparison).WithLocation(2),
+        Diagnostic(DapperAnalyzer.Diagnostics.ParseError).WithLocation(3).WithArguments(46030, "Expected but did not find a closing quotation mark after the character string ' verify this too.")
     ], SqlSyntax.General, refDapperAot: false);
 
+    [Theory]
+    [InlineData("Microsoft.Data.SqlClient")]
+    [InlineData("System.Data.SqlClient")]
+    public Task SqlClientCommandReportsParseError(string @namespace) => CSVerifyAsync($$""""
+        using {{@namespace}};
+        using Dapper;
+
+        static class Program
+        {
+            static void Main()
+            {
+                using var conn = new {{@namespace}}.SqlConnection("my connection string here");
+                using var cmd = new {{@namespace}}.SqlCommand("should {|#0:|}' verify this too", conn);
+                cmd.ExecuteNonQuery();
+            }
+        }
+    """", [], [ Diagnostic(DapperAnalyzer.Diagnostics.ParseError).WithLocation(0).WithArguments(46030, "Expected but did not find a closing quotation mark after the character string ' verify this too.") ], SqlSyntax.General, refDapperAot: false);
+
+    [Theory]
+    [InlineData("Microsoft.Data.SqlClient")]
+    [InlineData("System.Data.SqlClient")]
+    public Task SqlClientCommandInlineCreationReportsParseError(string @namespace) => CSVerifyAsync($$""""
+        using {{@namespace}};
+        using Dapper;
+
+        static class Program
+        {
+            static void Main()
+            {
+                using var conn = new {{@namespace}}.SqlConnection("my connection string here");
+                RunCommand(new {{@namespace}}.SqlCommand("should {|#0:|}' verify this too", conn));
+            }
+
+            static void RunCommand({{@namespace}}.SqlCommand cmd)
+            {
+                cmd.ExecuteNonQuery();
+            }
+        }
+    """", [], [Diagnostic(DapperAnalyzer.Diagnostics.ParseError).WithLocation(0).WithArguments(46030, "Expected but did not find a closing quotation mark after the character string ' verify this too.")], SqlSyntax.General, refDapperAot: false);
+
     [Fact]
     public Task VBSmokeTestVanilla() => VBVerifyAsync("""
         Imports Dapper
@@ -235,7 +276,7 @@ from Users
             and Age = @age
             and Something = {|#1:null|}", New With {name, .id = 42, .age = 24 })
 
-                    Using cmd As New SqlCommand("should ' verify this too", conn)
+                    Using cmd As New SqlCommand("should {|#3:|}' verify this too", conn)
                         cmd.CommandText = "
             select Id, Name, Age
             from Users
@@ -251,6 +292,7 @@ End Module
 """, [], [
         Diagnostic(DapperAnalyzer.Diagnostics.ExecuteCommandWithQuery).WithLocation(0),
         Diagnostic(DapperAnalyzer.Diagnostics.NullLiteralComparison).WithLocation(1),
-        Diagnostic(DapperAnalyzer.Diagnostics.NullLiteralComparison).WithLocation(2)
+        Diagnostic(DapperAnalyzer.Diagnostics.NullLiteralComparison).WithLocation(2),
+        Diagnostic(DapperAnalyzer.Diagnostics.ParseError).WithLocation(3).WithArguments(46030, "Expected but did not find a closing quotation mark after the character string ' verify this too.")
     ], SqlSyntax.General, refDapperAot: false);
 }

Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,11 @@ private void OnCompilationStart(CompilationStartAnalysisContext context)`
`35`	`35`	`// per-run state (in particular, so we can have "first time only" diagnostics)`
`36`	`36`	`var state = new AnalyzerState(context);`
`37`	`37`
`38`		`- // respond to method usages`
`39`		`- context.RegisterOperationAction(state.OnOperation, OperationKind.Invocation, OperationKind.SimpleAssignment);`
	`38`	`+ context.RegisterOperationAction(state.OnOperation,`
	`39`	`+ OperationKind.Invocation, // for Dapper method invocations`
	`40`	`+ OperationKind.SimpleAssignment, // for assignments of query`
	`41`	`+ OperationKind.ObjectCreation // for instantiating Command objects`
	`42`	`+ );`
`40`	`43`
`41`	`44`	`// final actions`
`42`	`45`	`context.RegisterCompilationEndAction(state.OnCompilationEndAction);`
`@@ -111,8 +114,9 @@ public void OnOperation(OperationAnalysisContext ctx)`
`111`	`114`	`try`
`112`	`115`	`{`
`113`	`116`	`// we'll look for:`
`114`		`- // method calls with a parameter called "sql" or marked [Sql]`
`115`		`- // property assignments to "CommandText"`
	`117`	`+ // - method calls with a parameter called "sql" or marked [Sql]`
	`118`	`+ // - property assignments to "CommandText"`
	`119`	+ // - allocation of SqlCommand (i.e. `new SqlCommand(queryString, ...)` )
`116`	`120`	`switch (ctx.Operation.Kind)`
`117`	`121`	`{`
`118`	`122`	`case OperationKind.Invocation when ctx.Operation is IInvocationOperation invoke:`
`@@ -155,6 +159,21 @@ public void OnOperation(OperationAnalysisContext ctx)`
`155`	`159`	`ValidatePropertyUsage(ctx, assignment.Value, false);`
`156`	`160`	`}`
`157`	`161`	`}`
	`162`	`+ break;`
	`163`	`+ case OperationKind.ObjectCreation when ctx.Operation is IObjectCreationOperation objectCreationOperation:`
	`164`	`+`
	`165`	`+ var ctor = objectCreationOperation.Constructor;`
	`166`	`+ var receiverType = ctor?.ReceiverType;`
	`167`	`+`
	`168`	`+ if (ctor is not null && IsSqlClient(receiverType))`
	`169`	`+ {`
	`170`	`+ var sqlParam = ctor.Parameters.FirstOrDefault();`
	`171`	`+ if (sqlParam is not null && sqlParam.Type.SpecialType == SpecialType.System_String && sqlParam.Name == "cmdText")`
	`172`	`+ {`
	`173`	`+ ValidateParameterUsage(ctx, objectCreationOperation.Arguments.First(), sqlUsage: objectCreationOperation);`
	`174`	`+ }`
	`175`	`+ }`
	`176`	`+`
`158`	`177`	`break;`
`159`	`178`	`}`
`160`	`179`	`}`
`@@ -327,11 +346,11 @@ private void ValidateSurroundingLinqUsage(in OperationAnalysisContext ctx, Opera`
`327`	`346`	`}`
`328`	`347`	`}`
`329`	`348`
`330`		`- private void ValidateParameterUsage(in OperationAnalysisContext ctx, IOperation sqlSource)`
	`349`	`+ private void ValidateParameterUsage(in OperationAnalysisContext ctx, IOperation sqlSource, IOperation? sqlUsage = null)`
`331`	`350`	`{`
`332`	`351`	`// TODO: check other parameters for special markers like command type?`
`333`	`352`	`var flags = SqlParseInputFlags.None;`
`334`		`- ValidateSql(ctx, sqlSource, flags, SqlParameters.None);`
	`353`	`+ ValidateSql(ctx, sqlSource, flags, SqlParameters.None, sqlUsageOperation: sqlUsage);`
`335`	`354`	`}`
`336`	`355`
`337`	`356`	`private void ValidatePropertyUsage(in OperationAnalysisContext ctx, IOperation sqlSource, bool isCommand)`
`@@ -372,12 +391,12 @@ public AnalyzerState(CompilationStartAnalysisContext context)`
`372`	`391`	`}`
`373`	`392`
`374`	`393`	`private void ValidateSql(in OperationAnalysisContext ctx, IOperation sqlSource, SqlParseInputFlags flags,`
`375`		`- ImmutableArray<SqlParameter> parameters, Location? location = null)`
	`394`	`+ ImmutableArray<SqlParameter> parameters, Location? location = null, IOperation? sqlUsageOperation = null)`
`376`	`395`	`{`
`377`	`396`	`var parseState = new ParseState(ctx);`
`378`	`397`
`379`	`398`	`// should we consider this as a syntax we can handle?`
`380`		`- var syntax = IdentifySqlSyntax(parseState, ctx.Operation, out var caseSensitive) ?? DefaultSqlSyntax ?? SqlSyntax.General;`
	`399`	`+ var syntax = IdentifySqlSyntax(parseState, sqlUsageOperation ?? ctx.Operation, out var caseSensitive) ?? DefaultSqlSyntax ?? SqlSyntax.General;`
`381`	`400`	`switch (syntax)`
`382`	`401`	`{`
`383`	`402`	`case SqlSyntax.SqlServer:`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ internal virtual bool IsGlobalStatement(SyntaxNode syntax, out SyntaxNode? entry`
`110`	`110`
`111`	`111`	`internal virtual StringSyntaxKind? TryDetectOperationStringSyntaxKind(IOperation operation)`
`112`	`112`	`{`
`113`		`- if (operation is null) return null;`
	`113`	`+ if (operation is null \|\| operation is ILiteralOperation) return null;`
`114`	`114`	`if (operation is IBinaryOperation)`
`115`	`115`	`{`
`116`	`116`	`return StringSyntaxKind.ConcatenatedString;`