fix: properly escape table name when querying for failed events

[atzoum]

Description

Using double quotes and escaping the table name when querying for failed events, until we drop support for the old endpoint.

Reference

Security

• The code changed/added as part of this pull request won't create any security issues with how the software is being used.

[codecov]

Codecov Report

Base: 43.73% // Head: 45.34% // Increases project coverage by +1.60% 🎉

Coverage data is based on head (d1efe2d) compared to base (43dde0c).
Patch coverage: 68.18% of modified lines in pull request are covered.

❗ Current head d1efe2d differs from pull request most recent head c0c4c43. Consider uploading reports for the commit c0c4c43 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2663      +/-   ##
==========================================
+ Coverage   43.73%   45.34%   +1.60%     
==========================================
  Files         191      287      +96     
  Lines       40483    47780    +7297     
==========================================
+ Hits        17707    21667    +3960     
- Misses      21671    24745    +3074     
- Partials     1105     1368     +263     

Impacted Files	Coverage Δ
config/backend-config/types.go	74.07% <ø> (+74.07%)	⬆️
enterprise/reporting/noop.go	50.00% <0.00%> (+50.00%)	⬆️
router/failed-events-manager.go	12.93% <0.00%> (+9.48%)	⬆️
services/streammanager/kafka/client/producer.go	82.24% <46.66%> (+1.85%)	⬆️
enterprise/reporting/reporting.go	15.89% <66.66%> (+6.12%)	⬆️
services/streammanager/kafka/kafkamanager.go	75.40% <100.00%> (+12.18%)	⬆️
router/router.go	73.86% <0.00%> (-0.19%)	⬇️
testhelper/destination/redis.go	0.00% <0.00%> (ø)
utils/sysUtils/compress.go	0.00% <0.00%> (ø)
utils/googleutils/googleutils.go	85.71% <0.00%> (ø)
... and 176 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[fracasula]

Maybe we could use a function for escaping these 🤔 Optional of course.

[chrikar]

I know this is probably a temporary measure. It would make more sense to perform this in failedEventsHandler() where both SaveFailedRecordIDs() and FetchFailedRecordIDs() are called.

[chandumlg]

@chrikar The goal of this pr is to evade a security risk with respect to /v1/failed-events endpoint. SaveFailedRecordIDs function is not exposed outside. So, no risk.

[chrikar]

My point @chandumlg is that this conversion should happen at the handler endpoint, not the internal function.

[atzoum]

the HTTP handler should not know how/where failed events are stored, let alone that jobRunId needs to be escaped as if it was a postgresql identifier in the first place :)

[chandumlg]

Oh! Apologies. I misread the changes in this pr. I thought the escaping is done on exposed functions FetchFailedRecordIDs & DropFailedRecordIDs and felt it is not necessary to modify SaveFailedRecordIDs.