product: fix CREATE DATABASE failure on special characters

The PostgreSQL path of _create_database() interpolated the user-supplied
database name directly into a CREATE DATABASE statement via an f-string.
This caused syntax errors for any name that is not a legal unquoted
PostgreSQL identifier - in particular names containing a dash
(e.g. 'test-product') or starting with a digit (e.g. '1team') - both
reported by users via the GUI's product creation dialog.

SQLAlchemy does not auto-quote identifiers in free-form text() clauses,
so the fix has two parts:

  * Quote the identifier explicitly using the dialect's
    IdentifierPreparer before embedding it in the statement. This
    produces a properly double-quoted name such as CREATE DATABASE
    "test-product", which PostgreSQL accepts.

  * Validate the database name in addProduct() using the new
    is_valid_postgresql_db_name() helper, so that inputs containing
    quotes, semicolons, whitespace, control characters, or that
    exceed PostgreSQL's 63-byte identifier limit are rejected with a
    clear error message before any SQL is issued, rather than crashing
    later with an opaque driver error.

Author: bishara74

web/server/codechecker_server/api/product_server.py

@@ -31,7 +31,7 @@
 from .. import permissions
 from ..database.config_db_model import IDENTIFIER, Product, ProductPermission
 from ..database.database import DBSession, SQLServer, conv, escape_like
-from ..routing import is_valid_product_endpoint
+from ..routing import is_valid_product_endpoint, is_valid_postgresql_db_name
 
 from .thrift_enum_helper import confidentiality_enum, \
         confidentiality_str
@@ -368,7 +368,10 @@ def __create_product_database(self, product):
             with engine.connect() as conn:
                 conn.execute(text("commit"))
                 LOG.info("Creating database '%s'", db_name)
-                conn.execute(text(f"CREATE DATABASE {db_name}"))
+                quoted_db_name = engine.dialect.identifier_preparer \
+                    .quote_identifier(db_name)
+                conn.execute(
+                    text(f"CREATE DATABASE {quoted_db_name}"))
                 conn.close()
         except exc.ProgrammingError as e:
             LOG.error("ProgrammingError occurred: %s", str(e))
@@ -411,6 +414,19 @@ def addProduct(self, product):
                 codechecker_api_shared.ttypes.ErrorCode.GENERAL,
                 msg)
 
+        if dbc.engine == 'postgresql' \
+                and not is_valid_postgresql_db_name(dbc.database):
+            msg = (
+                f"The specified PostgreSQL database name "
+                f"'{dbc.database}' contains characters that are "
+                "not allowed (quotes, semicolons, whitespace, or "
+                "control characters), or is empty, or exceeds "
+                "PostgreSQL's 63-byte identifier limit.")
+            LOG.error(msg)
+            raise codechecker_api_shared.ttypes.RequestFailed(
+                codechecker_api_shared.ttypes.ErrorCode.DATABASE,
+                msg)
+
         if self.__server.get_product(product.endpoint):
             msg = \
                 f"A product endpoint '/{product.endpoint}' is already " \