
FINERACT-2624: Sanitize input to runreports, with type checking #5913

Closed
terencemo wants to merge 1 commit into apache:develop from terencemo:runreports-prepared-stmt-input-sanit

Conversation

@terencemo
Contributor

@terencemo terencemo commented May 30, 2026

Description

This PR enhances stretchy reporting in Fineract by:

  1. Sanitising input parameters based on type definitions
  2. Using prepared statements to execute stretchy reports

Integration tests have been added which invoke runreports with both valid and invalid inputs. Positive and negative tests cover the numeric parameter (officeId) with numeric and non-numeric input; some of the invalid inputs include SLEEP and pg_sleep commands. UNION ALL inputs attempting SQL injection are also passed. Unregistered parameter passing is also covered, where a parameter not in stretchy_report_parameter for the given report is passed. Additional integration tests can be added to cover date and string parameter types.

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

  • Write the commit message as per our guidelines
  • Acknowledge that we will not review PRs that are not passing the build ("green") - it is your responsibility to get a proposed PR to pass the build, not primarily the project's maintainers.
  • Create/update unit or integration tests for verifying the changes made.
  • Follow our coding conventions.
  • Add required Swagger annotation and update API documentation at fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with details of any API changes
  • This PR must not be a "code dump". Large changes can be made in a branch, with assistance. Ask for help on the developer mailing list.

Your assigned reviewer(s) will follow our guidelines for code reviews.
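The two measures the PR describes, type-checked parameter validation against a per-report registry and execution through a prepared statement, can be illustrated outside the Fineract code base. The following is an added example written for this page, not Fineract's own implementation: the report name `ClientListing`, the `startDate` and `status` parameters, the table layout and the sample rows are all constructed; only `officeId` and the `stretchy_report_parameter` registry idea come from the PR description. It shows why the two measures complement each other: the registry rejects unregistered names and anything that is not of the declared type (so `1 OR pg_sleep(5)` never reaches the database), while named placeholders guarantee that a string parameter which happens to contain SQL keywords is still bound as plain data.

```python
import re
import sqlite3
from datetime import date

# Constructed registry standing in for a stretchy_report_parameter lookup:
# report name -> parameter name -> declared type. "ClientListing",
# "startDate" and "status" are assumed names; officeId comes from the PR.
REPORT_PARAMETERS = {
    "ClientListing": {"officeId": "integer", "startDate": "date", "status": "string"},
}

# Report SQL with named placeholders only; parameter values are never
# concatenated into the text, so the database engine sees them as data.
REPORT_SQL = {
    "ClientListing": (
        "SELECT id, name FROM clients "
        "WHERE office_id = :officeId AND created_on >= :startDate "
        "AND status = :status ORDER BY id"
    ),
}


class InvalidReportParameter(ValueError):
    """Raised when a supplied parameter is unregistered or fails its type check."""


_INTEGER = re.compile(r"-?\d{1,18}")
_STRING = re.compile(r"[A-Za-z0-9 _\-]{1,100}")


def coerce(name, declared_type, raw):
    """Convert one raw request value to the declared type or reject it."""
    if declared_type == "integer":
        if not _INTEGER.fullmatch(raw):
            raise InvalidReportParameter(f"{name}: expected integer, got {raw!r}")
        return int(raw)
    if declared_type == "date":
        try:
            return date.fromisoformat(raw).isoformat()
        except ValueError:
            raise InvalidReportParameter(f"{name}: expected ISO date, got {raw!r}") from None
    if declared_type == "string":
        if not _STRING.fullmatch(raw):
            raise InvalidReportParameter(f"{name}: disallowed characters in {raw!r}")
        return raw
    raise InvalidReportParameter(f"{name}: unsupported declared type {declared_type!r}")


def sanitize_parameters(report_name, supplied):
    """Reject unknown reports, unregistered names and type mismatches; return typed values."""
    registry = REPORT_PARAMETERS.get(report_name)
    if registry is None:
        raise InvalidReportParameter(f"unknown report {report_name!r}")
    unregistered = sorted(set(supplied) - set(registry))
    if unregistered:
        raise InvalidReportParameter(f"unregistered parameter(s): {unregistered}")
    missing = sorted(set(registry) - set(supplied))
    if missing:
        raise InvalidReportParameter(f"missing parameter(s): {missing}")
    return {name: coerce(name, registry[name], value) for name, value in supplied.items()}


def run_report(conn, report_name, supplied):
    """Validate the request, then execute the report as a parameterized query."""
    params = sanitize_parameters(report_name, supplied)
    return conn.execute(REPORT_SQL[report_name], params).fetchall()


def rejection_reason(report_name, supplied):
    """Return the validation error message, or None if the request is accepted."""
    try:
        sanitize_parameters(report_name, supplied)
    except InvalidReportParameter as exc:
        return str(exc)
    return None


def demo_connection():
    """Constructed in-memory table and rows standing in for the reporting schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER, name TEXT, office_id INTEGER, "
        "created_on TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Alice", 1, "2024-01-10", "active"),
            (2, "Bob", 1, "2023-06-01", "active"),
            (3, "Carol", 2, "2024-03-15", "active"),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    good = {"officeId": "1", "startDate": "2024-01-01", "status": "active"}
    print(run_report(conn, "ClientListing", good))
    for bad in (
        {**good, "officeId": "1 OR pg_sleep(5)"},
        {**good, "officeId": "1 UNION ALL SELECT 1,2"},
        {**good, "startDate": "2024-13-40"},
        {**good, "orderBy": "id"},
    ):
        print(rejection_reason("ClientListing", bad))
```

The validation step is what makes the "unregistered parameter" test from the PR meaningful: a name that is not in the registry for the requested report is refused before any SQL is built, and a numeric parameter is refused unless the whole value parses as an integer. The prepared statement is the second, independent layer; even if the string allow-list were loosened, a bound value cannot change the query's structure.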

@meonkeys
Contributor

Please

  1. create an issue in JIRA and update the PR title
  2. look into failing tests

@terencemo
Contributor Author

Hi Adam, thanks for the review!

Please

  1. create an issue in JIRA and update the PR title
  2. look into failing tests

On the failing tests — I looked into both. The failures in SmsApiResourceIntegrationTest and CampaignsTest are both 403 Forbidden where 200 is expected. My changes are confined to the stretchy reporting/runreports path and have no overlap with the SMS or Campaigns modules. The 403 pattern is typical of test ordering sensitivity in the sharded CI — a prior test leaving the auth state dirty. SmsApiResourceIntegrationTest is also relatively new (FINERACT-2315, July 2025) and likely has pre-existing flakiness here.

On the Jira ticket — following up separately with you and @jdailey via email

@terencemo terencemo changed the title Sanitize input to runreports, with type checking FINERACT-2624: Sanitize input to runreports, with type checking May 30, 2026
@terencemo terencemo closed this May 31, 2026
@meonkeys
Contributor

meonkeys commented Jun 1, 2026

closed in favor of #5916
