

Merge remote-tracking branch 'origin/master' into querydsl-7.0
velo committed Dec 23, 2024
2 parents d25175f + 30bd68a commit 9076fde
Showing 10 changed files with 49 additions and 13 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/dependency-submission.yml
Expand Up @@ -24,6 +24,6 @@ jobs:
java-version: '21'

- name: Submit Dependency Snapshot
uses: advanced-security/maven-dependency-submission-action@v3
uses: advanced-security/maven-dependency-submission-action@v4.1.1
with:
maven-args: -Dtoolchain.skip=true
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -117,7 +117,7 @@
<h2.version>2.3.232</h2.version>
<postgresql.version>42.7.4</postgresql.version>
<oracle.version>23.6.0.24.10</oracle.version>
<mysql.version>8.0.30</mysql.version>
<mysql.version>9.1.0</mysql.version>
<mssql.version>12.9.0.jre8-preview</mssql.version>
<cubrid.version>9.3.9.0002</cubrid.version>
<sqlite.version>3.47.1.0</sqlite.version>
Expand Up @@ -19,6 +19,7 @@
import java.io.Serializable;
import java.util.Collection;
import java.util.Map;
import java.util.regex.Pattern;

/** {@code PathBuilderValidator} validates {@link PathBuilder} properties at creation time */
public interface PathBuilderValidator extends Serializable {
Expand All @@ -35,8 +36,14 @@ public interface PathBuilderValidator extends Serializable {

PathBuilderValidator DEFAULT =
new PathBuilderValidator() {

private Pattern SPACES = Pattern.compile("\\s");

@Override
public Class<?> validate(Class<?> parent, String property, Class<?> propertyType) {
if (SPACES.matcher(property).find()) {
throw new IllegalStateException("Unsafe due to CVE-2024-49203");
}
return propertyType;
}
};
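Review bot: The new DEFAULT validator rejects a property only when `SPACES.matcher(property).find()` hits, which is a denylist of ASCII whitespace rather than a statement of what a property name may contain; a payload that avoids whitespace (punctuation such as `(`, `)`, `,`, `'` or `;`, or a non-ASCII space that `\s` does not match without `UNICODE_CHARACTER_CLASS`) passes through unchanged, and whether HQL treats any of those as a token separator is not something this file can show. An allowlist states the intent directly and fails closed: `private static final Pattern SAFE = Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*");` with `if (!SAFE.matcher(property).matches()) {`, extended with `.` only if callers are expected to pass nested property paths, which is not visible here. Either way the field should be `final` (and `static` where the language level allows that in an anonymous class) because it is a compiled, shareable Pattern, and a one-line comment above it should say why it exists: `// Reject property names that could smuggle HQL fragments into ORDER BY (CVE-2024-49203)`. Any other PathBuilderValidator implementations the interface declares lie outside this hunk and would need the same guard to close the advisory for paths built with them.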
Expand Up @@ -14,8 +14,13 @@
package com.querydsl.core.types.dsl;

import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import com.querydsl.core.BooleanBuilder;
import com.querydsl.core.domain.Cat;
import com.querydsl.core.types.Order;
import com.querydsl.core.types.OrderSpecifier;
import com.querydsl.core.util.BeanMap;
import java.sql.Time;
import java.util.Date;
Expand Down Expand Up @@ -128,4 +133,25 @@ public void calling_get_with_the_same_name_and_different_types_returns_correct_t
assertThat(entity.get(pathName, Comparable.class).getType()).isEqualTo(String.class);
assertThat(entity.get(pathName, Object.class).getType()).isEqualTo(String.class);
}

@Test
public void order_HQL_injection() {
var orderBy = "breed";
var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
assertDoesNotThrow(() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
}

@Test
// CVE-2024-49203
// https://github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg
public void unsafe_order_HQL_injection() {
var orderBy =
"test.name INTERSECT SELECT t FROM Test t WHERE (SELECT cast(pg_sleep(10) AS text))='2' ORDER BY t.id";
var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
var error =
assertThrows(
IllegalStateException.class,
() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
assertThat(error).hasMessageContaining("CVE-2024-49203");
}
}
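Review bot: Both new tests route the call through `new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy))`, but the check being exercised lives in `PathBuilderValidator.DEFAULT` and fires inside `pathBuilder.get(orderBy)`; the names `order_HQL_injection` and `unsafe_order_HQL_injection` imply OrderSpecifier does the rejecting, so a later change that moves or weakens the validator would be misread from these tests. Assert on the call that enforces the rule, `assertThrows(IllegalStateException.class, () -> pathBuilder.get(orderBy));`, and name the tests after the validator, e.g. `default_validator_accepts_plain_property` and `default_validator_rejects_whitespace_in_property`. The negative case covers only a space-separated payload; a tab or newline variant such as `"breed\tINTERSECT SELECT t FROM Test t"` pins the `\s` scope, and a whitespace-free property with punctuation such as `"breed,id"` deserves an explicit test recording whether it is accepted or rejected, since the guard's behaviour on it is otherwise undocumented. The enclosing test class starts before this hunk.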
6 changes: 3 additions & 3 deletions querydsl-libraries/querydsl-jpa/pom.xml
Expand Up @@ -140,8 +140,8 @@
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<version>${mysql.version}</version>
<scope>test</scope>
</dependency>
Expand Down Expand Up @@ -314,7 +314,7 @@
<version>${project.version}</version>
<configuration>
<jdbcDriver>org.apache.derby.jdbc.EmbeddedDriver</jdbcDriver>
<jdbcUrl>jdbc:derby:target/derbydb;create=true</jdbcUrl>
<jdbcUrl>jdbc:derby:${project.build.directory}/derbydb;create=true</jdbcUrl>
<packageName>com.querydsl.jpa.domain.sql</packageName>
<targetFolder>src/test/java</targetFolder>
<sourceFolder>src/test/java</sourceFolder>
4 changes: 2 additions & 2 deletions querydsl-libraries/querydsl-sql-json/pom.xml
Expand Up @@ -83,8 +83,8 @@
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<version>${mysql.version}</version>
<scope>test</scope>
</dependency>
4 changes: 2 additions & 2 deletions querydsl-libraries/querydsl-sql-spatial/pom.xml
Expand Up @@ -70,8 +70,8 @@
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<version>${mysql.version}</version>
<scope>test</scope>
</dependency>
4 changes: 2 additions & 2 deletions querydsl-libraries/querydsl-sql/pom.xml
Expand Up @@ -67,8 +67,8 @@
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<version>${mysql.version}</version>
<scope>test</scope>
</dependency>
Expand Up @@ -131,6 +131,7 @@ LONGBLOB
LONGTEXT
LOOP
LOW_PRIORITY
MANUAL
MASTER_BIND
MASTER_SSL_VERIFY_SERVER_CERT
MATCH
Expand Down Expand Up @@ -160,12 +161,14 @@ ORDER
OUT
OUTER
OUTFILE
PARALLEL
PERSIST
PERSIST_ONLY
PRECISION
PRIMARY
PROCEDURE
PURGE
QUALIFY
RANGE
READ
READ_WRITE
4 changes: 2 additions & 2 deletions querydsl-tooling/querydsl-sql-codegen/pom.xml
Expand Up @@ -69,8 +69,8 @@
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<version>${mysql.version}</version>
<scope>test</scope>
</dependency>
