HHH-14077 : CVE-2019-14900 SQL injection issue in Hibernate ORM

hibernate · Aug 4, 2020 · 646b383 · 646b383
1 parent d7400b5
commit 646b383
Show file tree

Hide file tree

Showing 2 changed files with 139 additions and 6 deletions.
diff --git a/...ore/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java b/...ore/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java
@@ -78,15 +78,15 @@ private String bindLiteral(RenderingContext renderingContext) {
 
 	@SuppressWarnings({ "unchecked" })
 	public String renderProjection(RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+			return renderingContext.getDialect().inlineLiteral( literal.toString() );
+		}
+
 		// some drivers/servers do not like parameters in the select clause
 		final ValueHandlerFactory.ValueHandler handler =
 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
-			return '\'' + handler.render( literal ) + '\'';
-		}
-		else {
-			return handler.render( literal );
-		}
+		return handler.render( literal );
 	}
 
 	@Override

diff --git a/...test/java/org/hibernate/jpa/test/criteria/literal/CriteriaLiteralWithSingleQuoteTest.java b/...test/java/org/hibernate/jpa/test/criteria/literal/CriteriaLiteralWithSingleQuoteTest.java
@@ -0,0 +1,133 @@
+/*
+ * Hibernate, Relational Persistence for Idiomatic Java
+ *
+ * License: GNU Lesser General Public License (LGPL), version 2.1 or later.
+ * See the lgpl.txt file in the root directory or <http://www.gnu.org/licenses/lgpl-2.1.html>.
+ */
+package org.hibernate.jpa.test.criteria.literal;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import javax.persistence.criteria.CriteriaBuilder;
+import javax.persistence.criteria.CriteriaQuery;
+
+import org.hibernate.jpa.test.BaseEntityManagerFunctionalTestCase;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.hibernate.testing.transaction.TransactionUtil.doInJPA;
+import static org.junit.Assert.assertEquals;
+
+public class CriteriaLiteralWithSingleQuoteTest extends BaseEntityManagerFunctionalTestCase {
+
+	@Test
+	public void literalSingleQuoteTest() throws Exception {
+
+		doInJPA(
+				this::entityManagerFactory,
+				entityManager -> {
+					CriteriaBuilder cb = entityManager.getCriteriaBuilder();
+					CriteriaQuery<Object> query = cb.createQuery();
+					query.select( cb.literal( '\'' ) ).from( Student.class );
+					Object object = entityManager.createQuery( query ).getSingleResult();
+					assertEquals( "'", object );
+				}
+		);
+	}
+
+	@Test
+	public void literalProjectionTest() throws Exception {
+
+		doInJPA(
+				this::entityManagerFactory,
+				entityManager -> {
+					CriteriaBuilder cb = entityManager.getCriteriaBuilder();
+					CriteriaQuery<Object> query = cb.createQuery();
+					query.multiselect( cb.literal( "' || aValue || '" ) ).from( Student.class );
+					Object object = entityManager.createQuery( query ).getSingleResult();
+					assertEquals( "' || aValue || '", object );
+				}
+		);
+	}
+
+	@Test
+	public void testLiteralProjectionAndGroupBy() throws Exception {
+		doInJPA(
+				this::entityManagerFactory,
+				entityManager -> {
+
+					final String literal = "' || aValue || '";
+
+					CriteriaBuilder cb = entityManager.getCriteriaBuilder();
+					CriteriaQuery<Object> query = cb.createQuery();
+					query.multiselect( cb.literal( literal ) )
+							.from( Student.class );
+					query.groupBy( cb.literal( literal ) );
+
+					Object object = entityManager.createQuery( query ).getSingleResult();
+					assertEquals( literal, object );
+				}
+		);
+	}
+
+	@Before
+	public void setupData() {
+		doInJPA(
+				this::entityManagerFactory,
+				entityManager -> {
+					Student student = new Student();
+					student.setAValue( "A Value" );
+					entityManager.persist( student );
+				}
+		);
+	}
+
+	@After
+	public void cleanupData() {
+		doInJPA(
+				this::entityManagerFactory,
+				entityManager -> {
+					entityManager.createQuery( "delete from Student" );
+				}
+		);
+	}
+
+	@Override
+	protected Class<?>[] getAnnotatedClasses() {
+		return new Class[] { Student.class };
+	}
+
+	@Entity(name = "Student")
+	@Table(name = "Students")
+	public static class Student {
+
+		@Id
+		@GeneratedValue
+		private Long id;
+
+		@Column
+		private String aValue;
+
+		public Long getId() {
+			return id;
+		}
+
+		public void setId(Long id) {
+			this.id = id;
+			this.id = id;
+		}
+
+		public String getAValue() {
+			return aValue;
+		}
+
+		public void setAValue(String value) {
+			this.aValue = value;
+		}
+	}
+}