From eebf01fbf3c2550ee70cdc9c1b02b52e330c8c36 Mon Sep 17 00:00:00 2001
From: Andrea Boriero
Date: Fri, 19 Jun 2020 12:38:32 +0100
Subject: [PATCH] HHH-14077 CVE-2019-14900 SQL injection issue using JPA Criteria API

---
 .../internal/JdbcLiteralFormatterCharacterData.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hibernate-core/src/main/java/org/hibernate/type/descriptor/sql/internal/JdbcLiteralFormatterCharacterData.java b/hibernate-core/src/main/java/org/hibernate/type/descriptor/sql/internal/JdbcLiteralFormatterCharacterData.java
index 132d51ac21a8..dfd53099be3e 100644
--- a/hibernate-core/src/main/java/org/hibernate/type/descriptor/sql/internal/JdbcLiteralFormatterCharacterData.java
+++ b/hibernate-core/src/main/java/org/hibernate/type/descriptor/sql/internal/JdbcLiteralFormatterCharacterData.java
@@ -19,6 +19,8 @@
  * @author Steve Ebersole
  */
 public class JdbcLiteralFormatterCharacterData extends BasicJdbcLiteralFormatter {
+	public static final String NATIONALIZED_PREFIX = "n";
+
 	private final boolean isNationalized;
 
 	public JdbcLiteralFormatterCharacterData(JavaTypeDescriptor javaTypeDescriptor) {
@@ -34,12 +36,13 @@ public JdbcLiteralFormatterCharacterData(JavaTypeDescriptor javaTypeDescriptor,
 	public String toJdbcLiteral(Object value, Dialect dialect, SharedSessionContractImplementor session) {
 		final String literalValue = unwrap( value, String.class, session );
 
+		final String inlineLiteral = dialect.inlineLiteral( literalValue );
+
 		if ( isNationalized ) {
 			// is there a standardized form for n-string literals?  This is the SQL Server syntax for sure
-			return String.format( Locale.ROOT, "n'%s'", literalValue );
-		}
-		else {
-			return String.format( Locale.ROOT, "'%s'", literalValue );
+			return NATIONALIZED_PREFIX.concat( inlineLiteral );
 		}
+
+		return inlineLiteral;
 	}
 }
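Review bot: The quoting and escaping that close the injection now live entirely in `dialect.inlineLiteral( literalValue )`, but nothing in `toJdbcLiteral` records that contract, so a later edit could reintroduce direct quoting without anyone noticing; suggest a Javadoc on the method such as `/** Renders {@code value} as an inline SQL string literal. Quoting and escaping are delegated to {@link Dialect#inlineLiteral}; never assemble the quoted form here. */`. `NATIONALIZED_PREFIX.concat( inlineLiteral )` also assumes every dialect returns a quote-delimited string so that the `n` lands directly in front of the opening quote; a dialect that inlines strings differently would yield invalid SQL, and that assumption is worth stating in the existing comment above the return (which still only mentions SQL Server). Both `Locale.ROOT` uses are removed in this hunk, so the `java.util.Locale` import is presumably now unused unless the file references it outside the shown hunks.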