From 3f3c1ab50604ab9ba99e25d2016fb85f3ba9dcd4 Mon Sep 17 00:00:00 2001 From: Gail Badner Date: Thu, 18 Jun 2020 12:13:22 -0700 Subject: [PATCH] HHH-14077 : CVE-2019-14900 SQL injection issue using JPA Criteria API --- .../criteria/internal/expression/LiteralExpression.java | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java b/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java index e7639a1dff..4c5a19a03d 100644 --- a/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java +++ b/hibernate-core/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java @@ -110,6 +110,11 @@ public class LiteralExpression extends ExpressionImpl implements Serializa } private String renderProjection(RenderingContext renderingContext) { + if ( ValueHandlerFactory.isCharacter( literal ) ) { + // In case literal is a Character, pass literal.toString() as the argument. + return renderingContext.getDialect().inlineLiteral( literal.toString() ); + } + // some drivers/servers do not like parameters in the select clause final ValueHandlerFactory.ValueHandler handler = ValueHandlerFactory.determineAppropriateHandler( literal.getClass() ); @@ -117,10 +122,6 @@ public class LiteralExpression extends ExpressionImpl implements Serializa if ( handler == null ) { return normalRender( renderingContext, LiteralHandlingMode.BIND ); } - - if ( ValueHandlerFactory.isCharacter( literal ) ) { - return renderingContext.getDialect().inlineLiteral( handler.render( literal ) ); - } else { return handler.render( literal ); }