HHH-14077 CVE-2019-14900 SQL injection issue using JPA Criteria API

This commit is contained in:
Andrea Boriero 2020-06-19 12:38:32 +01:00 committed by Steve Ebersole
parent d9a33bf405
commit eebf01fbf3
1 changed files with 7 additions and 4 deletions


@ -19,6 +19,8 @@ import org.hibernate.type.descriptor.sql.spi.BasicJdbcLiteralFormatter;
* @author Steve Ebersole
*/
public class JdbcLiteralFormatterCharacterData extends BasicJdbcLiteralFormatter {
public static final String NATIONALIZED_PREFIX = "n";
private final boolean isNationalized;
public JdbcLiteralFormatterCharacterData(JavaTypeDescriptor javaTypeDescriptor) {
@ -34,12 +36,13 @@ public class JdbcLiteralFormatterCharacterData extends BasicJdbcLiteralFormatter
public String toJdbcLiteral(Object value, Dialect dialect, SharedSessionContractImplementor session) {
final String literalValue = unwrap( value, String.class, session );
final String inlineLiteral = dialect.inlineLiteral( literalValue );
if ( isNationalized ) {
// is there a standardized form for n-string literals? This is the SQL Server syntax for sure
return String.format( Locale.ROOT, "n'%s'", literalValue );
}
else {
return String.format( Locale.ROOT, "'%s'", literalValue );
return NATIONALIZED_PREFIX.concat( inlineLiteral );
}
return inlineLiteral;
}
}
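Review bot: After this change the method's resistance to quote injection rests entirely on `dialect.inlineLiteral( literalValue )` at the new line in `toJdbcLiteral`, yet nothing in the class states that contract, so a later contributor could reintroduce a `String.format` path without noticing what it bypasses. I would add Javadoc on `toJdbcLiteral` along the lines of `Formats the unwrapped String as an inline SQL literal; quoting and escaping of embedded quote characters is delegated to {@link Dialect#inlineLiteral}, never built here, and the nationalized form only prepends {@link #NATIONALIZED_PREFIX} to that already-escaped literal.` A regression test feeding a value that contains a single quote (and a backslash, for dialects where that is an escape character) through this formatter would pin the fix. The two `String.format( Locale.ROOT, ... )` calls were the only visible uses of `Locale`, so the `java.util.Locale` import is presumably now unused; the import block is outside the hunk, so verify before removing it.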