From 676a156dc8c3c25466d2441cc239da4265a904f8 Mon Sep 17 00:00:00 2001
From: lidongy <1879087903@qq.com>
Date: Tue, 5 Mar 2024 17:42:49 +0800
Subject: [PATCH 1/2] =?UTF-8?q?REPORT-115463=20springframework=20CVE-2024-?=
 =?UTF-8?q?22243=20=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../fr/third/springframework/web/util/UriComponentsBuilder.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fine-spring/src/main/java/com/fr/third/springframework/web/util/UriComponentsBuilder.java b/fine-spring/src/main/java/com/fr/third/springframework/web/util/UriComponentsBuilder.java
index 659955479..46b90704d 100644
--- a/fine-spring/src/main/java/com/fr/third/springframework/web/util/UriComponentsBuilder.java
+++ b/fine-spring/src/main/java/com/fr/third/springframework/web/util/UriComponentsBuilder.java
@@ -66,7 +66,7 @@ public class UriComponentsBuilder implements Cloneable {
 private static final String HTTP_PATTERN = "(?i)(http|https):";
- private static final String USERINFO_PATTERN = "([^@\\[/?#]*)";
+ private static final String USERINFO_PATTERN = "([^@/?#]*)";
 private static final String HOST_IPV4_PATTERN = "[^\\[/?#:]*";
From 73e22ef7fcb37cd54342a8ae1bde46e335e597a0 Mon Sep 17 00:00:00 2001
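Review bot: The relaxed `USERINFO_PATTERN` lands without a regression test or a comment, so nothing in this vendored copy records why `[` is now accepted in the userinfo part. With the new pattern a `[` before `@` no longer stops the userinfo match, so the host reported by the built `UriComponents` is taken from the text after `@`; a unit test that parses a URL with a bracket in its userinfo and asserts the parsed host would pin that behaviour. I would also add a line such as `// CVE-2024-22243: '[' is allowed in userinfo so the host is read from the text after '@'` above the constant. The context line `HOST_IPV4_PATTERN` still excludes `[`, and upstream appears to have kept hardening this parser in later releases, so the hand-patched copy should be compared with the current patched upstream source rather than treated as complete.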
From: lidongy <1879087903@qq.com>
Date: Thu, 7 Mar 2024 09:49:49 +0800
Subject: [PATCH 2/2] =?UTF-8?q?REPORT-113277=20Hibernate=E7=BB=84=E4=BB=B6?=
 =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../third/org/hibernate/dialect/Dialect.java | 12 +++++++
 .../expression/LiteralExpression.java | 33 ++++++++++++++-----
 .../internal/SelectStatementBuilder.java | 2 +-
 .../fr/third/org/hibernate/sql/Delete.java | 4 ++-
 .../fr/third/org/hibernate/sql/Insert.java | 2 +-
 .../third/org/hibernate/sql/InsertSelect.java | 2 +-
 .../third/org/hibernate/sql/QuerySelect.java | 2 +-
 .../fr/third/org/hibernate/sql/Select.java | 2 +-
 .../third/org/hibernate/sql/SimpleSelect.java | 2 +-
 .../fr/third/org/hibernate/sql/Update.java | 2 +-
 10 files changed, 47 insertions(+), 16 deletions(-)
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java
index c86f19177..5c94966c9 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java
@@ -24,6 +24,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;
 import com.fr.third.org.hibernate.HibernateException;
 import com.fr.third.org.hibernate.LockMode;
@@ -140,6 +141,9 @@ public abstract class Dialect implements ConversionContext {
 */
 public static final String CLOSED_QUOTE = "`\"]";
+ private static final Pattern ESCAPE_CLOSING_COMMENT_PATTERN = Pattern.compile("\\*/");
+ private static final Pattern ESCAPE_OPENING_COMMENT_PATTERN = Pattern.compile("/\\*");
+
 private final TypeNames typeNames = new TypeNames();
 private final TypeNames hibernateTypeNames = new TypeNames();
@@ -2738,6 +2742,14 @@ public abstract class Dialect implements ConversionContext {
 return StandardCallableStatementSupport.NO_REF_CURSOR_INSTANCE;
 }
+ public static String escapeComment(String comment) {
+ if (StringHelper.isNotEmpty(comment)) {
+ final String escaped = ESCAPE_CLOSING_COMMENT_PATTERN.matcher(comment).replaceAll("*\\\\/");
+ return ESCAPE_OPENING_COMMENT_PATTERN.matcher(escaped).replaceAll("/\\\\*");
+ }
+ return comment;
+ }
+
 /**
 * By default interpret this based on DatabaseMetaData.
 *
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java
index 5a7958c45..a7a288679 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java
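Review bot: `escapeComment` becomes a public static entry point on `Dialect` with no Javadoc, and this patch carries no test for it. It rewrites `*/` to `*\/` and then `/*` to `/\*` (the `\\\\` in each replacement string is regex-replacement syntax for a single backslash) and returns null or empty input unchanged; that contract is worth stating, for example `/** Escapes the comment delimiters in {@code comment} so the text cannot close or reopen the enclosing SQL block comment; null and empty values are returned as-is. */`. A small test covering null, an empty string, and text containing each delimiter would guard the order of the two replacements. `StringHelper` is used here but its import is outside the hunk, so confirm it is already in scope in this file.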
@@ -58,17 +58,34 @@ public class LiteralExpression extends ExpressionImpl implements Serializa
 return ':' + parameterName;
 }
- @SuppressWarnings({ "unchecked" })
+ /**
+ * Inline String literal.
+ *
+ * @return escaped String
+ */
+ private String inlineLiteral(String literal) {
+ return String.format("\'%s\'", escapeLiteral(literal));
+ }
+
+ /**
+ * Escape String literal.
+ *
+ * @return escaped String
+ */
+ private String escapeLiteral(String literal) {
+ return literal.replace("'", "''");
+ }
+
+ @SuppressWarnings({"unchecked"})
 public String renderProjection(RenderingContext renderingContext) {
+ if (ValueHandlerFactory.isCharacter(literal)) {
+ // In case literal is a Character, pass literal.toString() as the argument.
+ return inlineLiteral(literal.toString());
+ }
 // some drivers/servers do not like parameters in the select clause
 final ValueHandlerFactory.ValueHandler handler =
- ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
- if ( ValueHandlerFactory.isCharacter( literal ) ) {
- return '\'' + handler.render( literal ) + '\'';
- }
- else {
- return handler.render( literal );
- }
+ ValueHandlerFactory.determineAppropriateHandler(literal.getClass());
+ return handler.render(literal);
 }
 @Override
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
index 5af5c1608..d61e84bed 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
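Review bot: `escapeLiteral` only doubles single quotes, which covers standard SQL string literals but not, on its own, databases configured to treat backslash as an escape character inside literals. Since `renderProjection` inlines the value into the select clause instead of binding it, I would document that limit on the helper, e.g. `// Standard-SQL quoting only: dialects with backslash escapes need dialect-aware escaping or a bound parameter`, and keep untrusted values out of projected literals where the target database behaves that way. The two new Javadoc blocks also omit `@param literal`, and the inline comment says "Character" although the branch is taken whenever `ValueHandlerFactory.isCharacter(literal)` is true, which may include strings — confirm and reword. The re-spacing of the otherwise unchanged `determineAppropriateHandler` call adds diff noise against upstream in a vendored file.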
@@ -187,7 +187,7 @@ public class SelectStatementBuilder {
 StringBuilder buf = new StringBuilder( guesstimatedBufferSize );
 if ( StringHelper.isNotEmpty( comment ) ) {
- buf.append( "/* " ).append( comment ).append( " */ " );
+ buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 }
 buf.append( "select " )
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java
index 9146a1be8..0fba094dc 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java
@@ -5,6 +5,8 @@
 * See the lgpl.txt file in the root directory or .
 */
 package com.fr.third.org.hibernate.sql;
+import com.fr.third.org.hibernate.dialect.Dialect;
+
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -36,7 +38,7 @@ public class Delete {
 public String toStatementString() {
 StringBuilder buf = new StringBuilder( tableName.length() + 10 );
 if ( comment!=null ) {
- buf.append( "/* " ).append(comment).append( " */ " );
+ buf.append( "/* " ).append(Dialect.escapeComment(comment)).append( " */ " );
 }
 buf.append( "delete from " ).append(tableName);
 if ( where != null || !primaryKeyColumns.isEmpty() || versionColumnName != null ) {
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java
index b646fe591..4361d64ca 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java
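Review bot: The escaping is applied call site by call site — here in `SelectStatementBuilder`, and in the `Delete`, `Insert`, `InsertSelect`, `QuerySelect`, `Select`, `SimpleSelect` and `Update` hunks — so any other builder outside this patch that concatenates `"/* "` with a comment stays unescaped. Search the vendored tree for remaining concatenations of that shape (dialect-level hint or comment handling is a likely place, though not visible here) and route them through `Dialect.escapeComment` as well. Only the `Delete` section adds an import for `Dialect`; the other files presumably already import it, which is worth confirming with a build. The guards also differ (`comment != null` versus `StringHelper.isNotEmpty`), which is harmless because `escapeComment` returns empty input unchanged, but a line such as `// comment text is caller-supplied; escape before embedding it in the SQL` at the call sites would explain the wrapper.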
@@ -90,7 +90,7 @@ public class Insert {
 public String toStatementString() {
 StringBuilder buf = new StringBuilder( columns.size()*15 + tableName.length() + 10 );
 if ( comment != null ) {
- buf.append( "/* " ).append( comment ).append( " */ " );
+ buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 }
 buf.append("insert into ")
 .append(tableName);
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java
index e7174124a..c585a992b 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java
@@ -65,7 +65,7 @@ public class InsertSelect {
 StringBuilder buf = new StringBuilder( (columnNames.size() * 15) + tableName.length() + 10 );
 if ( comment!=null ) {
- buf.append( "/* " ).append( comment ).append( " */ " );
+ buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 }
 buf.append( "insert into " ).append( tableName );
 if ( !columnNames.isEmpty() ) {
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java
index 2f7cc1ed2..d3b36b1b3 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java
@@ -126,7 +126,7 @@ public class QuerySelect {
 public String toQueryString() {
 StringBuilder buf = new StringBuilder( 50 );
 if ( comment != null ) {
- buf.append( "/* " ).append( comment ).append( " */ " );
+ buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 }
 buf.append( "select " );
 if ( distinct ) {
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java
index 9d392244a..787fab6b3 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java
@@ -40,7 +40,7 @@ public class Select {
 public String toStatementString() {
 StringBuilder buf = new StringBuilder(guesstimatedBufferSize);
 if ( StringHelper.isNotEmpty(comment) ) {
- buf.append("/* ").append(comment).append(" */ ");
+ buf.append("/* ").append(Dialect.escapeComment(comment)).append(" */ ");
 }
 buf.append("select ").append(selectClause)
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java
index 706dd690b..cce3611c1 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java
@@ -143,7 +143,7 @@ public class SimpleSelect {
 );
 if ( comment != null ) {
- buf.append( "/* " ).append( comment ).append( " */ " );
+ buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 }
 buf.append( "select " );
diff --git a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java
index 34dbbaaf3..ede04cad3 100644
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java
@@ -166,7 +166,7 @@ public class Update {
 public String toStatementString() {
 StringBuilder buf = new StringBuilder( (columns.size() * 15) + tableName.length() + 10 );
 if ( comment!=null ) {
- buf.append( "/* " ).append( comment ).append( " */ " );
+ buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 }
 buf.append( "update " ).append( tableName ).append( " set " );
 boolean assignmentsAppended = false;