
Merge pull request #10486 in CORE/base-third from persist/10.0 to persist/jsy

* commit '1d11cb1b9f49f1c02d632eaaf689c54c87a5e338':
  REPORT-113277 Hibernate组件修复CVE漏洞
  REPORT-115463 springframework CVE-2024-22243 漏洞
persist/jsy
superman 8 months ago
parent
commit
6df4c4458e
  1. 12
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java
  2. 27
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java
  3. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
  4. 4
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java
  5. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java
  6. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java
  7. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java
  8. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java
  9. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java
  10. 2
      fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java
  11. 2
      fine-spring/src/main/java/com/fr/third/springframework/web/util/UriComponentsBuilder.java

12
fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java

@ -24,6 +24,7 @@ import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.Properties; import java.util.Properties;
import java.util.Set; import java.util.Set;
import java.util.regex.Pattern;
import com.fr.third.org.hibernate.HibernateException; import com.fr.third.org.hibernate.HibernateException;
import com.fr.third.org.hibernate.LockMode; import com.fr.third.org.hibernate.LockMode;
@ -140,6 +141,9 @@ public abstract class Dialect implements ConversionContext {
*/ */
public static final String CLOSED_QUOTE = "`\"]"; public static final String CLOSED_QUOTE = "`\"]";
private static final Pattern ESCAPE_CLOSING_COMMENT_PATTERN = Pattern.compile("\\*/");
private static final Pattern ESCAPE_OPENING_COMMENT_PATTERN = Pattern.compile("/\\*");
private final TypeNames typeNames = new TypeNames(); private final TypeNames typeNames = new TypeNames();
private final TypeNames hibernateTypeNames = new TypeNames(); private final TypeNames hibernateTypeNames = new TypeNames();
@ -2738,6 +2742,14 @@ public abstract class Dialect implements ConversionContext {
return StandardCallableStatementSupport.NO_REF_CURSOR_INSTANCE; return StandardCallableStatementSupport.NO_REF_CURSOR_INSTANCE;
} }
public static String escapeComment(String comment) {
if (StringHelper.isNotEmpty(comment)) {
final String escaped = ESCAPE_CLOSING_COMMENT_PATTERN.matcher(comment).replaceAll("*\\\\/");
return ESCAPE_OPENING_COMMENT_PATTERN.matcher(escaped).replaceAll("/\\\\*");
}
return comment;
}
/** /**
* By default interpret this based on DatabaseMetaData. * By default interpret this based on DatabaseMetaData.
* *
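Review bot: `escapeComment` in the third hunk has no Javadoc, and its replacement strings are regex-replacement syntax in which the Java literal `\\\\` yields a single backslash in the output, which is easy to misread as a no-op. I would add above the method `/** Escapes the block-comment delimiters inside {@code comment} so that a caller-supplied comment cannot terminate the enclosing SQL comment: a backslash is inserted between the two characters of each closing and opening delimiter; empty input is returned unchanged. */` (null also passes through if `StringHelper.isNotEmpty` is null-safe, which cannot be seen here). Only the two delimiter sequences are neutralised, so the method is a delimiter guard rather than a sanitiser of the comment text, and every site that embeds a comment into generated SQL must route through it; the eight sites in this merge do, but sites outside the diff cannot be checked from here. The first hunk adds no import for `StringHelper`, so it is presumably already in scope in Dialect.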

27
fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java

@ -58,18 +58,35 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
return ':' + parameterName; return ':' + parameterName;
} }
/**
* Inline String literal.
*
* @return escaped String
*/
private String inlineLiteral(String literal) {
return String.format("\'%s\'", escapeLiteral(literal));
}
/**
* Escape String literal.
*
* @return escaped String
*/
private String escapeLiteral(String literal) {
return literal.replace("'", "''");
}
@SuppressWarnings({"unchecked"}) @SuppressWarnings({"unchecked"})
public String renderProjection(RenderingContext renderingContext) { public String renderProjection(RenderingContext renderingContext) {
if (ValueHandlerFactory.isCharacter(literal)) {
// In case literal is a Character, pass literal.toString() as the argument.
return inlineLiteral(literal.toString());
}
// some drivers/servers do not like parameters in the select clause // some drivers/servers do not like parameters in the select clause
final ValueHandlerFactory.ValueHandler handler = final ValueHandlerFactory.ValueHandler handler =
ValueHandlerFactory.determineAppropriateHandler(literal.getClass()); ValueHandlerFactory.determineAppropriateHandler(literal.getClass());
if ( ValueHandlerFactory.isCharacter( literal ) ) {
return '\'' + handler.render( literal ) + '\'';
}
else {
return handler.render(literal); return handler.render(literal);
} }
}
@Override @Override
@SuppressWarnings({ "unchecked" }) @SuppressWarnings({ "unchecked" })
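Review bot: `escapeLiteral` doubles single quotes, which is correct for ANSI SQL string literals but not sufficient on dialects that also treat backslash as an escape inside literals, where a trailing backslash in the value can still defeat the closing quote; since the value is inlined into the select clause rather than bound, the escaping should either be dialect-aware or the limitation stated on the method, e.g. `* Doubles single quotes per ANSI SQL; dialects with backslash string escapes are not handled.`. Both new Javadocs have `@return` but no `@param`; add `@param literal the raw value, must not be {@code null}` because `replace` dereferences it. The branch comment in `renderProjection` talks about `Character`, but whether `ValueHandlerFactory.isCharacter` also matches `String` values is not visible here; if it does, say so in the comment, since String is the case the inlining and escaping exist for.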

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java

@ -187,7 +187,7 @@ public class SelectStatementBuilder {
StringBuilder buf = new StringBuilder( guesstimatedBufferSize ); StringBuilder buf = new StringBuilder( guesstimatedBufferSize );
if ( StringHelper.isNotEmpty( comment ) ) { if ( StringHelper.isNotEmpty( comment ) ) {
buf.append( "/* " ).append( comment ).append( " */ " ); buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
} }
buf.append( "select " ) buf.append( "select " )
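Review bot: The escape is applied by hand at the `append( comment )` site here and in the same form in Delete, Insert, InsertSelect, QuerySelect, Select, SimpleSelect and Update, while the guard in front of it differs (`StringHelper.isNotEmpty( comment )` here and in Select, `comment != null` in the rest), so a ninth comment site added later can easily miss the escape. A single helper on Dialect that returns the whole fragment, e.g. a `Dialect.renderComment(comment)` producing `"/* " + escaped + " */ "` or `""`, would make the wrapper and the escape inseparable and unify the null/empty handling; each call would become `buf.append( Dialect.renderComment( comment ) );`. Only the Delete.java hunk adds `import com.fr.third.org.hibernate.dialect.Dialect;`, so the other files presumably already import it, which is worth confirming rather than assuming. The enclosing methods in all eight files begin before their hunks.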

4
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java

@ -5,6 +5,8 @@
* See the lgpl.txt file in the root directory or <http://www.gnu.org/licenses/lgpl-2.1.html>. * See the lgpl.txt file in the root directory or <http://www.gnu.org/licenses/lgpl-2.1.html>.
*/ */
package com.fr.third.org.hibernate.sql; package com.fr.third.org.hibernate.sql;
import com.fr.third.org.hibernate.dialect.Dialect;
import java.util.Iterator; import java.util.Iterator;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
@ -36,7 +38,7 @@ public class Delete {
public String toStatementString() { public String toStatementString() {
StringBuilder buf = new StringBuilder( tableName.length() + 10 ); StringBuilder buf = new StringBuilder( tableName.length() + 10 );
if ( comment!=null ) { if ( comment!=null ) {
buf.append( "/* " ).append(comment).append( " */ " ); buf.append( "/* " ).append(Dialect.escapeComment(comment)).append( " */ " );
} }
buf.append( "delete from " ).append(tableName); buf.append( "delete from " ).append(tableName);
if ( where != null || !primaryKeyColumns.isEmpty() || versionColumnName != null ) { if ( where != null || !primaryKeyColumns.isEmpty() || versionColumnName != null ) {

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java

@ -90,7 +90,7 @@ public class Insert {
public String toStatementString() { public String toStatementString() {
StringBuilder buf = new StringBuilder( columns.size()*15 + tableName.length() + 10 ); StringBuilder buf = new StringBuilder( columns.size()*15 + tableName.length() + 10 );
if ( comment != null ) { if ( comment != null ) {
buf.append( "/* " ).append( comment ).append( " */ " ); buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
} }
buf.append("insert into ") buf.append("insert into ")
.append(tableName); .append(tableName);

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java

@ -65,7 +65,7 @@ public class InsertSelect {
StringBuilder buf = new StringBuilder( (columnNames.size() * 15) + tableName.length() + 10 ); StringBuilder buf = new StringBuilder( (columnNames.size() * 15) + tableName.length() + 10 );
if ( comment!=null ) { if ( comment!=null ) {
buf.append( "/* " ).append( comment ).append( " */ " ); buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
} }
buf.append( "insert into " ).append( tableName ); buf.append( "insert into " ).append( tableName );
if ( !columnNames.isEmpty() ) { if ( !columnNames.isEmpty() ) {

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java

@ -126,7 +126,7 @@ public class QuerySelect {
public String toQueryString() { public String toQueryString() {
StringBuilder buf = new StringBuilder( 50 ); StringBuilder buf = new StringBuilder( 50 );
if ( comment != null ) { if ( comment != null ) {
buf.append( "/* " ).append( comment ).append( " */ " ); buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
} }
buf.append( "select " ); buf.append( "select " );
if ( distinct ) { if ( distinct ) {

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java

@ -40,7 +40,7 @@ public class Select {
public String toStatementString() { public String toStatementString() {
StringBuilder buf = new StringBuilder(guesstimatedBufferSize); StringBuilder buf = new StringBuilder(guesstimatedBufferSize);
if ( StringHelper.isNotEmpty(comment) ) { if ( StringHelper.isNotEmpty(comment) ) {
buf.append("/* ").append(comment).append(" */ "); buf.append("/* ").append(Dialect.escapeComment(comment)).append(" */ ");
} }
buf.append("select ").append(selectClause) buf.append("select ").append(selectClause)

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java

@ -143,7 +143,7 @@ public class SimpleSelect {
); );
if ( comment != null ) { if ( comment != null ) {
buf.append( "/* " ).append( comment ).append( " */ " ); buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
} }
buf.append( "select " ); buf.append( "select " );

2
fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java

@ -166,7 +166,7 @@ public class Update {
public String toStatementString() { public String toStatementString() {
StringBuilder buf = new StringBuilder( (columns.size() * 15) + tableName.length() + 10 ); StringBuilder buf = new StringBuilder( (columns.size() * 15) + tableName.length() + 10 );
if ( comment!=null ) { if ( comment!=null ) {
buf.append( "/* " ).append( comment ).append( " */ " ); buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
} }
buf.append( "update " ).append( tableName ).append( " set " ); buf.append( "update " ).append( tableName ).append( " set " );
boolean assignmentsAppended = false; boolean assignmentsAppended = false;

2
fine-spring/src/main/java/com/fr/third/springframework/web/util/UriComponentsBuilder.java

@ -66,7 +66,7 @@ public class UriComponentsBuilder implements Cloneable {
private static final String HTTP_PATTERN = "(?i)(http|https):"; private static final String HTTP_PATTERN = "(?i)(http|https):";
private static final String USERINFO_PATTERN = "([^@\\[/?#]*)"; private static final String USERINFO_PATTERN = "([^@/?#]*)";
private static final String HOST_IPV4_PATTERN = "[^\\[/?#:]*"; private static final String HOST_IPV4_PATTERN = "[^\\[/?#:]*";
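Review bot: The two `USERINFO_PATTERN` values differ only in whether `[` is excluded from the userinfo character class, and the rendering does not show which side is new; assuming the right-hand `([^@/?#]*)` is the new value as in the other sections, userinfo now admits `[` while `HOST_IPV4_PATTERN` on the next line still rejects it, and nothing in the hunk explains that asymmetry or links it to the CVE named in the commit message. Add a comment above the constant such as `// CVE-2024-22243: userinfo/host split must stay aligned with upstream Spring; do not change without re-checking host validation` so a later sync of this vendored copy does not silently pick the other value. Because callers validate the host that `fromUriString` extracts, a regex change here should be pinned by a unit test that parses URLs containing `[` and `@` ahead of the host and asserts the extracted host. Whether this single-constant change matches the full upstream fix, which may have touched more than this line, cannot be determined from the hunk.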
