REPORT-113277 Hibernate组件修复CVE漏洞

9 months ago · 73e22ef7fc
10 changed files with 47 additions and 16 deletions
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/dialect/Dialect.java
@ -24,6 +24,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;

 import com.fr.third.org.hibernate.HibernateException;
 import com.fr.third.org.hibernate.LockMode;
@ -140,6 +141,9 @@ public abstract class Dialect implements ConversionContext {
 	 */
 	public static final String CLOSED_QUOTE = "`\"]";

+	private static final Pattern ESCAPE_CLOSING_COMMENT_PATTERN = Pattern.compile("\\*/");
+	private static final Pattern ESCAPE_OPENING_COMMENT_PATTERN = Pattern.compile("/\\*");
+
 	private final TypeNames typeNames = new TypeNames();
 	private final TypeNames hibernateTypeNames = new TypeNames();

@ -2738,6 +2742,14 @@ public abstract class Dialect implements ConversionContext {
 		return StandardCallableStatementSupport.NO_REF_CURSOR_INSTANCE;
 	}

+	public static String escapeComment(String comment) {
+		if (StringHelper.isNotEmpty(comment)) {
+			final String escaped = ESCAPE_CLOSING_COMMENT_PATTERN.matcher(comment).replaceAll("*\\\\/");
+			return ESCAPE_OPENING_COMMENT_PATTERN.matcher(escaped).replaceAll("/\\\\*");
+		}
+		return comment;
+	}
+
 	/**
 	 * By default interpret this based on DatabaseMetaData.
 	 *
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/jpa/criteria/expression/LiteralExpression.java
@ -58,17 +58,34 @@ public class LiteralExpression<T> extends ExpressionImpl<T> implements Serializa
 		return ':' + parameterName;
 	}

-	@SuppressWarnings({ "unchecked" })
+	/**
+	 * Inline String literal.
+	 *
+	 * @return escaped String
+	 */
+	private String inlineLiteral(String literal) {
+		return String.format("\'%s\'", escapeLiteral(literal));
+	}
+
+	/**
+	 * Escape String literal.
+	 *
+	 * @return escaped String
+	 */
+	private String escapeLiteral(String literal) {
+		return literal.replace("'", "''");
+	}
+
+	@SuppressWarnings({"unchecked"})
 	public String renderProjection(RenderingContext renderingContext) {
+		if (ValueHandlerFactory.isCharacter(literal)) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+			return inlineLiteral(literal.toString());
+		}
 		// some drivers/servers do not like parameters in the select clause
 		final ValueHandlerFactory.ValueHandler handler =
-				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
-			return '\'' + handler.render( literal ) + '\'';
-		}
-		else {
-			return handler.render( literal );
-		}
+				ValueHandlerFactory.determineAppropriateHandler(literal.getClass());
+		return handler.render(literal);
 	}

 	@Override
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
@ -187,7 +187,7 @@ public class SelectStatementBuilder {
 		StringBuilder buf = new StringBuilder( guesstimatedBufferSize );

 		if ( StringHelper.isNotEmpty( comment ) ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 		}

 		buf.append( "select " )
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Delete.java
@ -5,6 +5,8 @@
 * See the lgpl.txt file in the root directory or <http://www.gnu.org/licenses/lgpl-2.1.html>.
 */
 package com.fr.third.org.hibernate.sql;
+import com.fr.third.org.hibernate.dialect.Dialect;
+
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.Map;
@ -36,7 +38,7 @@ public class Delete {
 	public String toStatementString() {
 		StringBuilder buf = new StringBuilder( tableName.length() + 10 );
 		if ( comment!=null ) {
-			buf.append( "/* " ).append(comment).append( " */ " );
+			buf.append( "/* " ).append(Dialect.escapeComment(comment)).append( " */ " );
 		}
 		buf.append( "delete from " ).append(tableName);
 		if ( where != null || !primaryKeyColumns.isEmpty() || versionColumnName != null ) {
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Insert.java
@ -90,7 +90,7 @@ public class Insert {
 	public String toStatementString() {
 		StringBuilder buf = new StringBuilder( columns.size()*15 + tableName.length() + 10 );
 		if ( comment != null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 		}
 		buf.append("insert into ")
 			.append(tableName);
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/InsertSelect.java
@ -65,7 +65,7 @@ public class InsertSelect {

 		StringBuilder buf = new StringBuilder( (columnNames.size() * 15) + tableName.length() + 10 );
 		if ( comment!=null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 		}
 		buf.append( "insert into " ).append( tableName );
 		if ( !columnNames.isEmpty() ) {
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/QuerySelect.java
@ -126,7 +126,7 @@ public class QuerySelect {
 	public String toQueryString() {
 		StringBuilder buf = new StringBuilder( 50 );
 		if ( comment != null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 		}
 		buf.append( "select " );
 		if ( distinct ) {
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Select.java
@ -40,7 +40,7 @@ public class Select {
 	public String toStatementString() {
 		StringBuilder buf = new StringBuilder(guesstimatedBufferSize);
 		if ( StringHelper.isNotEmpty(comment) ) {
-			buf.append("/* ").append(comment).append(" */ ");
+			buf.append("/* ").append(Dialect.escapeComment(comment)).append(" */ ");
 		}
 		
 		buf.append("select ").append(selectClause)
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/SimpleSelect.java
@ -143,7 +143,7 @@ public class SimpleSelect {
 		);

 		if ( comment != null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 		}

 		buf.append( "select " );
--- a/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java
+++ b/fine-hibernate/src/main/java/com/fr/third/org/hibernate/sql/Update.java
@ -166,7 +166,7 @@ public class Update {
 	public String toStatementString() {
 		StringBuilder buf = new StringBuilder( (columns.size() * 15) + tableName.length() + 10 );
 		if ( comment!=null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment(comment) ).append( " */ " );
 		}
 		buf.append( "update " ).append( tableName ).append( " set " );
 		boolean assignmentsAppended = false;