
Commit 12e000a

Signed-off-by: Marvin Froeder <[email protected]>
1 parent 1c6ea5a commit 12e000a


2 files changed

+30
-0
lines changed


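--- a/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
+++ b/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
@@ -39,6 +39,9 @@ public interface PathBuilderValidator extends Serializable {
       new PathBuilderValidator() {
         @Override
         public Class<?> validate(Class<?> parent, String property, Class<?> propertyType) {
+          if (property.contains(" ")) {
+            throw new IllegalStateException("Unsafe due to CVE-2024-49203");
+          }
           return propertyType;
         }
       };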
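Review bot: The added guard in validate() is a single-character denylist — it rejects a property name only when it contains a space, so any other separator or non-identifier character in the name still reaches the generated query; an allowlist that accepts only Java-identifier characters closes that gap more reliably and is easier to reason about than a list of forbidden characters. The anonymous `new PathBuilderValidator()` literal is assigned to a field declared before the hunk starts, so which constant this is (and whether the interface's other validators receive the same check) is not visible here. A rewrite of the method body that walks the string with `Character.isJavaIdentifierStart`/`isJavaIdentifierPart` is below, keeping the exception type and message the new test asserts on; if nested or otherwise non-identifier property names are legitimate input to this validator, widen the allowlist deliberately rather than falling back to the space check.
```java
public Class<?> validate(Class<?> parent, String property, Class<?> propertyType) {
  // Allowlist: a property name must be a plain Java identifier; anything else is refused.
  for (int i = 0; i < property.length(); i++) {
    char c = property.charAt(i);
    boolean allowed = i == 0 ? Character.isJavaIdentifierStart(c) : Character.isJavaIdentifierPart(c);
    if (!allowed) {
      throw new IllegalStateException("Unsafe due to CVE-2024-49203");
    }
  }
  return propertyType;
}
```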

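--- a/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
+++ b/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
@@ -14,8 +14,13 @@
 package com.querydsl.core.types.dsl;
 
 import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.querydsl.core.BooleanBuilder;
+import com.querydsl.core.domain.Cat;
+import com.querydsl.core.types.Order;
+import com.querydsl.core.types.OrderSpecifier;
 import com.querydsl.core.util.BeanMap;
 import java.sql.Time;
 import java.util.Date;
@@ -129,4 +134,26 @@ public void calling_get_with_the_same_name_and_different_types_returns_correct_t
     assertEquals(String.class, entity.get(pathName, Comparable.class).getType());
     assertEquals(String.class, entity.get(pathName, Object.class).getType());
   }
+
+  @Test
+  public void order_HQL_injection() {
+    var orderBy = "breed";
+    var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+    assertDoesNotThrow(() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+  }
+
+  @Test
+  // CVE-2024-49203
+  // https://github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg
+  public void unsafe_order_HQL_injection() {
+    var orderBy =
+        "test.name INTERSECT SELECT t FROM Test t WHERE (SELECT cast(pg_sleep(10) AS text))='2'"
+            + " ORDER BY t.id";
+    var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+    var error =
+        assertThrows(
+            IllegalStateException.class,
+            () -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+    assertTrue(error.getMessage().contains("CVE-2024-49203"));
+  }
 }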
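Review bot: Both new tests construct `new OrderSpecifier(Order.ASC, ...)` as a raw type, which compiles only with an unchecked warning; `new OrderSpecifier<>(Order.ASC, pathBuilder.get(orderBy))` keeps the same assertions without it. The first hunk also makes the file mix JUnit 4's `org.junit.Assert.*` wildcard with Jupiter's `assertDoesNotThrow`/`assertThrows` statics (the `@Test` import is outside the hunk, so which framework drives the class is not visible here); using one assertion API for the new tests avoids two vocabularies in one file. Naming nit: `order_HQL_injection` exercises the accepted path, so a name like `order_with_plain_property_is_accepted` would read more clearly next to `unsafe_order_HQL_injection`.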
