Merge remote-tracking branch 'origin/master' into querydsl-7.0

Author: velo

.github/workflows/dependency-submission.yml

@@ -24,6 +24,6 @@ jobs:
         java-version: '21'
 
     - name: Submit Dependency Snapshot
-      uses: advanced-security/maven-dependency-submission-action@v3
+      uses: advanced-security/maven-dependency-submission-action@v4.1.1
       with:
         maven-args: -Dtoolchain.skip=true

pom.xml

@@ -117,7 +117,7 @@
     <h2.version>2.3.232</h2.version>
     <postgresql.version>42.7.4</postgresql.version>
     <oracle.version>23.6.0.24.10</oracle.version>
-    <mysql.version>8.0.30</mysql.version>
+    <mysql.version>9.1.0</mysql.version>
     <mssql.version>12.9.0.jre8-preview</mssql.version>
     <cubrid.version>9.3.9.0002</cubrid.version>
     <sqlite.version>3.47.1.0</sqlite.version>

querydsl-libraries/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java

@@ -19,6 +19,7 @@
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /** {@code PathBuilderValidator} validates {@link PathBuilder} properties at creation time */
 public interface PathBuilderValidator extends Serializable {
@@ -35,8 +36,14 @@ public interface PathBuilderValidator extends Serializable {
 
   PathBuilderValidator DEFAULT =
       new PathBuilderValidator() {
+
+        private Pattern SPACES = Pattern.compile("\\s");
+
         @Override
         public Class<?> validate(Class<?> parent, String property, Class<?> propertyType) {
+          if (SPACES.matcher(property).find()) {
+            throw new IllegalStateException("Unsafe due to CVE-2024-49203");
+          }
           return propertyType;
         }
       };

querydsl-libraries/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java

@@ -14,8 +14,13 @@
 package com.querydsl.core.types.dsl;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.querydsl.core.BooleanBuilder;
+import com.querydsl.core.domain.Cat;
+import com.querydsl.core.types.Order;
+import com.querydsl.core.types.OrderSpecifier;
 import com.querydsl.core.util.BeanMap;
 import java.sql.Time;
 import java.util.Date;
@@ -128,4 +133,25 @@ public void calling_get_with_the_same_name_and_different_types_returns_correct_t
     assertThat(entity.get(pathName, Comparable.class).getType()).isEqualTo(String.class);
     assertThat(entity.get(pathName, Object.class).getType()).isEqualTo(String.class);
   }
+
+  @Test
+  public void order_HQL_injection() {
+    var orderBy = "breed";
+    var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+    assertDoesNotThrow(() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+  }
+
+  @Test
+  // CVE-2024-49203
+  // https://github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg
+  public void unsafe_order_HQL_injection() {
+    var orderBy =
+        "test.name INTERSECT SELECT t FROM Test t WHERE (SELECT cast(pg_sleep(10) AS text))='2' ORDER BY t.id";
+    var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+    var error =
+        assertThrows(
+            IllegalStateException.class,
+            () -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+    assertThat(error).hasMessageContaining("CVE-2024-49203");
+  }
 }

querydsl-libraries/querydsl-jpa/pom.xml

@@ -140,8 +140,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>mysql</groupId>
-      <artifactId>mysql-connector-java</artifactId>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
       <version>${mysql.version}</version>
       <scope>test</scope>
     </dependency>
@@ -314,7 +314,7 @@
         <version>${project.version}</version>
         <configuration>
           <jdbcDriver>org.apache.derby.jdbc.EmbeddedDriver</jdbcDriver>
-          <jdbcUrl>jdbc:derby:target/derbydb;create=true</jdbcUrl>
+          <jdbcUrl>jdbc:derby:${project.build.directory}/derbydb;create=true</jdbcUrl>
           <packageName>com.querydsl.jpa.domain.sql</packageName>
           <targetFolder>src/test/java</targetFolder>
           <sourceFolder>src/test/java</sourceFolder>

querydsl-libraries/querydsl-sql-json/pom.xml

@@ -83,8 +83,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>mysql</groupId>
-      <artifactId>mysql-connector-java</artifactId>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
       <version>${mysql.version}</version>
       <scope>test</scope>
     </dependency>

querydsl-libraries/querydsl-sql-spatial/pom.xml

@@ -70,8 +70,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>mysql</groupId>
-      <artifactId>mysql-connector-java</artifactId>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
       <version>${mysql.version}</version>
       <scope>test</scope>
     </dependency>

querydsl-libraries/querydsl-sql/pom.xml

@@ -67,8 +67,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>mysql</groupId>
-      <artifactId>mysql-connector-java</artifactId>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
       <version>${mysql.version}</version>
       <scope>test</scope>
     </dependency>

querydsl-libraries/querydsl-sql/src/main/resources/keywords/mysql

@@ -131,6 +131,7 @@ LONGBLOB
 LONGTEXT
 LOOP
 LOW_PRIORITY
+MANUAL
 MASTER_BIND
 MASTER_SSL_VERIFY_SERVER_CERT
 MATCH
@@ -160,12 +161,14 @@ ORDER
 OUT
 OUTER
 OUTFILE
+PARALLEL
 PERSIST
 PERSIST_ONLY
 PRECISION
 PRIMARY
 PROCEDURE
 PURGE
+QUALIFY
 RANGE
 READ
 READ_WRITE

querydsl-tooling/querydsl-sql-codegen/pom.xml

@@ -69,8 +69,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>mysql</groupId>
-      <artifactId>mysql-connector-java</artifactId>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
       <version>${mysql.version}</version>
       <scope>test</scope>
     </dependency>