
Commit b7fe845

committed
1 parent 49d975a commit b7fe845


2 files changed

+29
-0
lines changed

2 files changed

+29
-0
lines changed

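--- a/querydsl-libraries/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
+++ b/querydsl-libraries/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
@@ -37,6 +37,9 @@ public interface PathBuilderValidator extends Serializable {
 new PathBuilderValidator() {
 @Override
 public Class<?> validate(Class<?> parent, String property, Class<?> propertyType) {
+if (property.contains(" ")) {
+throw new IllegalStateException("Unsafe due to CVE-2024-49203");
+}
 return propertyType;
 }
 };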
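Review bot: The new guard in `validate` is a denylist on a single character — it rejects a property name that contains a space and accepts everything else, so the protection is only as wide as that one token. Because `validate` already receives the raw `property` string, an allowlist is the more robust shape: reject any name that is not a plain Java identifier, e.g. `if (!property.chars().allMatch(Character::isJavaIdentifierPart)) {`, which still accepts names like `breed` while rejecting whitespace, quotes, parentheses and operators in one check; if dotted nested property names must remain accepted by this validator, allow `.` explicitly alongside identifier characters. The anonymous `PathBuilderValidator` starts inside the hunk but the constant it is assigned to is declared above it, so whether this is the validator `PathBuilder.get` uses by default cannot be confirmed from the hunk alone.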

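--- a/querydsl-libraries/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
+++ b/querydsl-libraries/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
@@ -14,8 +14,13 @@
 package com.querydsl.core.types.dsl;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.querydsl.core.BooleanBuilder;
+import com.querydsl.core.domain.Cat;
+import com.querydsl.core.types.Order;
+import com.querydsl.core.types.OrderSpecifier;
 import com.querydsl.core.util.BeanMap;
 import java.sql.Time;
 import java.util.Date;
@@ -128,4 +133,25 @@ public void calling_get_with_the_same_name_and_different_types_returns_correct_t
 assertThat(entity.get(pathName, Comparable.class).getType()).isEqualTo(String.class);
 assertThat(entity.get(pathName, Object.class).getType()).isEqualTo(String.class);
 }
+
+@Test
+public void order_HQL_injection() {
+var orderBy = "breed";
+var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+assertDoesNotThrow(() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+}
+
+@Test
+// CVE-2024-49203
+// https://github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg
+public void unsafe_order_HQL_injection() {
+var orderBy =
+"test.name INTERSECT SELECT t FROM Test t WHERE (SELECT cast(pg_sleep(10) AS text))='2' ORDER BY t.id";
+var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+var error =
+assertThrows(
+IllegalStateException.class,
+() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+assertThat(error).hasMessageContaining("CVE-2024-49203");
+}
 }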
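Review bot: The name `order_HQL_injection` reads as the attack case although the test asserts that a benign property name is accepted; a name such as `order_with_plain_property_name_is_accepted` says what is actually pinned and keeps it distinct from `unsafe_order_HQL_injection`. That test also only checks that no exception is thrown, so a future validator change that silently rewrites or drops the name would still pass; adding `assertThat(pathBuilder.get(orderBy).getMetadata().getName()).isEqualTo("breed");` pins the produced path as well. In both new tests `new PathBuilder<Cat>(Cat.class, "entity")` can use the diamond, `new PathBuilder<>(Cat.class, "entity")`, since the target type is already fixed by the `Cat.class` argument. The enclosing test class is declared outside the hunk.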
