Fix for CVE-2024-49203 (#743)

Signed-off-by: Marvin Froeder <[email protected]>

Author: velo

querydsl-libraries/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java

@@ -19,6 +19,7 @@
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /** {@code PathBuilderValidator} validates {@link PathBuilder} properties at creation time */
 public interface PathBuilderValidator extends Serializable {
@@ -35,8 +36,14 @@ public interface PathBuilderValidator extends Serializable {
 
   PathBuilderValidator DEFAULT =
       new PathBuilderValidator() {
+
+        private Pattern SPACES = Pattern.compile("\\s");
+
         @Override
         public Class<?> validate(Class<?> parent, String property, Class<?> propertyType) {
+          if (SPACES.matcher(property).find()) {
+            throw new IllegalStateException("Unsafe due to CVE-2024-49203");
+          }
           return propertyType;
         }
       };

querydsl-libraries/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java

@@ -14,8 +14,13 @@
 package com.querydsl.core.types.dsl;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.querydsl.core.BooleanBuilder;
+import com.querydsl.core.domain.Cat;
+import com.querydsl.core.types.Order;
+import com.querydsl.core.types.OrderSpecifier;
 import com.querydsl.core.util.BeanMap;
 import java.sql.Time;
 import java.util.Date;
@@ -128,4 +133,25 @@ public void calling_get_with_the_same_name_and_different_types_returns_correct_t
     assertThat(entity.get(pathName, Comparable.class).getType()).isEqualTo(String.class);
     assertThat(entity.get(pathName, Object.class).getType()).isEqualTo(String.class);
   }
+
+  @Test
+  public void order_HQL_injection() {
+    var orderBy = "breed";
+    var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+    assertDoesNotThrow(() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+  }
+
+  @Test
+  // CVE-2024-49203
+  // https://github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg
+  public void unsafe_order_HQL_injection() {
+    var orderBy =
+        "test.name INTERSECT SELECT t FROM Test t WHERE (SELECT cast(pg_sleep(10) AS text))='2' ORDER BY t.id";
+    var pathBuilder = new PathBuilder<Cat>(Cat.class, "entity");
+    var error =
+        assertThrows(
+            IllegalStateException.class,
+            () -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy)));
+    assertThat(error).hasMessageContaining("CVE-2024-49203");
+  }
 }