From b9acc4e8c888a0d3adeece2e3766bce339c839f4 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Mon, 14 Dec 2020 09:17:39 +0800
Subject: [PATCH] fix CVE-2020-25638

---
 CVE-2020-25638.patch | 389 +++++++++++++++++++++++++++++++++++++++++++
 hibernate4.spec | 7 +-
 2 files changed, 395 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-25638.patch

diff --git a/CVE-2020-25638.patch b/CVE-2020-25638.patch
new file mode 100644
index 0000000..711ae7d
--- /dev/null
+++ b/CVE-2020-25638.patch
@@ -0,0 +1,389 @@
+From 59fede7acaaa1579b561407aefa582311f7ebe78 Mon Sep 17 00:00:00 2001
+From: Andrea Boriero
+Date: Tue, 29 Sep 2020 20:56:30 +0100
+Subject: [PATCH] HHH-14225 CVE-2020-25638 Potential for SQL injection on
+ use_sql_comments logging enabled
+
+---
+ .../java/org/hibernate/dialect/Dialect.java | 12 ++
+ .../internal/SelectStatementBuilder.java | 2 +-
+ .../main/java/org/hibernate/sql/Delete.java | 4 +-
+ .../main/java/org/hibernate/sql/Insert.java | 2 +-
+ .../java/org/hibernate/sql/InsertSelect.java | 2 +-
+ .../java/org/hibernate/sql/QuerySelect.java | 4 +-
+ .../main/java/org/hibernate/sql/Select.java | 2 +-
+ .../java/org/hibernate/sql/SimpleSelect.java | 2 +-
+ .../main/java/org/hibernate/sql/Update.java | 2 +-
+ .../hibernate/test/comments/TestEntity.java | 46 ++++++++
+ .../hibernate/test/comments/TestEntity2.java | 37 ++++++
+ .../test/comments/UseSqlCommentTest.java | 111 ++++++++++++++++++
+ 12 files changed, 218 insertions(+), 8 deletions(-)
+ create mode 100644 hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity.java
+ create mode 100644 hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity2.java
+ create mode 100644 hibernate-core/src/test/java/org/hibernate/test/comments/UseSqlCommentTest.java
+
+diff --git a/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java b/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java
+index 77fced7..1d42347 100644
+--- a/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java
++++ b/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java
+@@ -94,6 +94,7 @@ import java.util.Locale;
+ import java.util.Map;
+ import java.util.Properties;
+ import java.util.Set;
++import java.util.regex.Pattern;
+ 
+ /**
+ * Represents a dialect of SQL implemented by a particular RDBMS. Subclasses implement Hibernate compatibility
+@@ -129,6 +130,9 @@ public abstract class Dialect implements ConversionContext {
+ */
+ public static final String CLOSED_QUOTE = "`\"]";
+ 
++ private static final Pattern ESCAPE_CLOSING_COMMENT_PATTERN = Pattern.compile( "\\*/" );
++ private static final Pattern ESCAPE_OPENING_COMMENT_PATTERN = Pattern.compile( "/\\*" );
++
+ private final TypeNames typeNames = new TypeNames();
+ private final TypeNames hibernateTypeNames = new TypeNames();
+ 
+@@ -2723,4 +2727,12 @@ public abstract class Dialect implements ConversionContext {
+ return StandardCallableStatementSupport.NO_REF_CURSOR_INSTANCE;
+ }
+ 
++ public static String escapeComment(String comment) {
++ if ( StringHelper.isNotEmpty( comment ) ) {
++ final String escaped = ESCAPE_CLOSING_COMMENT_PATTERN.matcher( comment ).replaceAll( "*\\\\/" );
++ return ESCAPE_OPENING_COMMENT_PATTERN.matcher( escaped ).replaceAll( "/\\\\*" );
++ }
++ return comment;
++ }
++
+ }
+diff --git a/hibernate-core/src/main/java/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java b/hibernate-core/src/main/java/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
+index cbddf7c..b0c02bf 100644
+--- a/hibernate-core/src/main/java/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
++++ b/hibernate-core/src/main/java/org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java
+@@ -204,7 +204,7 @@ public class SelectStatementBuilder {
+ final StringBuilder buf = new StringBuilder( guesstimatedBufferSize );
+ 
+ if ( StringHelper.isNotEmpty( comment ) ) {
+- buf.append( "/* " ).append( comment ).append( " */ " );
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ 
+ buf.append( "select " )
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/Delete.java b/hibernate-core/src/main/java/org/hibernate/sql/Delete.java
+index faec336..f03ce52 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/Delete.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/Delete.java
+@@ -27,6 +27,8 @@ import java.util.Iterator;
+ import java.util.LinkedHashMap;
+ import java.util.Map;
+ 
++import org.hibernate.dialect.Dialect;
++
+ /**
+ * An SQL DELETE statement
+ *
+@@ -54,7 +56,7 @@ public class Delete {
+ public String toStatementString() {
+ StringBuilder buf = new StringBuilder( tableName.length() + 10 );
+ if ( comment!=null ) {
+- buf.append( "/* " ).append(comment).append( " */ " );
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ buf.append( "delete from " ).append(tableName);
+ if ( where != null || !primaryKeyColumns.isEmpty() || versionColumnName != null ) {
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/Insert.java b/hibernate-core/src/main/java/org/hibernate/sql/Insert.java
+index 90788e2..aef545f 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/Insert.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/Insert.java
+@@ -108,7 +108,7 @@ public class Insert {
+ public String toStatementString() {
+ StringBuilder buf = new StringBuilder( columns.size()*15 + tableName.length() + 10 );
+ if ( comment != null ) {
+- buf.append( "/* " ).append( comment ).append( " */ " );
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ buf.append("insert into ")
+ .append(tableName);
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java b/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java
+index 37bda69..992595b 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java
+@@ -80,7 +80,7 @@ public class InsertSelect {
+ 
+ StringBuilder buf = new StringBuilder( (columnNames.size() * 15) + tableName.length() + 10 );
+ if ( comment!=null ) {
+- buf.append( "/* " ).append( comment ).append( " */ " );
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ buf.append( "insert into " ).append( tableName );
+ if ( !columnNames.isEmpty() ) {
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java b/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java
+index 9e25025..8237329 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java
+@@ -134,7 +134,9 @@ public class QuerySelect {
+ 
+ public String toQueryString() {
+ StringBuilder buf = new StringBuilder(50);
+- if (comment!=null) buf.append("/* ").append(comment).append(" */ ");
++ if (comment!=null) {
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
++ }
+ buf.append("select ");
+ if (distinct) buf.append("distinct ");
+ String from = joins.toFromFragmentString();
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/Select.java b/hibernate-core/src/main/java/org/hibernate/sql/Select.java
+index 2b67c9b..88868ab 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/Select.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/Select.java
+@@ -58,7 +58,7 @@ public class Select {
+ public String toStatementString() {
+ StringBuilder buf = new StringBuilder(guesstimatedBufferSize);
+ if ( StringHelper.isNotEmpty(comment) ) {
+- buf.append("/* ").append(comment).append(" */ ");
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ 
+ buf.append("select ").append(selectClause)
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java b/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java
+index d8d49aa..ab5dafa 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java
+@@ -155,7 +155,7 @@ public class SimpleSelect {
+ );
+ 
+ if ( comment!=null ) {
+- buf.append("/* ").append(comment).append(" */ ");
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ 
+ buf.append("select ");
+diff --git a/hibernate-core/src/main/java/org/hibernate/sql/Update.java b/hibernate-core/src/main/java/org/hibernate/sql/Update.java
+index d49eb5e..8d6d159 100644
+--- a/hibernate-core/src/main/java/org/hibernate/sql/Update.java
++++ b/hibernate-core/src/main/java/org/hibernate/sql/Update.java
+@@ -180,7 +180,7 @@ public class Update {
+ public String toStatementString() {
+ StringBuilder buf = new StringBuilder( (columns.size() * 15) + tableName.length() + 10 );
+ if ( comment!=null ) {
+- buf.append( "/* " ).append( comment ).append( " */ " );
++ buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
+ }
+ buf.append( "update " ).append( tableName ).append( " set " );
+ boolean assignmentsAppended = false;
+diff --git a/hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity.java b/hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity.java
+new file mode 100644
+index 0000000..7c425be
+--- /dev/null
++++ b/hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity.java
+@@ -0,0 +1,46 @@
++/*
++ * Hibernate, Relational Persistence for Idiomatic Java
++ *
++ * License: GNU Lesser General Public License (LGPL), version 2.1 or later.
++ * See the lgpl.txt file in the root directory or .
++ */
++package org.hibernate.test.comments;
++
++import javax.persistence.Entity;
++import javax.persistence.Id;
++
++/**
++ * @author Andrea Boriero
++ */
++@Entity
++public class TestEntity {
++ @Id
++ private String id;
++
++ private String value;
++
++ public TestEntity() {
++
++ }
++
++ public TestEntity(String id, String value) {
++ this.id = id;
++ this.value = value;
++ }
++
++ public String getId() {
++ return id;
++ }
++
++ public void setId(String id) {
++ this.id = id;
++ }
++
++ public String getValue() {
++ return value;
++ }
++
++ public void setValue(String value) {
++ this.value = value;
++ }
++}
+diff --git a/hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity2.java b/hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity2.java
+new file mode 100644
+index 0000000..58b626d
+--- /dev/null
++++ b/hibernate-core/src/test/java/org/hibernate/test/comments/TestEntity2.java
+@@ -0,0 +1,37 @@
++/*
++ * Hibernate, Relational Persistence for Idiomatic Java
++ *
++ * License: GNU Lesser General Public License (LGPL), version 2.1 or later.
++ * See the lgpl.txt file in the root directory or .
++ */
++package org.hibernate.test.comments;
++
++import javax.persistence.Entity;
++import javax.persistence.Id;
++
++/**
++ * @author Andrea Boriero
++ */
++@Entity
++public class TestEntity2 {
++ @Id
++ private String id;
++
++ private String value;
++
++ public String getId() {
++ return id;
++ }
++
++ public void setId(String id) {
++ this.id = id;
++ }
++
++ public String getValue() {
++ return value;
++ }
++
++ public void setValue(String value) {
++ this.value = value;
++ }
++}
+diff --git a/hibernate-core/src/test/java/org/hibernate/test/comments/UseSqlCommentTest.java b/hibernate-core/src/test/java/org/hibernate/test/comments/UseSqlCommentTest.java
+new file mode 100644
+index 0000000..2bd6adf
+--- /dev/null
++++ b/hibernate-core/src/test/java/org/hibernate/test/comments/UseSqlCommentTest.java
+@@ -0,0 +1,111 @@
++/*
++ * Hibernate, Relational Persistence for Idiomatic Java
++ *
++ * License: GNU Lesser General Public License (LGPL), version 2.1 or later.
++ * See the lgpl.txt file in the root directory or .
++ */
++package org.hibernate.test.comments;
++
++import java.util.List;
++import java.util.Map;
++import javax.persistence.EntityManager;
++import javax.persistence.TypedQuery;
++import javax.persistence.criteria.CompoundSelection;
++import javax.persistence.criteria.CriteriaBuilder;
++import javax.persistence.criteria.CriteriaQuery;
++import javax.persistence.criteria.Path;
++import javax.persistence.criteria.Root;
++
++import org.hibernate.cfg.AvailableSettings;
++import org.hibernate.jpa.test.BaseEntityManagerFunctionalTestCase;
++
++import org.junit.Before;
++import org.junit.Test;
++
++import static org.hamcrest.CoreMatchers.is;
++import static org.hibernate.testing.transaction.TransactionUtil.doInJPA;
++import static org.junit.Assert.assertThat;
++
++/**
++ * @author Andrea Boriero
++ */
++public class UseSqlCommentTest extends BaseEntityManagerFunctionalTestCase {
++
++ @Override
++ protected Class[] getAnnotatedClasses() {
++ return new Class[] { TestEntity.class, TestEntity2.class };
++ }
++
++ @Override
++ protected void addMappings(Map settings) {
++ settings.put( AvailableSettings.USE_SQL_COMMENTS, "true" );
++ settings.put( AvailableSettings.FORMAT_SQL, "false" );
++ }
++
++ @Before
++ public void setUp() {
++ doInJPA( this::entityManagerFactory, entityManager -> {
++ TestEntity testEntity = new TestEntity();
++ testEntity.setId( "test1" );
++ testEntity.setValue( "value1" );
++ entityManager.persist( testEntity );
++
++ TestEntity2 testEntity2 = new TestEntity2();
++ testEntity2.setId( "test2" );
++ testEntity2.setValue( "value2" );
++ entityManager.persist( testEntity2 );
++ } );
++ }
++
++ @Test
++ public void testIt() {
++ String appendLiteral = "*/select id as col_0_0_,value as col_1_0_ from testEntity2 where 1=1 or id=?--/*";
++ doInJPA( this::entityManagerFactory, entityManager -> {
++
++ List result = findUsingQuery( "test1", appendLiteral, entityManager );
++
++ TestEntity test1 = result.get( 0 );
++ assertThat( test1.getValue(), is( appendLiteral ) );
++ } );
++
++ doInJPA( this::entityManagerFactory, entityManager -> {
++
++ List result = findUsingCriteria( "test1", appendLiteral, entityManager );
++
++ TestEntity test1 = result.get( 0 );
++ assertThat( test1.getValue(), is( appendLiteral ) );
++ } );
++ }
++
++ public List findUsingCriteria(String id, String appendLiteral, EntityManager entityManager) {
++ CriteriaBuilder builder = entityManager.getCriteriaBuilder();
++ CriteriaQuery criteria = builder.createQuery( TestEntity.class );
++ Root root = criteria.from( TestEntity.class );
++
++ Path idPath = root.get( "id" );
++ CompoundSelection selection = builder.construct(
++ TestEntity.class,
++ idPath,
++ builder.literal( appendLiteral )
++ );
++ criteria.select( selection );
++
++ criteria.where( builder.equal( idPath, builder.parameter( String.class, "where_id" ) ) );
++
++ TypedQuery query = entityManager.createQuery( criteria );
++ query.setParameter( "where_id", id );
++ return query.getResultList();
++ }
++
++ public List findUsingQuery(String id, String appendLiteral, EntityManager entityManager) {
++ TypedQuery query =
++ entityManager.createQuery(
++ "select new org.hibernate.test.comments.TestEntity(id, '"
++ + appendLiteral.replace( "'", "''" )
++ + "') from TestEntity where id=:where_id",
++ TestEntity.class
++ );
++ query.setParameter( "where_id", id );
++ return query.getResultList();
++ }
++}
+-- 
+2.23.0
+
diff --git a/hibernate4.spec b/hibernate4.spec
index 12e4326..d8edd2c 100644
--- a/hibernate4.spec
+++ b/hibernate4.spec
@@ -3,7 +3,7 @@
 %global pom_url http://repo1.maven.org/maven2/org/hibernate
 Name: hibernate4
 Version: 4.3.11
-Release: 1
+Release: 2
 Summary: Relational persistence and query service
 License: LGPLv2+ and ASL 2.0
 URL: http://www.hibernate.org/
@@ -22,6 +22,7 @@ Source50: hibernate-parent-%{namedversion}.pom
 Source60: http://www.apache.org/licenses/LICENSE-2.0.txt
 Patch0: hibernate-4.3.11.Final-hibernate-commons-annotations5.patch
 Patch1: hibernate-4.3.11.Final-infinispan8.patch
+Patch2: CVE-2020-25638.patch
 BuildRequires: maven-local mvn(antlr:antlr) mvn(com.experlog:xapool)
 BuildRequires: mvn(com.fasterxml:classmate) mvn(com.mchange:c3p0) mvn(com.zaxxer:HikariCP)
 BuildRequires: mvn(dom4j:dom4j) mvn(java_cup:java_cup) mvn(javax.enterprise:cdi-api)
@@ -126,6 +127,7 @@ find . -name "*.class" -delete
 rm -r documentation/*
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 cp -p %{SOURCE1} hibernate-c3p0/pom.xml
 cp -p %{SOURCE2} hibernate-core/pom.xml
 cp -p %{SOURCE3} hibernate-ehcache/pom.xml
@@ -372,5 +374,8 @@ sed -i.jandex1.2.2 "s|classDotName, superName, access_flag, interfaces, map|clas
 %license lgpl.txt LICENSE-2.0.txt
 
 %changelog
+* Wed Oct 28 2020 wangxiao65 - 4.3.11-2
+- fix CVE-2020-25638
+
 * Wed Oct 28 2020 shaoqiang kang - 4.3.11-1
 - Package init
-- Gitee
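Review bot: `Dialect.escapeComment` from the Dialect.java hunk is only wired into the sql builders (SelectStatementBuilder, Delete, Insert, InsertSelect, QuerySelect, Select, SimpleSelect, Update); in the 4.3.11 tree this spec patches, the comment that `Query.setComment` attaches to HQL/JPQL statements is prepended by `Loader.prependComment`, which no hunk here touches, so if that method is still present in 4.3 a literal such as the one in `UseSqlCommentTest.testIt` would presumably still terminate the comment on that path — verify before relying on this build as the CVE-2020-25638 fix. The backported file is the upstream commit taken verbatim, and `UseSqlCommentTest` depends on `TransactionUtil.doInJPA` and an `addMappings` hook that may not exist in the 4.3.11 test harness; confirm the test module still compiles or drop the three test files from the patch. The Dialect.java hunk adds only `java.util.regex.Pattern`, so also check that `StringHelper` is already imported in 4.3.11's Dialect.java. Finally, `escapeComment` would benefit from a Javadoc stating its contract, e.g. `/** Neutralises the comment delimiters inside a SQL comment body so it cannot close the enclosing comment early; null or empty input is returned unchanged. */`.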