diff --git a/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java b/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
index abc12362cd..1431cba848 100644
--- a/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
+++ b/querydsl-core/src/main/java/com/querydsl/core/types/dsl/PathBuilderValidator.java
@@ -39,6 +39,9 @@ public interface PathBuilderValidator extends Serializable {
 new PathBuilderValidator() {
 @Override
 public Class validate(Class parent, String property, Class propertyType) {
+ if (property.contains(" ")) {
+ throw new IllegalStateException("Unsafe due to CVE-2024-49203");
+ }
 return propertyType;
 }
 };
diff --git a/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java b/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
index 9158b45a6e..09ea3dfceb 100644
--- a/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
+++ b/querydsl-core/src/test/java/com/querydsl/core/types/dsl/PathBuilderTest.java
@@ -14,8 +14,13 @@ package com.querydsl.core.types.dsl;
 import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import com.querydsl.core.BooleanBuilder;
+import com.querydsl.core.domain.Cat;
+import com.querydsl.core.types.Order;
+import com.querydsl.core.types.OrderSpecifier;
 import com.querydsl.core.util.BeanMap;
 import java.sql.Time;
 import java.util.Date;
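Review bot: The guard added to `validate` in the DEFAULT validator is a blocklist of one character: a property name made of any other characters that are not legal in a Java identifier passes through unchanged, and a null `property` now fails with NullPointerException before the check runs. Because the point of the check is to stop `PathBuilder.get(String)` from accepting arbitrary query text, an allowlist is the safer shape, e.g. `if (property == null || property.isEmpty() || !property.codePoints().allMatch(Character::isJavaIdentifierPart)) {` with the existing `throw` kept; if nested property strings such as `owner.name` must stay accepted, the check would also need to allow `.` between identifier segments, which this hunk does not show. `IllegalArgumentException` would describe a rejected argument more accurately than `IllegalStateException`, though the accompanying test pins the latter, and a message such as `"Property name contains characters that are not valid in an identifier (CVE-2024-49203)"` tells the caller what was rejected without echoing the offending value into logs. The enclosing anonymous class and the interface both start outside the hunk.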
@@ -129,4 +134,26 @@ public void calling_get_with_the_same_name_and_different_types_returns_correct_t assertEquals(String.class, entity.get(pathName, Comparable.class).getType()); assertEquals(String.class, entity.get(pathName, Object.class).getType()); } + + @Test + public void order_HQL_injection() { + var orderBy = "breed"; + var pathBuilder = new PathBuilder(Cat.class, "entity"); + assertDoesNotThrow(() -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy))); + } + + @Test + // CVE-2024-49203 + // https://github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg + public void unsafe_order_HQL_injection() { + var orderBy = + "test.name INTERSECT SELECT t FROM Test t WHERE (SELECT cast(pg_sleep(10) AS text))='2'" + + " ORDER BY t.id"; + var pathBuilder = new PathBuilder(Cat.class, "entity"); + var error = + assertThrows( + IllegalStateException.class, + () -> new OrderSpecifier(Order.ASC, pathBuilder.get(orderBy))); + assertTrue(error.getMessage().contains("CVE-2024-49203")); + } }
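Review bot: `new PathBuilder(Cat.class, "entity")` in both new tests uses the raw type; `new PathBuilder<>(Cat.class, "entity")` keeps the tests free of unchecked warnings, and `PathBuilder<Cat>` as the declared type would make the intent explicit where `var` hides it. The two names read the other way round from what they test: `order_HQL_injection` exercises the benign property `breed`, so something like `order_with_plain_property_does_not_throw` would describe it, and the `// CVE-2024-49203` comment with the advisory link belongs above `@Test` so the annotation sits directly on the method. The file now mixes `org.junit.Assert.*` with Jupiter's `assertDoesNotThrow`/`assertThrows`; if the project's JUnit 4 is 4.13 or later, `Assert.assertThrows` already covers the second and a plain call without try/catch verifies the first, so the Jupiter imports may not be needed — worth confirming against the build. The enclosing test class starts outside the hunk.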