Skip to content

Commit

Permalink
HHH-14077 : CVE-2019-14900 SQL injection issue using JPA Criteria API
Browse files Browse the repository at this point in the history
  • Loading branch information
gbadner committed Jun 18, 2020
1 parent c177104 commit 3f3c1ab
Showing 1 changed file with 5 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -110,17 +110,18 @@ private String normalRender(RenderingContext renderingContext, LiteralHandlingMo
}

private String renderProjection(RenderingContext renderingContext) {
if ( ValueHandlerFactory.isCharacter( literal ) ) {
// In case literal is a Character, pass literal.toString() as the argument.
return renderingContext.getDialect().inlineLiteral( literal.toString() );
}

// some drivers/servers do not like parameters in the select clause
final ValueHandlerFactory.ValueHandler handler =
ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );

if ( handler == null ) {
return normalRender( renderingContext, LiteralHandlingMode.BIND );
}

if ( ValueHandlerFactory.isCharacter( literal ) ) {
return renderingContext.getDialect().inlineLiteral( handler.render( literal ) );
}
else {
return handler.render( literal );
}
Expand Down

0 comments on commit 3f3c1ab

Please sign in to comment.