File fix-SQL-Injection-CVE-2022-31197.patch of Package postgresql-jdbc.27335
From 739e599d52ad80f8dcd6efedc6157859b1a9d637 Mon Sep 17 00:00:00 2001 From: Sehrope Sarkuni <sehrope@jackdb.com> Date: Mon, 1 Aug 2022 12:46:26 -0400 Subject: [PATCH] Merge pull request from GHSA-r38f-c4h4-hqq2 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection. Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. Also adds a new test class ResultSetRefreshTest to verify this change. --- .../java/org/postgresql/jdbc/PgResultSet.java | 5 +- .../postgresql/test/jdbc2/Jdbc2TestSuite.java | 1 + .../test/jdbc2/ResultSetRefreshTest.java | 54 +++++++++++++++++++ 3 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java Index: postgresql-jdbc-9.4-1201.src/org/postgresql/jdbc2/AbstractJdbc2ResultSet.java =================================================================== --- postgresql-jdbc-9.4-1201.src.orig/org/postgresql/jdbc2/AbstractJdbc2ResultSet.java +++ postgresql-jdbc-9.4-1201.src/org/postgresql/jdbc2/AbstractJdbc2ResultSet.java @@ -1277,7 +1277,7 @@ public abstract class AbstractJdbc2Resul if (i > 1) { selectSQL.append(", "); } - selectSQL.append( pgmd.getBaseColumnName(i) ); + Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i)); } selectSQL.append(" from " ).append(onlyTable).append(tableName).append(" where "); @@ -1287,7 +1287,8 @@ public abstract class AbstractJdbc2Resul { PrimaryKey primaryKey = ((PrimaryKey) primaryKeys.get(i)); - selectSQL.append(primaryKey.name).append("= ?"); + Utils.escapeIdentifier(selectSQL, primaryKey.name); + selectSQL.append(" = ?"); if ( i < numKeys - 1 ) {
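Review bot: In the first hunk (@@ -1277), the unchanged context line `selectSQL.append(" from " ).append(onlyTable).append(tableName).append(" where ");` still concatenates tableName into the statement unescaped, while the column names just above it now go through Utils.escapeIdentifier. Please confirm that tableName is already quoted or validated where it is assigned, or escape it here too, so that every identifier in the generated refresh query is handled the same way.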
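Review bot: In the second hunk (@@ -1287), primaryKey.name is now emitted through Utils.escapeIdentifier, and nothing in this backport tests that path: the diffstat in the commit message lists ResultSetRefreshTest.java and a Jdbc2TestSuite.java change, but the only file in the diff is AbstractJdbc2ResultSet.java. Suggest porting the test to this 9.4-1201 tree so the refresh query is covered for key and data column names that need quoting, and checking that primaryKey.name and pgmd.getBaseColumnName(i) return the column name in the form it should be quoted in, since the escaped form is used as written.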