SUSE:SLE-15-SP7:GA
postgresql-jdbc.32826
fix-SQL-Injection-CVE-2022-31197.patch
File fix-SQL-Injection-CVE-2022-31197.patch of Package postgresql-jdbc.32826
From 739e599d52ad80f8dcd6efedc6157859b1a9d637 Mon Sep 17 00:00:00 2001
From: Sehrope Sarkuni <sehrope@jackdb.com>
Date: Mon, 1 Aug 2022 12:46:26 -0400
Subject: [PATCH] Merge pull request from GHSA-r38f-c4h4-hqq2

Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection. Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. Also adds a new test class ResultSetRefreshTest to verify this change.
---
 .../java/org/postgresql/jdbc/PgResultSet.java | 5 +-
 .../postgresql/test/jdbc2/Jdbc2TestSuite.java | 1 +
 .../test/jdbc2/ResultSetRefreshTest.java | 54 +++++++++++++++++++
 3 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
Index: postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/jdbc/PgResultSet.java
===================================================================
--- postgresql-42.2.25-jdbc-src.orig/src/main/java/org/postgresql/jdbc/PgResultSet.java
+++ postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/jdbc/PgResultSet.java
@@ -1323,7 +1323,7 @@ public class PgResultSet implements Resu
 if (i > 1) {
 selectSQL.append(", ");
 }
- selectSQL.append(pgmd.getBaseColumnName(i));
+ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
 }
 selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");
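Review bot: The table reference on the context line `selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");` is still concatenated into the statement as-is, while the column names beside it now go through `Utils.escapeIdentifier`. Where `tableName` is assigned is outside this hunk, so it may already be in a safely quoted form; if it is, a short comment on that line saying where the value comes from and why it needs no escaping would save the next reader from re-auditing it. The key-column hunk at -1333 builds the `where` clause of the same statement, so the comment covers both. The enclosing method begins and ends outside the hunk.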
@@ -1333,7 +1333,8 @@ public class PgResultSet implements Resu
 for (int i = 0; i < numKeys; i++) {
 PrimaryKey primaryKey = primaryKeys.get(i);
- selectSQL.append(primaryKey.name).append(" = ?");
+ Utils.escapeIdentifier(selectSQL, primaryKey.name);
+ selectSQL.append(" = ?");
 if (i < numKeys - 1) {
 selectSQL.append(" and ");
Index: postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
===================================================================
--- /dev/null
+++ postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ * See the LICENSE file in the project root for more information.
+ */
+
+package org.postgresql.test.jdbc2;
+
+import static org.junit.Assert.assertTrue;
+
+import org.postgresql.test.TestUtil;
+
+import org.junit.Test;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public class ResultSetRefreshTest extends BaseTest4 {
+ @Test
+ public void testWithDataColumnThatRequiresEscaping() throws Exception {
+ TestUtil.dropTable(con, "refresh_row_bad_ident");
+ TestUtil.execute(con, "CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)");
+ TestUtil.execute(con, "INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)");
+
+ Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+ assertTrue(rs.next());
+ try {
+ rs.refreshRow();
+ } catch (SQLException ex) {
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex);
+ }
+ rs.close();
+ stmt.close();
+ }
+
+ @Test
+ public void testWithKeyColumnThatRequiresEscaping() throws Exception {
+ TestUtil.dropTable(con, "refresh_row_bad_ident");
+ TestUtil.execute(con, "CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)");
+ TestUtil.execute(con, "INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)");
+
+ Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+ assertTrue(rs.next());
+ try {
+ rs.refreshRow();
+ } catch (SQLException ex) {
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex);
+ }
+ rs.close();
+ stmt.close();
+ }
+}
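Review bot: Both tests pass as soon as `rs.refreshRow()` does not throw, so a refresh that executes but re-reads the wrong data would go unnoticed. Checking the row afterwards, for example `assertEquals(1, rs.getInt("id"));` in the data-column test, would pin the result. Neither identifier contains a double-quote character, which is the character identifier escaping has to handle specially, so a third case with an embedded quote in the column name would cover the escaping itself rather than only the quoting. `rs` and `stmt` are closed only on the success path and `refresh_row_bad_ident` is never dropped after the test; try-with-resources plus a drop in teardown would keep a failing run from leaving state behind.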