File fix-SQL-Injection-CVE-2022-31197.patch of Package postgresql-jdbc.32827
From 739e599d52ad80f8dcd6efedc6157859b1a9d637 Mon Sep 17 00:00:00 2001
From: Sehrope Sarkuni <sehrope@jackdb.com>
Date: Mon, 1 Aug 2022 12:46:26 -0400
Subject: [PATCH] Merge pull request from GHSA-r38f-c4h4-hqq2
Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
Previously, the column names for both key and data columns in the table were copied as-is into the generated
SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
executed as multiple separate commands.
Also adds a new test class ResultSetRefreshTest to verify this change.
---
.../java/org/postgresql/jdbc/PgResultSet.java | 5 +-
.../postgresql/test/jdbc2/Jdbc2TestSuite.java | 1 +
.../test/jdbc2/ResultSetRefreshTest.java | 54 +++++++++++++++++++
3 files changed, 58 insertions(+), 2 deletions(-)
create mode 100644 pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
Index: postgresql-jdbc-9.4-1201.src/org/postgresql/jdbc2/AbstractJdbc2ResultSet.java
===================================================================
--- postgresql-jdbc-9.4-1201.src.orig/org/postgresql/jdbc2/AbstractJdbc2ResultSet.java
+++ postgresql-jdbc-9.4-1201.src/org/postgresql/jdbc2/AbstractJdbc2ResultSet.java
@@ -1277,7 +1277,7 @@ public abstract class AbstractJdbc2Resul
if (i > 1) {
selectSQL.append(", ");
}
- selectSQL.append( pgmd.getBaseColumnName(i) );
+ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
}
selectSQL.append(" from " ).append(onlyTable).append(tableName).append(" where ");
@@ -1287,7 +1287,8 @@ public abstract class AbstractJdbc2Resul
{
PrimaryKey primaryKey = ((PrimaryKey) primaryKeys.get(i));
- selectSQL.append(primaryKey.name).append("= ?");
+ Utils.escapeIdentifier(selectSQL, primaryKey.name);
+ selectSQL.append(" = ?");
if ( i < numKeys - 1 )
{
