
[OLINGO-1228] Fix to filter value having 2 single quotes in JPA

ramya vasanth
ramya vasanth committed Aug 2, 2019
1 parent 6f2083a commit ce414cc7ae44eae7aa4f8ffd4f4b124679d7623f
@@ -517,7 +517,6 @@ private static String evaluateComparingExpression(String uriLiteral, final EdmSi
Class<?> edmMappedType, Map<Integer, Object> positionalParameters, int index) throws ODataJPARuntimeException {
if (EdmSimpleTypeKind.String.getEdmSimpleTypeInstance().isCompatible(edmSimpleType)
|| EdmSimpleTypeKind.Guid.getEdmSimpleTypeInstance().isCompatible(edmSimpleType)) {
uriLiteral = uriLiteral.replaceAll("'", "''");
uriLiteral = updateValueIfWildcards(uriLiteral);
if (!positionalParameters.containsKey(index)) {
if(edmMappedType != null){
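Review bot: With the single-quote doubling gone, the literal leaving this block through `updateValueIfWildcards(uriLiteral)` carries raw `'` characters, so the change is only safe if every path out of the method binds the value via `positionalParameters` and never concatenates it into the JPQL string; the `if (!positionalParameters.containsKey(index))` branch suggests that is the design, but the rest of the method, including whatever happens when the index is already present, is outside this hunk. A comment stating the invariant would stop the next maintainer from re-adding (or removing) escaping on a hunch: `// No quote escaping here: the literal is bound as a positional parameter, never spliced into the JPQL text.` It is also worth confirming that the OData URI parser has already collapsed `''` to `'` before this point, since otherwise a value containing a doubled quote is now bound with both characters. evaluateComparingExpression begins before the hunk and continues after it.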
@@ -51,7 +51,7 @@
private static final String[] EXPRESSION_EQ = { "id eq '123'", "(E1.id LIKE '123' ESCAPE '\\')" };
private static final String[] EXPRESSION_NE = { "id ne '123'", "(E1.id NOT LIKE '123' ESCAPE '\\')" };
private static final String[] EXPRESSION_NE_SPECIAL = { "id ne '1_3'", "(E1.id NOT LIKE '1_3' ESCAPE '\\')" };
private static final String[] EXPRESSION_ESCAPE = { "id ne '123''22'", "(E1.id NOT LIKE '123''22' ESCAPE '\\')" };
private static final String[] EXPRESSION_ESCAPE = { "id ne '123''22'", "(E1.id NOT LIKE '123'22' ESCAPE '\\')" };
private static final String[] EXPRESSION_BINARY_AND =
{
"id le '123' and soId eq 123L and not (substringof(id,'123') eq false) eq true",
@@ -81,21 +81,21 @@
"(SUBSTRING(E1.oValue.Currency, 1 + 1 , 3) LIKE 'INR' ESCAPE '\\')" };
private static final String[] EXPRESSION_SUBSTRINGOF_INJECTION1 = {
"substringof('a'' OR 1=1 OR E1.id LIKE ''b',id) eq true",
"((CASE WHEN (E1.id LIKE CONCAT('%',CONCAT('a'' OR 1=1 OR E1.id LIKE ''b','%')) ESCAPE '\\') "
"((CASE WHEN (E1.id LIKE CONCAT('%',CONCAT('a' OR 1=1 OR E1.id LIKE 'b','%')) ESCAPE '\\') "
+ "THEN TRUE ELSE FALSE END) = true)" };
private static final String[] EXPRESSION_SUBSTRINGOF_INJECTION2 =
{
"substringof('substringof(''a'' OR 1=1 OR E1.id LIKE ''b'',id)',id) eq true",
"((CASE WHEN (E1.id LIKE CONCAT('%',CONCAT('substringof(''a'' OR 1=1 OR E1.id LIKE ''b'',id)','%')) ESCAPE '\\') "
"((CASE WHEN (E1.id LIKE CONCAT('%',CONCAT('substringof('a' OR 1=1 OR E1.id LIKE 'b',id)','%')) ESCAPE '\\') "
+ "THEN TRUE ELSE FALSE END) = true)" };
private static final String[] EXPRESSION_SUBSTRINGOF_INJECTION3 =
{
"substringof( substring(' ) OR execute_my_sql OR '' LIKE ',3),'de''') eq true",
"((CASE WHEN ('de''' LIKE CONCAT('%',CONCAT(SUBSTRING(' ) OR execute_my_sql OR '' LIKE ', 3 + 1 ),'%')"
"((CASE WHEN ('de'' LIKE CONCAT('%',CONCAT(SUBSTRING(' ) OR execute_my_sql OR ' LIKE ', 3 + 1 ),'%')"
+ ") ESCAPE '\\') "
+ "THEN TRUE ELSE FALSE END) = true)" };
private static final String[] EXPRESSION_ENDSWITH_INJECTION1 = { "endswith(id,'Str''eet') eq true",
"(E1.id LIKE CONCAT('%','Str''eet') ESCAPE '\\' )" };
"(E1.id LIKE CONCAT('%','Str'eet') ESCAPE '\\' )" };
private static final String[] EXPRESSION_PRECEDENCE = {
"id eq '123' and id ne '123' or (id eq '123' and id ne '123')",
"(((E1.id LIKE '123' ESCAPE '\\') AND (E1.id NOT LIKE '123' ESCAPE '\\')) OR ((E1.id LIKE '123' ESCAPE '\\') "
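Review bot: The revised expectations for `EXPRESSION_SUBSTRINGOF_INJECTION1` through `3` and `EXPRESSION_ENDSWITH_INJECTION1` now show the attacker-controlled literal inline with its single quotes unescaped, e.g. `CONCAT('a' OR 1=1 OR E1.id LIKE 'b','%')`, which is exactly the payload these cases were written to reject. If these strings are the JPQL that reaches the provider, the commit has reopened the injection; if the harness instead inlines the bound positional-parameter values into the string for comparison, that should be said next to the constants so nobody reads them as executable JPQL, e.g. `// Expected text shows bound parameter values inlined for readability; the emitted query uses ?n placeholders.` I cannot tell which from this hunk because the assertion code is outside it, and `EXPRESSION_ESCAPE` likewise now expects `'123'22'`, which would be malformed if it were literal JPQL.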
