HHH-14077 : CVE-2019-14900 SQL injection issue using JPA Criteria API

hibernate · Jun 22, 2020 · e0e22ea · e0e22ea
1 parent b038e24
commit e0e22ea
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/...ore/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java b/...ore/src/main/java/org/hibernate/query/criteria/internal/expression/LiteralExpression.java
@@ -110,17 +110,18 @@ private String normalRender(RenderingContext renderingContext, LiteralHandlingMo
 	}
 
 	private String renderProjection(RenderingContext renderingContext) {
+		if ( ValueHandlerFactory.isCharacter( literal ) ) {
+			// In case literal is a Character, pass literal.toString() as the argument.
+			return renderingContext.getDialect().inlineLiteral( literal.toString() );
+		}
+
 		// some drivers/servers do not like parameters in the select clause
 		final ValueHandlerFactory.ValueHandler handler =
 				ValueHandlerFactory.determineAppropriateHandler( literal.getClass() );
 
 		if ( handler == null ) {
 			return normalRender( renderingContext, LiteralHandlingMode.BIND );
 		}
-
-		if ( ValueHandlerFactory.isCharacter( literal ) ) {
-			return renderingContext.getDialect().inlineLiteral( handler.render( literal ) );
-		}
 		else {
 			return handler.render( literal );
 		}