validates resultset parameters (#3167)

* validates resultset parameters * adds tests for invalid resultset params in createStatement, prepareStatement, prepareCall
pgjdbc · Mar 20, 2024 · 3b7daa9 · 3b7daa9
1 parent 24f2c7e
commit 3b7daa9
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 5 deletions.
diff --git a/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java b/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java
@@ -1397,27 +1397,48 @@ private static int integerPart(String dirtyString) {
     return Integer.parseInt(dirtyString.substring(start, end));
   }
 
+  // Validation check for integer values that need to be positive
+  // mainly added to check resultSetType, resultSetConcurrency and resultSetHoldability
+  private static boolean isPositive(int value) {
+    if (value < 0) {
+      return false;
+    }
+    return true;
+  }
+
   @Override
   public Statement createStatement(int resultSetType, int resultSetConcurrency,
       int resultSetHoldability) throws SQLException {
     checkClosed();
-    return new PgStatement(this, resultSetType, resultSetConcurrency, resultSetHoldability);
+    if (isPositive(resultSetType) && isPositive(resultSetConcurrency) && isPositive(resultSetHoldability)) {
+      return new PgStatement(this, resultSetType, resultSetConcurrency, resultSetHoldability);
+    } else {
+      throw new IllegalArgumentException("Value must be positive");
+    }
   }
 
   @Override
   public PreparedStatement prepareStatement(String sql, int resultSetType, int resultSetConcurrency,
       int resultSetHoldability) throws SQLException {
     checkClosed();
-    return new PgPreparedStatement(this, sql, resultSetType, resultSetConcurrency,
-        resultSetHoldability);
+    if (isPositive(resultSetType) && isPositive(resultSetConcurrency) && isPositive(resultSetHoldability)) {
+      return new PgPreparedStatement(this, sql, resultSetType, resultSetConcurrency,
+          resultSetHoldability);
+    } else {
+      throw new IllegalArgumentException("Value must be positive");
+    }
   }
 
   @Override
   public CallableStatement prepareCall(String sql, int resultSetType, int resultSetConcurrency,
       int resultSetHoldability) throws SQLException {
     checkClosed();
-    return new PgCallableStatement(this, sql, resultSetType, resultSetConcurrency,
-        resultSetHoldability);
+    if (isPositive(resultSetType) && isPositive(resultSetConcurrency) && isPositive(resultSetHoldability)) {
+      return new PgCallableStatement(this, sql, resultSetType, resultSetConcurrency,
+          resultSetHoldability);
+    } else {
+      throw new IllegalArgumentException("Value must be positive");
+    }
   }
 
   @Override

diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetTest.java
@@ -943,6 +943,96 @@ public void testParameters() throws SQLException {
     stmt.close();
   }
 
+  @Test
+  public void testCreateStatementWithInvalidResultSetParams() throws SQLException {
+    try {
+      con.createStatement(-1, -1,-1);
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testCreateStatementWithInvalidResultSetConcurrency() throws SQLException {
+    try {
+      con.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, -1) ;
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testCreateStatementWithInvalidResultSetHoldability() throws SQLException {
+    try {
+      con.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE, -1) ;
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testPrepareStatementWithInvalidResultSetParams() throws SQLException {
+    try {
+      con.prepareStatement("SELECT id FROM testrs", -1,-1 ,-1);
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testPrepareStatementWithInvalidResultSetConcurrency() throws SQLException {
+    try {
+      con.prepareStatement("SELECT id FROM testrs", ResultSet.TYPE_SCROLL_INSENSITIVE,-1 );
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testPrepareStatementWithInvalidResultSetHoldability() throws SQLException {
+    try {
+      con.prepareStatement("SELECT id FROM testrs", ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_UPDATABLE ,-1);
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testPrepareCallWithInvalidResultSetParams() throws SQLException {
+    try {
+      con.prepareCall("SELECT id FROM testrs", -1,-1 ,-1);
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testPrepareCallWithInvalidResultSetConcurrency() throws SQLException {
+    try {
+      con.prepareCall("SELECT id FROM testrs", ResultSet.TYPE_SCROLL_INSENSITIVE,-1 );
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
+  @Test
+  public void testPrepareCallWithInvalidResultSetHoldability() throws SQLException {
+    try {
+      con.prepareCall("SELECT id FROM testrs", ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_UPDATABLE ,-1);
+      fail("Should have thrown an IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Ok
+    }
+  }
+
   @Test
   public void testZeroRowResultPositioning() throws SQLException {
     Statement stmt =