Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request from GHSA-r38f-c4h4-hqq2
Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.

Previously, the column names for both key and data columns in the table were copied as-is into the generated
SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
executed as multiple separate commands.

Also adds a new test class ResultSetRefreshTest to verify this change.
  • Loading branch information
sehrope committed Aug 1, 2022
1 parent 736f959 commit 739e599
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 2 deletions.
5 changes: 3 additions & 2 deletions pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java
Expand Up @@ -1418,7 +1418,7 @@ public void refreshRow() throws SQLException {
if (i > 1) {
selectSQL.append(", ");
}
selectSQL.append(pgmd.getBaseColumnName(i));
Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
}
selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");

Expand All @@ -1428,7 +1428,8 @@ public void refreshRow() throws SQLException {
for (int i = 0; i < numKeys; i++) {

PrimaryKey primaryKey = primaryKeys.get(i);
selectSQL.append(primaryKey.name).append(" = ?");
Utils.escapeIdentifier(selectSQL, primaryKey.name);
selectSQL.append(" = ?");

if (i < numKeys - 1) {
selectSQL.append(" and ");
Expand Down
Expand Up @@ -118,6 +118,7 @@
ReplaceProcessingTest.class,
ResultSetMetaDataTest.class,
ResultSetTest.class,
ResultSetRefreshTest.class,
ReturningParserTest.class,
SearchPathLookupTest.class,
ServerCursorTest.class,
Expand Down
@@ -0,0 +1,54 @@
/*
* Copyright (c) 2022, PostgreSQL Global Development Group
* See the LICENSE file in the project root for more information.
*/

package org.postgresql.test.jdbc2;

import static org.junit.Assert.assertTrue;

import org.postgresql.test.TestUtil;

import org.junit.Test;

import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ResultSetRefreshTest extends BaseTest4 {
@Test
public void testWithDataColumnThatRequiresEscaping() throws Exception {
TestUtil.dropTable(con, "refresh_row_bad_ident");
TestUtil.execute(con, "CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)");
TestUtil.execute(con, "INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)");

Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
assertTrue(rs.next());
try {
rs.refreshRow();
} catch (SQLException ex) {
throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex);
}
rs.close();
stmt.close();
}

@Test
public void testWithKeyColumnThatRequiresEscaping() throws Exception {
TestUtil.dropTable(con, "refresh_row_bad_ident");
TestUtil.execute(con, "CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)");
TestUtil.execute(con, "INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)");

Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
assertTrue(rs.next());
try {
rs.refreshRow();
} catch (SQLException ex) {
throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex);
}
rs.close();
stmt.close();
}
}

0 comments on commit 739e599

Please sign in to comment.