HHH-14077 CVE-2019-14900 SQL injection issue using JPA Criteria API

hibernate · Jun 23, 2020 · eebf01f · eebf01f
1 parent d9a33bf
commit eebf01f
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/...in/java/org/hibernate/type/descriptor/sql/internal/JdbcLiteralFormatterCharacterData.java b/...in/java/org/hibernate/type/descriptor/sql/internal/JdbcLiteralFormatterCharacterData.java
@@ -19,6 +19,8 @@
  * @author Steve Ebersole
  */
 public class JdbcLiteralFormatterCharacterData extends BasicJdbcLiteralFormatter {
+	public static final String NATIONALIZED_PREFIX = "n";
+
 	private final boolean isNationalized;
 
 	public JdbcLiteralFormatterCharacterData(JavaTypeDescriptor javaTypeDescriptor) {
@@ -34,12 +36,13 @@ public JdbcLiteralFormatterCharacterData(JavaTypeDescriptor javaTypeDescriptor,
 	public String toJdbcLiteral(Object value, Dialect dialect, SharedSessionContractImplementor session) {
 		final String literalValue = unwrap( value, String.class, session );
 
+		final String inlineLiteral = dialect.inlineLiteral( literalValue );
+
 		if ( isNationalized ) {
 			// is there a standardized form for n-string literals?  This is the SQL Server syntax for sure
-			return String.format( Locale.ROOT, "n'%s'", literalValue );
-		}
-		else {
-			return String.format( Locale.ROOT, "'%s'", literalValue );
+			return NATIONALIZED_PREFIX.concat( inlineLiteral );
 		}
+
+		return inlineLiteral;
 	}
 }