Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Obsolete vulnerable literal AddColumn #3517

Merged
merged 1 commit into from
May 11, 2024
Merged

Obsolete vulnerable literal AddColumn #3517

merged 1 commit into from
May 11, 2024

Conversation

fredericDelaporte
Copy link
Member

SqlInsert/UpdateBuilder AddColumn overloads taking a value have a SQL injection vulnerability, and have no usage.

@fredericDelaporte fredericDelaporte added this to the 5.6 milestone Apr 2, 2024
@fredericDelaporte
Copy link
Member Author

fredericDelaporte commented May 5, 2024
edited
Loading

If we do that for mitigating some of the issues raised in #3516, it should target the currently released minor instead, I realized. Even if obsoleting members in a patch release is not a normal practice with SemVer, when that is a security issue mitigation, it seems reasonable.

If instead the trouble is fixed at its root in the minor release, then we could keep on targeting the next minor, with another obsolete message.

@hazzik
Copy link
Member

hazzik commented May 6, 2024

Let's do 5.4.x and 5.5.x

@fredericDelaporte
Obsolete literal AddColumn
6bd6bd4 
SqlInsert/UpdateBuilder AddColumn overloads taking a value have a SQL injection vulnerability, and have no usage.
@fredericDelaporte fredericDelaporte changed the base branch from master to 5.4.x May 9, 2024 12:46
@fredericDelaporte fredericDelaporte modified the milestones: 5.6, 5.4.9 May 9, 2024
@fredericDelaporte fredericDelaporte merged commit fdd7fcf into nhibernate:5.4.x May 11, 2024
22 of 23 checks passed
@fredericDelaporte fredericDelaporte deleted the obsolete-add-literal-column branch May 11, 2024 20:00
@fredericDelaporte fredericDelaporte changed the title Obsolete literal AddColumn Obsolete vulnerable literal AddColumn Jun 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leifjones leifjones leifjones left review comments

@hazzik hazzik hazzik approved these changes

Assignees
No one assigned
Labels
c: Core p: Minor r: Fixed t: Task
Projects
None yet
Milestone
5.4.9
Development

Successfully merging this pull request may close these issues.
3 participants
@fredericDelaporte @hazzik @leifjones