Commit 942a922

committed
Switch to OpenFeign QueryDSL (#2050)
because of CVE-2024-49203. Closes #2409. Signed-off-by: mikereiche <[email protected]>
1 parent 545d886 commit 942a922

2 files changed

+12
-3
lines changed


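--- a/pom.xml
+++ b/pom.xml
@@ -26,6 +26,7 @@
 <jodatime>2.10.13</jodatime>
 <jackson-joda>2.13.4</jackson-joda>
 <jakarta.el>4.0.0</jakarta.el>
+<querydsl_of>6.11</querydsl_of>
 </properties>
 
 <dependencyManagement>
@@ -43,10 +44,9 @@
 <dependencies>
 
 <dependency>
-<groupId>com.querydsl</groupId>
+<groupId>io.github.openfeign.querydsl</groupId>
 <artifactId>querydsl-apt</artifactId>
-<version>${querydsl}</version>
-<classifier>jakarta</classifier>
+<version>${querydsl_of}</version>
 <scope>provided</scope>
 </dependency>
 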
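Review bot: The switch of `querydsl-apt` to the `io.github.openfeign.querydsl` groupId carries no explanation in the POM itself; the reason (CVE-2024-49203) lives only in the commit message, so a later dependency refresh could drift back to `com.querydsl` unnoticed. Add `<!-- OpenFeign fork of QueryDSL: com.querydsl 5.x is affected by CVE-2024-49203 (see #2409); do not revert -->` above the new `<querydsl_of>` property. Only the provided-scope annotation processor is moved in this section; whether the runtime QueryDSL artifacts (presumably `querydsl-core`, where `PathBuilder` lives) and the old `${querydsl}` property are also switched is outside these hunks, so it is worth confirming with `mvn dependency:tree` that nothing still resolves `com.querydsl:*` onto the runtime classpath. Both hunks sit inside `<properties>` and `<dependencyManagement>` blocks that begin and end outside the section.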

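--- a/src/test/java/org/springframework/data/couchbase/repository/query/CouchbaseRepositoryQuerydslIntegrationTests.java
+++ b/src/test/java/org/springframework/data/couchbase/repository/query/CouchbaseRepositoryQuerydslIntegrationTests.java
@@ -20,6 +20,7 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.springframework.data.couchbase.util.Util.comprises;
 import static org.springframework.data.couchbase.util.Util.exactly;
 
@@ -29,6 +30,7 @@
 import java.util.Optional;
 import java.util.stream.StreamSupport;
 
+import com.querydsl.core.types.dsl.PathBuilder;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
@@ -147,6 +149,13 @@ void testEq() {
 }
 }
 
+@Test
+void testInjection() {
+String userSpecifiedPath = "1 = 1) OR (2";
+PathBuilder<QAirline> pathBuilder = new PathBuilder<>(QAirline.class, "xyz");
+assertThrows(IllegalStateException.class, () -> pathBuilder.get(userSpecifiedPath).eq("2"));
+}
+
 // this gives hqCountry == "" and hqCountry is missing
 // @Test
 void testStringIsEmpty() {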
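Review bot: `testInjection` carries no comment tying it to the CVE it is meant to guard, and its executable runs `.eq("2")` after `.get(...)`, so the assertion is also satisfied by an `IllegalStateException` raised somewhere later than the property lookup. Add `// CVE-2024-49203: PathBuilder must reject property names that are not plain identifiers` above the method and, if the fork validates at lookup time as the test implies, narrow the executable to `() -> pathBuilder.get(userSpecifiedPath)`. A positive control such as `assertDoesNotThrow(() -> pathBuilder.get("..."))` with a property that `QAirline` actually declares would show the validator is rejecting the injection string rather than every path. Note that this exercises the library directly; whether user-supplied sort or property names reach `PathBuilder` through the repository's own query path is not visible in this section. `testStringIsEmpty` continues past the end of the hunk.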
