backpatch changes from GHSA-r38f-c4h4-hqq2 security advisory for CVE-2022-31197 (#2607)

davecramer · web-flow · commit 0afaa71d5254 · 2022-09-06T08:35:12.000-04:00
* backpatch changes from GHSA-r38f-c4h4-hqq2 security advisory for CVE-2022-31197 * add missing file
diff --git a/gradle.properties b/gradle.properties
@@ -14,7 +14,7 @@ kotlin.parallel.tasks.in.project=true
 # This is version for PgJdbc itself
 # Note: it should not include "-SNAPSHOT" as it is automatically added by build.gradle.kts
 # Release version can be generated by using -Prelease or -Prc=<int> arguments
-pgjdbc.version=42.3.6
+pgjdbc.version=42.3.7
 
 # The options below configures the use of local clone (e.g. testing development versions)
 # You can pass un-comment it, or pass option -PlocalReleasePlugins, or -PlocalReleasePlugins=<path>
diff --git a/pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java b/pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java
@@ -1418,7 +1418,7 @@ public void refreshRow() throws SQLException {
       if (i > 1) {
         selectSQL.append(", ");
       }
-      selectSQL.append(pgmd.getBaseColumnName(i));
+      Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
     }
     selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");
 
@@ -1428,7 +1428,8 @@ public void refreshRow() throws SQLException {
     for (int i = 0; i < numKeys; i++) {
 
       PrimaryKey primaryKey = primaryKeys.get(i);
-      selectSQL.append(primaryKey.name).append(" = ?");
+      Utils.escapeIdentifier(selectSQL, primaryKey.name);
+      selectSQL.append(" = ?");
 
       if (i < numKeys - 1) {
         selectSQL.append(" and ");
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
@@ -118,6 +118,7 @@
     ReplaceProcessingTest.class,
     ResultSetMetaDataTest.class,
     ResultSetTest.class,
+    ResultSetRefreshTest.class,
     ReturningParserTest.class,
     SearchPathLookupTest.class,
     ServerCursorTest.class,
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ * See the LICENSE file in the project root for more information.
+ */
+
+package org.postgresql.test.jdbc2;
+
+import static org.junit.Assert.assertTrue;
+
+import org.postgresql.test.TestUtil;
+
+import org.junit.Test;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public class ResultSetRefreshTest extends BaseTest4 {
+  @Test
+  public void testWithDataColumnThatRequiresEscaping() throws Exception {
+    TestUtil.dropTable(con, "refresh_row_bad_ident");
+    TestUtil.execute(con, "CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)");
+    TestUtil.execute(con, "INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)");
+
+    Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+    ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+    assertTrue(rs.next());
+    try {
+      rs.refreshRow();
+    } catch (SQLException ex) {
+      throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex);
+    }
+    rs.close();
+    stmt.close();
+  }
+
+  @Test
+  public void testWithKeyColumnThatRequiresEscaping() throws Exception {
+    TestUtil.dropTable(con, "refresh_row_bad_ident");
+    TestUtil.execute(con, "CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)");
+    TestUtil.execute(con, "INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)");
+
+    Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+    ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+    assertTrue(rs.next());
+    try {
+      rs.refreshRow();
+    } catch (SQLException ex) {
+      throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex);
+    }
+    rs.close();
+    stmt.close();
+  }
+}
