<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head> 
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0"> 
        <base href="https://hibernate.atlassian.net"> 
        <title>Message Title</title> 
    </head> 
    <body class="jira" style="color: #333333; font-family: Arial, sans-serif; font-size: 14px; line-height: 1.429"> 
        <table id="background-table" cellpadding="0" cellspacing="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; background-color: #f5f5f5; border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0" bgcolor="#f5f5f5"> 
            <!-- header here --> 
            <tbody>
                <tr> 
                    <td id="header-pattern-container" style="padding: 0; border-collapse: collapse; padding: 10px 20px"> 
                        <table id="header-pattern" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0"> 
                            <tbody>
                                <tr> 
                                    <td id="header-avatar-image-container" valign="top" style="padding: 0; border-collapse: collapse; vertical-align: top; width: 32px; padding-right: 8px" width="32"> <img id="header-avatar-image" class="image_fix" src="https://secure.gravatar.com/avatar/e990c7cdac81e570939c4d5b17303b42?d=mm&amp;s=48" height="32" width="32" border="0" style="border-radius: 3px; vertical-align: top"> </td> 
                                    <td id="header-text-container" valign="middle" style="padding: 0; border-collapse: collapse; vertical-align: middle; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px"> <a class="user-hover" rel="xenoterracide" id="email_xenoterracide" href="https://hibernate.atlassian.net/secure/ViewProfile.jspa?name=xenoterracide" style="color: #6c797f; color: #3b73af; text-decoration: none">Caleb Cushing</a> <strong>updated</strong> an issue </td> 
                                </tr> 
                            </tbody>
                        </table> </td> 
                </tr> 
                <tr> 
                    <td id="email-content-container" style="padding: 0; border-collapse: collapse; padding: 0 20px"> 
                        <table id="email-content-table" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; border-spacing: 0; border-collapse: separate"> 
                            <tbody>
                                <tr> 
                                    <!-- there needs to be content in the cell for it to render in some clients --> 
                                    <td class="email-content-rounded-top mobile-expand" style="padding: 0; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 15px; background-color: #ffffff; border-left: 1px solid #cccccc; border-top: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom: 0; border-top-right-radius: 5px; border-top-left-radius: 5px; height: 10px; line-height: 10px; padding: 0 15px 0 16px; mso-line-height-rule: exactly" height="10" bgcolor="#ffffff">&nbsp;</td> 
                                </tr> 
                                <tr> 
                                    <td class="email-content-main mobile-expand " style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff"> 
                                        <table class="page-title-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0"> 
                                            <tbody>
                                                <tr> 
                                                    <td class="page-title-pattern-first-line " style="padding: 0; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; padding-top: 10px"> <a href="https://hibernate.atlassian.net/browse/HHH" style="color: #3b73af; text-decoration: none">Hibernate ORM</a> / <a href="https://hibernate.atlassian.net/browse/HHH-11590" style="color: #3b73af; text-decoration: none"><img src="cid:jira-generated-image-avatar-65c0b920-7bba-4472-a9a1-6e7e69d80b01" height="16" width="16" border="0" align="absmiddle" alt="Bug" style="vertical-align: text-bottom"></a> <a href="https://hibernate.atlassian.net/browse/HHH-11590" style="color: #3b73af; text-decoration: none">HHH-11590</a> </td> 
                                                </tr> 
                                                <tr> 
                                                    <td style="vertical-align: top;; padding: 0; border-collapse: collapse; padding-right: 5px; font-size: 20px; line-height: 30px; mso-line-height-rule: exactly" class="page-title-pattern-header-container"> <span class="page-title-pattern-header" style="font-family: Arial, sans-serif; padding: 0; font-size: 20px; line-height: 30px; mso-text-raise: 2px; mso-line-height-rule: exactly; vertical-align: middle"> <a href="https://hibernate.atlassian.net/browse/HHH-11590" style="color: #3b73af; text-decoration: none">sequence (and other?) identifiers injectable</a> </span> </td> 
                                                </tr> 
                                            </tbody>
                                        </table> </td> 
                                </tr> 
                                <tr> 
                                    <td class="email-content-main mobile-expand  wrapper-special-margin" style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff; padding-top: 10px; padding-bottom: 5px" bgcolor="#ffffff"> 
                                        <table class="keyvalue-table" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0"> 
                                            <tbody>
                                                <tr> 
                                                    <th style="color: #707070; font: normal 14px/20px Arial, sans-serif; text-align: left; vertical-align: top; padding: 2px 0">Change By:</th> 
                                                    <td style="padding: 0; border-collapse: collapse; font: normal 14px/20px Arial, sans-serif; padding: 2px 0 2px 5px; vertical-align: top"> <a class="user-hover" rel="xenoterracide" id="email_xenoterracide" href="https://hibernate.atlassian.net/secure/ViewProfile.jspa?name=xenoterracide" style="color: #6c797f; color: #3b73af; text-decoration: none">Caleb Cushing</a> </td> 
                                                </tr> 
                                            </tbody>
                                        </table> </td> 
                                </tr> 
                                <tr> 
                                    <td class="email-content-main mobile-expand  issue-description-container" style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff; padding-top: 5px; padding-bottom: 10px" bgcolor="#ffffff"> 
                                        <table class="text-paragraph-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 2px"> 
                                            <tbody>
                                                <tr> 
                                                    <td class="text-paragraph-pattern-container mobile-resize-text " style="padding: 0; border-collapse: collapse; padding: 0 0 10px"> <span class="diffcontext">from {{Oracle8iDialect}}:374<br><br>{code}<br> @Override<br> public String getSelectSequenceNextValString(String sequenceName) {<br>&nbsp;&nbsp;return sequenceName + ".nextval";<br> }<br>{code}<br><br>this means that if you write code like [this|http://stackoverflow.com/a/23267212/206466] if your sequence name comes from user input it's vulnerable to sql injection. Here's a partial proof of concept (from our code) I can write a full one if necessary.<br><br>{code:java}<br>int getNextCodeIntegerFromSequence( final TestClassification classification )<br>{<br> Long next = entityManager.getSession()<br>&nbsp;&nbsp;.doReturningWork( conn -&gt;<br>&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;DatabaseMetaDataDialectResolutionInfoAdapter info<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;= new DatabaseMetaDataDialectResolutionInfoAdapter( conn.getMetaData() );<br>&nbsp;&nbsp;&nbsp;Dialect dialect = new StandardDialectResolver().resolveDialect( info );<br>&nbsp;&nbsp;&nbsp;String seq = classification.getCodeSequence();<br>&nbsp;&nbsp;&nbsp;/*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ( StringUtils.containsAny( seq, dialect.openQuote(), dialect.closeQuote() )) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;String msg = String.format( "classification is being nefarious: '%s'", classification );<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw new IllegalArgumentException( msg );<br>&nbsp;&nbsp;&nbsp;}<br>&nbsp;&nbsp;&nbsp;*/<br>&nbsp;&nbsp;&nbsp;String quoted = dialect.quote( "`" + seq + "`" );<br>&nbsp;&nbsp;&nbsp;String sql = dialect.getSequenceNextValString( quoted );<br><br>&nbsp;&nbsp;&nbsp;try ( PreparedStatement stmt = conn.prepareStatement( sql );<br>&nbsp;&nbsp;&nbsp;&nbsp;ResultSet res = stmt.executeQuery() )<br>&nbsp;&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;while ( res.next() 
)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return res.getLong( 1 );<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br>&nbsp;&nbsp;&nbsp;}<br>&nbsp;&nbsp;&nbsp;String fmt = "something went wrong, you shouldn't reach this, here's the "<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;+ "classifcation: %s";<br>&nbsp;&nbsp;&nbsp;throw new NoResultException( String.format( fmt, classification ) );<br>&nbsp;&nbsp;} );<br><br> return next.intValue();<br>}<br>{code}<br>and a test<br>{code:java}<br> @Test( expected = IllegalArgumentException.class )<br> public void</span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;"> getNextCodeIntegerFromSequenceExploit</span> <span class="diffaddedchars" style="background-color:#ddfade;"> getNextZCodeIntegerFromSequenceExploit</span> <span class="diffcontext">() {<br></span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;">&nbsp;&nbsp;TestClassification</span> <span class="diffaddedchars" style="background-color:#ddfade;"> LabTestClassification</span> <span class="diffcontext"> classification =</span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;"> testClassificationRepo</span> <span class="diffaddedchars" style="background-color:#ddfade;"> labTestClassificationRepo</span> <span class="diffcontext">.findOne( 1L );<br>&nbsp;&nbsp;classification.</span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;">setCodeSequence</span> <span class="diffaddedchars" style="background-color:#ddfade;">setzCodeSequence</span> <span class="diffcontext">( classification.</span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;">getCodeSequence</span> <span class="diffaddedchars" style="background-color:#ddfade;">getzCodeSequence</span> <span class="diffcontext">() + "\"; drop table site_user; --" );<br><br></span> <span 
class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;">&nbsp;&nbsp;codeDao</span> <span class="diffaddedchars" style="background-color:#ddfade;"> zCodeDao</span> <span class="diffcontext">.</span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;">getNextCodeIntegerFromSequence</span> <span class="diffaddedchars" style="background-color:#ddfade;">getNextZCodeIntegerFromSequence</span> <span class="diffcontext">( classification ); // throws, code below never reached but left for<br>&nbsp;&nbsp;// proof of concept testing<br><br>&nbsp;&nbsp;Integer siteUserTables =</span> <span class="diffremovedchars" style="background-color: #ffe7e7; text-decoration:line-through;"> codeDao</span> <span class="diffaddedchars" style="background-color:#ddfade;"> zCodeDao</span> <span class="diffcontext">.getEntityManager().getSession()<br>&nbsp;&nbsp;&nbsp;.doReturningWork( conn -&gt;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;String sql<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;= " SELECT COUNT (TABLE_NAME ) from information_schema.tables "<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;+ " WHERE table_name = ? 
";<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;try ( PreparedStatement stmt = conn.prepareStatement( sql ) )<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;stmt.setString( 1, "SITE_USER" );<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;try ( ResultSet res = stmt.executeQuery() )<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;while ( res.next() )<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return res.getInt( 1 );<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return null;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} );<br>&nbsp;&nbsp;assertThat( siteUserTables, greaterThan( 0 ) );<br> }<br>{code}<br><br><br>it should probably be implemented as<br>{code}<br> @Override<br> public String getSelectSequenceNextValString(String sequenceName) {<br>&nbsp;&nbsp;return quote( sequenceName ) + ".nextval";<br> }<br>{code}<br><br>of course then looking at the implementation of {{Dialect.quote}}, it wouldn't actually do anything.&nbsp;&nbsp;After reviewing, oracle, h2, and postgres docs (pg says this)<br><br>{quote}Note that dollar signs are not allowed in identifiers according to the letter of the SQL standard, so their use might render applications less portable.<br>{quote}<br><br>I think that the quoting character for an identifier is never allowed in an identifier. So I think this can be added to the beginning of quote. 
{{StringUtils}} is from apache commons lang3<br><br>{code}<br>if ( StringUtils.containsAny( name, this.openQuote(), this.closeQuote() )) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;String msg = String.format( "illegal characters in: '%s'", name );<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw new IllegalArgumentException( msg );<br>}<br>{code}<br><br>Note that a check inside {{quote}} only protects names that are actually routed through it: as the first snippet shows, {{getSelectSequenceNextValString}} concatenates whatever it is given, so a name that is never quoted still reaches the SQL verbatim. Callers that take sequence names from untrusted input should therefore also restrict them to a known set of sequence names rather than rely on this check alone.<br><br>If this plan is approved I can write a patch, including one that doesn't use commons lang 3.</span> </td> 
                                                </tr> 
                                            </tbody>
                                        </table> </td> 
                                </tr> 
                                <tr> 
                                    <td class="email-content-main mobile-expand " style="padding: 0; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff"> <script type="application/ld+json">
{
  "@context": "http://schema.org",
  "@type": "EmailMessage",
  "description": "View Issue",
  "potentialAction": {
    "@type": "ViewAction",
        "target": "https://hibernate.atlassian.net/browse/HHH-11590?inbox=true&",
    "name": "View Issue"
      },
  "publisher": {
    "@type": "Organization",
    "name": "Atlassian",
    "url": "https://www.atlassian.com"
  }
}
</script> 
                                        <table id="actions-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px"> 
                                            <tbody>
                                                <tr> 
                                                    <td id="actions-pattern-container" valign="middle" style="padding: 0; border-collapse: collapse; padding: 10px 0 10px 24px; vertical-align: middle; padding-left: 0"> 
                                                        <table align="left" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0"> 
                                                            <tbody>
                                                                <tr> 
                                                                    <td class="actions-pattern-action-icon-container" style="padding: 0; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 0; vertical-align: middle"> <a href="https://hibernate.atlassian.net/browse/HHH-11590#add-comment" target="_blank" title="Add Comment" style="color: #3b73af; text-decoration: none"> <img class="actions-pattern-action-icon-image" src="cid:jira-generated-image-static-comment-icon-96d73031-a20b-4fc0-8fda-12fa037b0770" alt="Add Comment" title="Add Comment" height="16" width="16" border="0" style="vertical-align: middle"> </a> </td> 
                                                                    <td class="actions-pattern-action-text-container" style="padding: 0; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 4px; padding-left: 5px"> <a href="https://hibernate.atlassian.net/browse/HHH-11590#add-comment" target="_blank" title="Add Comment" style="color: #3b73af; text-decoration: none">Add Comment</a> </td> 
                                                                </tr> 
                                                            </tbody>
                                                        </table> </td> 
                                                </tr> 
                                            </tbody>
                                        </table> </td> 
                                </tr> 
                                <!-- there needs to be content in the cell for it to render in some clients --> 
                                <tr> 
                                    <td class="email-content-rounded-bottom mobile-expand" style="padding: 0; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 5px; line-height: 5px; background-color: #ffffff; border-top: 0; border-left: 1px solid #cccccc; border-bottom: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom-right-radius: 5px; border-bottom-left-radius: 5px; mso-line-height-rule: exactly" height="5" bgcolor="#ffffff">&nbsp;</td> 
                                </tr> 
                            </tbody>
                        </table> </td> 
                </tr> 
                <tr> 
                    <td id="footer-pattern" style="padding: 0; border-collapse: collapse; padding: 12px 20px"> 
                        <table id="footer-pattern-container" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0"> 
                            <tbody>
                                <tr> 
                                    <td id="footer-pattern-text" class="mobile-resize-text" width="100%" style="padding: 0; border-collapse: collapse; color: #999999; font-size: 12px; line-height: 18px; font-family: Arial, sans-serif; mso-line-height-rule: exactly; mso-text-raise: 2px"> This message was sent by Atlassian JIRA <span id="footer-build-information">(v1000.844.1#100035-<span title="ca7c2ca47ad02c2098e956fffbf89820cc12f6d8" data-commit-id="ca7c2ca47ad02c2098e956fffbf89820cc12f6d8">sha1:ca7c2ca</span>)</span> </td> 
                                    <td id="footer-pattern-logo-desktop-container" valign="top" style="padding: 0; border-collapse: collapse; padding-left: 20px; vertical-align: top"> 
                                        <table style="border-collapse: collapse; mso-table-lspace: 0; mso-table-rspace: 0"> 
                                            <tbody>
                                                <tr> 
                                                    <td id="footer-pattern-logo-desktop-padding" style="padding: 0; border-collapse: collapse; padding-top: 3px"> <img id="footer-pattern-logo-desktop" src="cid:jira-generated-image-static-footer-desktop-logo-388d3909-6d44-4677-8d26-9a0142ae0dbc" alt="Atlassian logo" title="Atlassian logo" width="169" height="36" class="image_fix"> </td> 
                                                </tr> 
                                            </tbody>
                                        </table> </td> 
                                </tr> 
                            </tbody>
                        </table> </td> 
                </tr> 
            </tbody>
        </table>   
    </body>
</html>