[Hibernate-JIRA] Created: (HHH-7257) PersistentSet is initialized by criteria query with incomplete data
by Peter Fodor (JIRA)
PersistentSet is initialized by criteria query with incomplete data
-------------------------------------------------------------------
Key: HHH-7257
URL: https://hibernate.onjira.com/browse/HHH-7257
Project: Hibernate ORM
Issue Type: Bug
Components: query-criteria
Affects Versions: 4.1.2, 3.5.5
Environment: Hibernate 4.1.2 and 3.5.5
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)
Ubuntu Linux 11.10
PostgreSQL 9.1, HSQLDB 2.2.8
Reporter: Peter Fodor
Attachments: hibernate-criteria-testcase.zip
A criteria query with a filter (to the elements of a one-to-many relation) can initialize the persistent set with so that it returns not all items.
More detailed description:
1a. A bean is a simple entity
1b. A bean has multiple B beans
2. Query A bean with a filter to B
3a. The returns good result in the terms of A
3b. The set of returned A bean (which contains B instances) does not contains every referenced B item
4. After querying A items again with session.get() the returned A instances neither have the full set (with every B reference)
Expected behavior:
1. The Set of A instances should contain every referenced B item. (I know it can not be done with one query in general case)
2. If I query the same items with session.get() it shouldn't be affected by previous query and its set should contain every item. (I think this is the most serious problem)
3. The PersistentSet shouldn't marked with initialized=true, if its content can not be guaranteed that it contains every item.
Note:
The set of the same query is different (and contains every item), if its PersistentSet is initialized in the same session by an other query. (e.g. with a previous session.get().toString())
For more detailed description please check the test case.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-3811) Bug: No ability to escape SQL keywords in HQL queries.
by John Roberts (JIRA)
Bug: No ability to escape SQL keywords in HQL queries.
------------------------------------------------------
Key: HHH-3811
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-3811
Project: Hibernate Core
Issue Type: Bug
Components: core
Affects Versions: 3.3.0.CR1
Environment: 3.3.0.CR1, MS SQL Server 2005 Express
Reporter: John Roberts
Priority: Critical
There appears to be no way to escape property names that are SQL keywords in HQL queries. For example, if you have a property named "key", which is a reasonable name for a property, and you are constructing an HQL query, e.g.:
session.createQuery("select from Entities where key=?");
That will fail on MS SQL Server, because "key" is a reserved T-SQL keyword. However, there is no way to make it succeed, as either an absent-minded developer appears to have forgotten to add the ability to escape keywords to HQL (oops), or it's the secret of the millennium and was left out of the documentation on purpose (it has certainly boggled the minds of the folks on FreeNode #java, #hibernate, and the hibernate forum). Note that none of the following will succeed (this is what I have tried so far):
session.createQuery("select from Entities where key=?");
session.createQuery("select from Entities where [key]=?"); // <-- mssql style still fails to be parsed
session.createQuery("select from Entities where `key`=?");
session.createQuery("select from Entities where 'key'=?");
session.createQuery("select from Entities where \"key\"=?");
session.createQuery("select from Entities where ''key''=?");
session.createQuery("select from Entities where {key}=?");
session.createQuery("select from Entities where <key>=?");
session.createQuery("select from Entities where (key)=?");
session.createQuery("select from Entities where $key$=?");
session.createQuery("select from Entities where $key=?");
Note that using the underlying DBMS's escape method *does* work for column names in the entity mappings, but does not work in actual HQL.
Since most DBMS's have their own dialects of SQL, the inability to escape keywords in HQL means that it is generally impossible to guarantee that any given HQL query will work unless you specifically design your application around the underlying DBMS (which is precisely one of the things you were hoping to avoid with Hibernate -- although on the other hand you're already tied to the DBMS with escaped keywords in the entity mapping anyways).
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-6672) Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.
by Peter Schuler (JIRA)
Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.
------------------------------------------------------------------------------------------------------------------------------
Key: HHH-6672
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6672
Project: Hibernate Core
Issue Type: Bug
Components: query-hql
Affects Versions: 4.0.0.CR3, 3.6.7
Environment: Mysql Database
Reporter: Peter Schuler
Inserting the word 'union' anywhere in a HQL or JP-QL query truncates the query string. I consider this a security issue because it makes exploiting HQL of JP-QL injections easier.
For example:
from Persoon p where p.persoonId = '1' --> returns just 1 entry.
But:
from Persoon p union where p.persoonId = '1' --> ignores the part after union and returns the whole table.
However:
from Persoon p unionS where p.persoonId = '1' --> or any other word results in a QuerySyntaxException as is expected.
This behaviour is documented in HHH-1050. It looks like this in a halfway implemented feature.
This undocumented behaviour is a security risk because it makes exploiting JP-QL or HQL injections a lot easier. If you can inject into the query string you can easily truncate the remainder of the query. Even if the remainder will somehow restrict the the query result.
This can be fixed changing the behaviour of the query parser by throwing a QuerySyntaxException.
ps: I'll try to add a test case but I hope I've provided enough information.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-7293) Change index name to meet Oracle 30 chars limit
by Samuel Fung (JIRA)
Change index name to meet Oracle 30 chars limit
-----------------------------------------------
Key: HHH-7293
URL: https://hibernate.onjira.com/browse/HHH-7293
Project: Hibernate ORM
Issue Type: Patch
Components: core
Affects Versions: 4.1.1
Environment: Oracle 11g
Reporter: Samuel Fung
Priority: Minor
Attachments: diff.txt
I have an entity class that use table-per-class inheritance. One property in the base class is annotated with @org.hibernate.annotations.Index(name="..."). When Hibernate creates DB schema, the index name is prepended with the concrete class name. The final name exceeds Oracle limit of names <30 chars.
I changed org.hibernate.mapping.DenormalizedTable, the index name is the hex string of hashcode of the original name. This comply the Oracle limit while (very likely) maintains uniqueness of the name.
Sorry that the submitted patch is not exactly a svn diff (made by diff -u).
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months
[Hibernate-JIRA] Created: (HHH-3818) Hibernate/JBC integration doesn't property handle Entity/CollectionRegionAccessStrategy evict
by Brian Stansberry (JIRA)
Hibernate/JBC integration doesn't property handle Entity/CollectionRegionAccessStrategy evict
---------------------------------------------------------------------------------------------
Key: HHH-3818
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-3818
Project: Hibernate Core
Issue Type: Bug
Components: caching (L2)
Affects Versions: 3.3.1
Reporter: Brian Stansberry
Assignee: Brian Stansberry
Fix For: 3.3.x
EntityRegionAccessStrategy and CollectionRegionAccessStrategy have evict(Object key) and evictAll() that say they must cause removal of items from the cache "immediately without regard for transaction isolation." The Hibernate/JBC integration is not properly handling this as the JBC removeNode calls it makes are not dealing with transactional issues. The integration needs to:
1) Perhaps suspend any ongoing tx (particularly since these calls are typically made from a tx Synchronization's afterCompletion() callback, when the tx is Status.COMMITTED and it isn't appropriate to call into the cache expecting the cache to incorporate the call into the transaction. (Alhthough I believe JBC handles this correctly by ignoring the tx, since it isn't ACTIVE).
2) Deal with the fact that the tx that is being committed is likely holding locks in JBC. This is the big issue. I believe dealing with this will a) require keeping state in the Hib/JBC integration layer's Region to track that an eviction has occurred but may not be reflected in JBC b) using JBC as a notification bus to propagate the fact of the eviction to other nodes c) attempting to evict the data from JBC locally, failing promptly in the face of lock conflicts d) including in any get() or putFromLoad() calls logic to check the state from a), again attempting to evict locally (with a very short timeout) if not yet evicted and not allowing calls to proceed into JBC until successful.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 11 months