Switch to OpenFeign QueryDSL (#2050)

because of CVE-2024-49203.

Closes #2409.

Signed-off-by: mikereiche <michael.reiche@couchbase.com>
This commit is contained in:
Michael Reiche
2025-04-23 17:59:16 -07:00
committed by GitHub
parent 1c541acf72
commit 314a8ca48a
2 changed files with 16 additions and 2 deletions


@@ -26,6 +26,7 @@
<jodatime>2.10.13</jodatime>
<jackson-joda>2.13.4</jackson-joda>
<jakarta.el>4.0.0</jakarta.el>
<querydsl_of>6.11</querydsl_of>
</properties>
<dependencyManagement>
@@ -43,10 +44,12 @@
<dependencies>
<dependency>
<!--
<groupId>com.querydsl</groupId>
-->
<groupId>io.github.openfeign.querydsl</groupId>
<artifactId>querydsl-apt</artifactId>
<version>${querydsl}</version>
<classifier>jakarta</classifier>
<version>${querydsl_of}</version>
<scope>provided</scope>
</dependency>


@@ -20,6 +20,7 @@ import static com.couchbase.client.java.query.QueryScanConsistency.REQUEST_PLUS;
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.springframework.data.couchbase.util.Util.comprises;
import static org.springframework.data.couchbase.util.Util.exactly;
@@ -29,6 +30,7 @@ import java.util.Locale;
import java.util.Optional;
import java.util.stream.StreamSupport;
import com.querydsl.core.types.dsl.PathBuilder;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
@@ -43,8 +45,10 @@ import org.springframework.data.couchbase.core.CouchbaseTemplate;
import org.springframework.data.couchbase.core.mapping.event.ValidatingCouchbaseEventListener;
import org.springframework.data.couchbase.core.query.QueryCriteriaDefinition;
import org.springframework.data.couchbase.domain.Airline;
import org.springframework.data.couchbase.domain.AirlineCollectioned;
import org.springframework.data.couchbase.domain.AirlineRepository;
import org.springframework.data.couchbase.domain.QAirline;
import org.springframework.data.couchbase.domain.QAirlineCollectioned;
import org.springframework.data.couchbase.repository.auditing.EnableCouchbaseAuditing;
import org.springframework.data.couchbase.repository.auditing.EnableReactiveCouchbaseAuditing;
import org.springframework.data.couchbase.repository.config.EnableCouchbaseRepositories;
@@ -147,6 +151,13 @@ public class CouchbaseRepositoryQuerydslIntegrationTests extends JavaIntegration
}
}
@Test
void testInjection() {
String userSpecifiedPath = "1 = 1) OR (2";
PathBuilder<QAirline> pathBuilder = new PathBuilder<>(QAirline.class, "xyz");
assertThrows(IllegalStateException.class, () -> pathBuilder.get(userSpecifiedPath).eq("2"));
}
// this gives hqCountry == "" and hqCountry is missing
// @Test
void testStringIsEmpty() {
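Review bot: `testInjection` carries no comment tying it to the vulnerability this commit is about, so a later reader will not know it is the regression guard for CVE-2024-49203 (#2409) and may relax or delete it. I would add above the `@Test` line: `// Regression guard for CVE-2024-49203 (#2409): a user-supplied path segment must be rejected by PathBuilder instead of reaching the generated query.` The import added in the earlier hunk is still `com.querydsl.core.types.dsl.PathBuilder`, so nothing in the source distinguishes the OpenFeign fork from the original artifact; this test is the only thing that would fail if the pom ever reverted to the `com.querydsl` groupId, which is worth stating in that comment as well. Asserting `IllegalStateException` specifically couples the test to the fork's current exception type; if the exact type is incidental, asserting `RuntimeException` would keep the intent (rejection) with less coupling — hedged, since the library's documented contract is not visible here.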