From 1978c6c830249a82aa7555da8c4d5a801d6a0a9c Mon Sep 17 00:00:00 2001
From: Emre
Date: Thu, 23 Nov 2023 15:50:40 +0300
Subject: [PATCH 1/4] feat: increase raw query length limit
---
 src/main/java/com/topcoder/dal/util/QueryHelper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/topcoder/dal/util/QueryHelper.java b/src/main/java/com/topcoder/dal/util/QueryHelper.java
index 74a2456..e02843f 100644
--- a/src/main/java/com/topcoder/dal/util/QueryHelper.java
+++ b/src/main/java/com/topcoder/dal/util/QueryHelper.java
@@ -192,7 +192,7 @@ public static String sanitizeSQLStatement(String sql) {
 }
 // Limit the length of the SQL statement to prevent very long strings
- if (sql.length() > 1000) {
+ if (sql.length() > 2000) {
 throw new IllegalArgumentException("SQL statement length exceeds the allowed limit");
 }
From b068aa9bddcd97eb35d617017e1abacfe4247c46 Mon Sep 17 00:00:00 2001
From: Emre
Date: Thu, 23 Nov 2023 16:19:54 +0300
Subject: [PATCH 2/4] feat: do not replace single quote
---
 src/main/java/com/topcoder/dal/util/QueryHelper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/topcoder/dal/util/QueryHelper.java b/src/main/java/com/topcoder/dal/util/QueryHelper.java
index e02843f..2ed8192 100644
--- a/src/main/java/com/topcoder/dal/util/QueryHelper.java
+++ b/src/main/java/com/topcoder/dal/util/QueryHelper.java
@@ -208,7 +208,7 @@ public static String sanitizeSQLStatement(String sql) {
 // replace single quotes with two single quotes to prevent SQL injection through
 // strings
- sql = sql.replace("'", "''");
+ // sql = sql.replace("'", "''");
 return sql;
 }
From 267e923e1470e4238d22a647499b49b70ee95756 Mon Sep 17 00:00:00 2001
From: Emre
Date: Thu, 23 Nov 2023 16:48:04 +0300
Subject: [PATCH 3/4] feat: add char type to row mapper
---
 src/main/java/com/topcoder/dal/DBAccessor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
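Review bot: The raised limit is still a bare literal inside the condition, with nothing recording why 2000 rather than 1000 is the right ceiling; consider hoisting it to `private static final int MAX_SQL_LENGTH = 2000;` and testing `if (sql.length() > MAX_SQL_LENGTH) {`. The exception message could also carry the offending length and the limit so a rejected statement can be diagnosed from logs without echoing the statement text, e.g. `"SQL statement length " + sql.length() + " exceeds the allowed limit of " + MAX_SQL_LENGTH`. sanitizeSQLStatement begins before this hunk and continues after it.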
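Review bot: Commenting out the `replace` leaves the two-line comment above it, "replace single quotes with two single quotes to prevent SQL injection through strings", describing behaviour the method no longer has, and the dead line itself should be deleted rather than kept as a comment. Since `'` is also on the character allowlist earlier in this same method (visible in the PATCH 4/4 hunk), a quote in the input now reaches the driver unchanged, so the series should state where injection is actually prevented — presumably the caller binds values as parameters, but nothing here says so. Doubling every quote in a complete statement would also have mangled legitimate string literals, which is likely the real motivation; a comment such as `// Single quotes are passed through unchanged: callers must supply values via bound parameters, never by concatenating them into the statement.` would record both points. The method's body continues before and after this hunk.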
diff --git a/src/main/java/com/topcoder/dal/DBAccessor.java b/src/main/java/com/topcoder/dal/DBAccessor.java
index 240bf52..a6ca450 100644
--- a/src/main/java/com/topcoder/dal/DBAccessor.java
+++ b/src/main/java/com/topcoder/dal/DBAccessor.java
@@ -126,7 +126,7 @@ private Row rawQueryMapper(ResultSet rs, int rowNum) throws SQLException {
 case java.sql.Types.BIGINT -> valueBuilder.setLongValue(rs.getLong(i + 1));
 case java.sql.Types.FLOAT -> valueBuilder.setFloatValue(rs.getFloat(i + 1));
 case java.sql.Types.DOUBLE -> valueBuilder.setDoubleValue(rs.getDouble(i + 1));
- case java.sql.Types.VARCHAR ->
+ case java.sql.Types.VARCHAR, java.sql.Types.CHAR ->
 valueBuilder.setStringValue(Objects.requireNonNullElse(rs.getString(i + 1), ""));
 case java.sql.Types.BOOLEAN -> valueBuilder.setBooleanValue(rs.getBoolean(i + 1));
 case java.sql.Types.DATE, java.sql.Types.TIMESTAMP -> valueBuilder
From f752f23648204c0846cc56eeb2ba25009fa8a79c Mon Sep 17 00:00:00 2001
From: Emre
Date: Mon, 27 Nov 2023 17:06:23 +0300
Subject: [PATCH 4/4] feat: update safe sql characters
---
 src/main/java/com/topcoder/dal/util/QueryHelper.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/topcoder/dal/util/QueryHelper.java b/src/main/java/com/topcoder/dal/util/QueryHelper.java
index 2ed8192..99cee51 100644
--- a/src/main/java/com/topcoder/dal/util/QueryHelper.java
+++ b/src/main/java/com/topcoder/dal/util/QueryHelper.java
@@ -200,7 +200,8 @@ public static String sanitizeSQLStatement(String sql) {
 StringBuilder safeSQL = new StringBuilder();
 for (char c : sql.toCharArray()) {
 if (Character.isLetterOrDigit(c) || c == ' ' || c == ',' || c == '(' || c == ')' || c == '=' || c == '<'
- || c == '>' || c == '_' || c == ':' || c == '.' || c == '-' || c == '+' || c == '*' || c == '\'') {
+ || c == '>' || c == '_' || c == ':' || c == '.' || c == '-' || c == '+' || c == '*' || c == '\''
+ || c == '!') {
 safeSQL.append(c);
 }
 }
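Review bot: `CHAR` now shares the `VARCHAR` branch, but the other JDBC character types (`NCHAR`, `NVARCHAR`, `LONGVARCHAR`, `LONGNVARCHAR`) still fall to whatever the switch does by default, which is outside this hunk; if that default rejects or skips the column, the same gap remains for those types and the case could read `case java.sql.Types.VARCHAR, java.sql.Types.CHAR, java.sql.Types.NCHAR, java.sql.Types.NVARCHAR, java.sql.Types.LONGVARCHAR, java.sql.Types.LONGNVARCHAR ->`. Note also that most drivers return `CHAR(n)` values blank-padded to the declared width, so callers comparing these strings may see trailing spaces; whether to `stripTrailing()` here is a product decision worth a one-line comment on the branch. rawQueryMapper begins before this hunk and continues after it.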
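Review bot: A character outside the allowlist is silently dropped — the `if` has no `else` — so an input containing, say, `;` is presumably returned with that character removed and a different meaning instead of being rejected, while the length check earlier in the same method throws; for consistency and auditability add `} else { throw new IllegalArgumentException("SQL statement contains a disallowed character: '" + c + "'"); }`. Adding `!` (presumably for `!=`) makes the chained comparison harder to audit each time it grows; a constant such as `private static final String SAFE_SQL_PUNCTUATION = " ,()=<>_:.-+*'!";` tested with `Character.isLetterOrDigit(c) || SAFE_SQL_PUNCTUATION.indexOf(c) >= 0` keeps the set in one place and reduces future changes to one line. Since the set already admits quotes and hyphens, the filter can only reject unexpected characters and cannot by itself prevent injection; a Javadoc line on sanitizeSQLStatement stating that callers must still bind values as parameters would set that expectation. The method begins before this hunk and continues after it.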