This is an automated email from the ASF dual-hosted git repository.

borinquenkid pushed a commit to branch merge-hibernate6
in repository https://gitbox.apache.org/repos/asf/grails-core.git

commit bc2ef37067718f7f69fb3bd6a284c93835a79e63
Author: Walter Duque de Estrada <wbdu...@mac.com>
AuthorDate: Sun Aug 17 16:17:04 2025 -0500

    partial fix HibernateGormStaticApi
---
 .../orm/hibernate/HibernateGormStaticApi.groovy    | 28 +++-------------------
 .../hibernate/HibernateGormStaticApiSpec.groovy    |  2 +-
 2 files changed, 4 insertions(+), 26 deletions(-)

diff --git 
a/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
 
b/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
index 57d8900e99..42828e74b5 100644
--- 
a/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
+++ 
b/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
@@ -259,30 +259,8 @@ class HibernateGormStaticApi<D> extends GormStaticApi<D> {
 
     @Override
     D find(CharSequence query, Collection params, Map args) {
-        if(query instanceof GString) {
-            throw new GrailsQueryException("Unsafe query [$query]. GORM cannot 
automatically escape a GString value when combined with ordinal parameters, so 
this query is potentially vulnerable to HQL injection attacks. Please embed the 
parameters within the GString so they can be safely escaped.");
-        }
-
-        String queryString = query.toString()
-        queryString = normalizeMultiLineQueryString(queryString)
-
-        args = new HashMap(args)
-        def template = hibernateTemplate
-        return (D) template.execute { Session session ->
-            Query q = (Query) session.createQuery(queryString, 
persistentEntity.javaClass)
-            template.applySettings(q)
-
-            params.eachWithIndex { val, int i ->
-                if (val instanceof CharSequence) {
-                    q.setParameter i, val.toString()
-                }
-                else {
-                    q.setParameter i, val
-                }
-            }
-            populateQueryArguments(q, args)
-            createHqlQuery(session, q).singleResult()
-        }
+        def result = numberedParameterQuery(query, args, params)
+        result ? result.first() : null
     }
 
     @Override
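Review bot: The rewritten `find` drops the `query instanceof GString` rejection that used to throw `GrailsQueryException` before any query was built, and nothing in this hunk shows `numberedParameterQuery` performing the same check. That helper is defined outside the hunk; if it neither rejects nor safely binds a GString combined with a params list, interpolated values would reach the HQL string unescaped, which is the injection case the removed message described. Either keep the guard at the top of `find`, `if (query instanceof GString) { throw new GrailsQueryException(...) }`, or add a comment naming where the helper enforces it. Separately, the old path ended in `singleResult()`, while `result ? result.first() : null` takes the first element of a collection, so unless the helper caps the result size this may load every matching row.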
@@ -355,7 +333,7 @@ class HibernateGormStaticApi<D> extends GormStaticApi<D> {
                 sql = buildOrdinalParameterQueryFromGString((GString)sql, 
params)
             }
 
-            NativeQuery q = 
(NativeQuery)session.createNativeQuery(sql.toString())
+            NativeQuery q = 
(NativeQuery)session.createNativeQuery(sql.toString(),persistentEntity.javaClass)
 
             template.applySettings(q)
 
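Review bot: Passing `persistentEntity.javaClass` to `createNativeQuery` presumably requires every native query on this path to return columns that map onto the entity, so a projection or aggregate would now fail at result mapping instead of returning raw rows. The enclosing method starts and ends outside the hunk, so which public methods reach this line is not visible; its doc comment should state that restriction. A comment is also worth adding here, because only a GString goes through `buildOrdinalParameterQueryFromGString`, while a plain String `sql` is handed to `sql.toString()` as written: `// plain String SQL is executed verbatim; only GString values become bound parameters`.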
diff --git 
a/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
 
b/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
index 51d5a293a7..e281c126ca 100644
--- 
a/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
+++ 
b/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
@@ -356,7 +356,7 @@ class HibernateGormStaticApiSpec extends 
HibernateGormDatastoreSpec {
         new HibernateGormStaticApiEntity(name: "test2").save(flush: true, 
failOnError: true)
 
         when:
-        def instance = HibernateGormStaticApiEntity.find("from 
HibernateGormStaticApiEntity where name = ?", ['test2'])
+        def instance = HibernateGormStaticApiEntity.find("from 
HibernateGormStaticApiEntity where name = ?1", ['test2'])
 
         then:
         instance.name == 'test2'
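Review bot: This spec change only pins the happy path with a plain String and the `?1` placeholder, so nothing here covers the GString-plus-params case that `find` rejected before this commit. If that rejection is meant to survive the refactor, add a feature method that calls `find` with a GString query and a params list and asserts `thrown(GrailsQueryException)`. It would also help to state in the test name or a comment that the legacy bare `?` placeholder is no longer accepted, since existing callers using it will need the same edit as this line.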
