This is an automated email from the ASF dual-hosted git repository. borinquenkid pushed a commit to branch 7.1.x-hibernate6 in repository https://gitbox.apache.org/repos/asf/grails-core.git
commit 6869691a96b33e6a93d59f04bf700dccb64f6fd0
Author: Walter Duque de Estrada <[email protected]>
AuthorDate: Tue Oct 21 20:58:20 2025 -0500
Fix DataServiceSpec
---
 .../orm/hibernate/HibernateGormStaticApi.groovy | 19 ++++---------------
 .../grails/gorm/specs/services/DataServiceSpec.groovy | 19 ++++++++-----------
 .../orm/hibernate/HibernateGormStaticApiSpec.groovy | 8 ++++----
 3 files changed, 16 insertions(+), 30 deletions(-)
diff --git a/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy b/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
index 8aa1ad0435..32513ab5af 100644
--- a/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
+++ b/grails-data-hibernate6/core/src/main/groovy/org/grails/orm/hibernate/HibernateGormStaticApi.groovy
@@ -289,21 +289,10 @@ class HibernateGormStaticApi<D> extends GormStaticApi<D> {
 Collection _positionalParams, Map args , boolean isNative) {
- Map namedParams
- String queryString
- if (queryCharseq instanceof GString && !isNative) {
- if(!_namedParams) {
- throw new GrailsQueryException("Unsafe query [$queryCharseq]. GORM cannot automatically escape a GString value when combined with both named and ordinal parameters, so this query is potentially vulnerable to HQL injection attacks. Please embed the parameters within the GString so they can be safely escaped.");
- }
- namedParams = new HashMap(_namedParams)
- queryString = buildNamedParameterQueryFromGString((GString)queryCharseq,namedParams)
- } else {
- if(queryCharseq instanceof GString) {
- throw new GrailsQueryException("Unsafe query [$queryCharseq]. GORM cannot automatically escape a GString value when combined with both named and ordinal parameters, so this query is potentially vulnerable to HQL injection attacks. Please embed the parameters within the GString so they can be safely escaped.");
- }
- queryString = queryCharseq?.toString()
- namedParams = _namedParams ? new HashMap(_namedParams) : new HashMap()
- }
+ Map namedParams = _namedParams ? new HashMap(_namedParams) : new HashMap()
+ String queryString = queryCharseq instanceof GString ?
+ buildNamedParameterQueryFromGString((GString) queryCharseq, namedParams)
+ : queryCharseq?.toString()
 List positionalParams = _positionalParams ? new ArrayList(_positionalParams) : new ArrayList()
 String hql = normalizeMultiLineQueryString(queryString?.toString())
 Map argCopy = args != null ? new HashMap(args) : Collections.emptyMap()
diff --git a/grails-data-hibernate6/core/src/test/groovy/grails/gorm/specs/services/DataServiceSpec.groovy b/grails-data-hibernate6/core/src/test/groovy/grails/gorm/specs/services/DataServiceSpec.groovy
index b7953fe7e1..ca5e236313 100644
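Review bot: Removing both GrailsQueryException guards means a GString query now always goes through buildNamedParameterQueryFromGString, including when isNative is true, which the previous code refused outright; within the hunk isNative is no longer consulted at all. Whether the placeholders that helper emits are valid in a native SQL query is not visible here, and the tests this commit touches (findAll/executeQuery in HibernateGormStaticApiSpec) only exercise HQL, so the native path needs its own test before the guard is dropped for it. The remaining injection protection now rests entirely on that helper binding every interpolated value as a parameter instead of splicing it into the query text, and that contract should be stated at the call site, e.g. `// GString values are bound as named parameters by buildNamedParameterQueryFromGString, never concatenated into the HQL text` (confirm against the helper). The commit message ("Fix DataServiceSpec") does not say why the native and GString-plus-positional-parameter restrictions are lifted, so a sentence in this method's doc comment would help the next reader. The enclosing method's signature starts above the hunk.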
--- a/grails-data-hibernate6/core/src/test/groovy/grails/gorm/specs/services/DataServiceSpec.groovy
+++ b/grails-data-hibernate6/core/src/test/groovy/grails/gorm/specs/services/DataServiceSpec.groovy
@@ -294,7 +294,6 @@ class DataServiceSpec extends Specification {
 }
- @Ignore("Query is an Unsafe GString")
 void "test @query annotation"() {
 given:
 ProductService productService = datastore.getService(ProductService)
@@ -305,15 +304,15 @@ class DataServiceSpec extends Specification {
 when:
- Product product = productService.searchWithQuery("Carr%")
+ Product product = productService.searchWithQuery([pattern:"Carr%"])
 then:
 product != null
 product.name == "Carrot"
- productService.searchProductType("Carr%") == "Vegetable"
+ productService.searchProductType("Carr%") == ["Vegetable"]
 when:
- List<Product> results = productService.searchAllWithQuery("Veg%")
+ List<Product> results = productService.searchAllWithQuery([pattern:"Veg%"])
 then:
 results.size() == 2
@@ -327,7 +326,6 @@ class DataServiceSpec extends Specification {
 }
- @Ignore("Query is an Unsafe GString")
 void "test interface projection"() {
 given:
 ProductService productService = datastore.getService(ProductService)
@@ -368,7 +366,6 @@ class DataServiceSpec extends Specification {
 }
- @Ignore("Query is an Unsafe GString")
 void "test join query on attributes with @Query"() {
 given:
 ProductService productService = datastore.getService(ProductService)
@@ -479,14 +476,14 @@ interface ProductService {
 @Where({ name ==~ pattern })
 ProductInfo searchProductInfoByName(String pattern)
- @Query("from ${Product p} where $p.name like $pattern")
- Product searchWithQuery(String pattern)
+ @Query("from ${Product p} where $p.name like :pattern")
+ Product searchWithQuery(Map args)
 @Query("select ${p.type} from ${Product p} where $p.name like $pattern")
- String searchProductType(String pattern)
+ List<String> searchProductType(String pattern)
- @Query("from ${Product p} where $p.type like $pattern")
- List<Product> searchAllWithQuery(String pattern)
+ @Query("from ${Product p} where $p.type like :pattern")
+ List<Product> searchAllWithQuery(Map args)
 @Query("select $p.name from ${Product p} where $p.type like $pattern")
 List<String> searchProductNames(String pattern)
diff --git a/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy b/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
index 7c18328c2b..2b422d1168 100644
--- a/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
+++ b/grails-data-hibernate6/core/src/test/groovy/org/grails/orm/hibernate/HibernateGormStaticApiSpec.groovy
@@ -461,7 +461,7 @@ class HibernateGormStaticApiSpec extends HibernateGormDatastoreSpec {
 List<Club> results = Club.findAll("from Club c where c.name like $p order by c.name")
 then:"Exception is thrown"
- thrown(GrailsQueryException)
+ results.size() == 2
 when:"A query that passes arguments is used"
 results = Club.findAll("from Club c where c.name like $p and c.name like :test order by c.name", [test:'%e%'])
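Review bot: The interface now mixes two parameter styles: searchWithQuery and searchAllWithQuery take a Map and use `:pattern`, while searchProductType and searchProductNames still interpolate `$pattern` from a String parameter, and nothing in the commit says why the first pair could not keep the String form. If the Map form is required whenever the @Query returns entities rather than a projection (that is my reading of which methods were changed, not something the hunk states), a one-line comment above searchWithQuery such as `// entity-returning @Query methods take their named parameters from a Map` would stop the two styles being "harmonised" later in the wrong direction. Widening searchProductType to List<String> is the honest type for a `like` projection that can match several rows, so that part reads fine.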
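Review bot: The `then:"Exception is thrown"` label is now wrong, since the block asserts `results.size() == 2`; the sibling hunk at line 481 already says "The results are correct", so this one should read the same, e.g. `then:"The results are correct"`. More importantly, a row count alone does not distinguish a bound parameter from a value spliced into the HQL text, so after the guard removal this test no longer pins the behaviour that replaced it; a pattern value that must be matched literally (one containing a single quote, for instance) returning the expected rows would. The `$p` value and the surrounding `when:` block are defined above the hunk.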
@@ -481,14 +481,14 @@ class HibernateGormStaticApiSpec extends HibernateGormDatastoreSpec {
 List<Club> results = Club.executeQuery("from Club c where c.name like $p order by c.name")
 then:"The results are correct"
- thrown(GrailsQueryException)
+ results.size() == 2
 when:"A query that passes arguments is used"
- results = Club.executeQuery("from Club c where c.name like $p and c.name like :test order by c.name", [test:'%e%'])
+ results = Club.executeQuery("from Club c where c.name like $p and c.name like :test order by c.name", [test:'%e%'],[:])
 then:"The results are correct"
- thrown(GrailsQueryException)
+ results.size() == 2
 }
 void "test escape HQL in find with gstring"() {
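Review bot: `[:]` is appended as a third argument only to this executeQuery call, while the otherwise identical findAll call in the hunk at line 461 keeps the two-argument form, and the commit does not say why. If the extra empty map is what selects the overload that treats the Map as named parameters rather than as query options (inferred from the change, not visible here), that points at the two-argument overload catching real callers the same way and deserves a fix there, or at minimum a comment on this line such as `// empty third arg selects the (query, namedParams, args) overload`. As in the previous hunk, `results.size() == 2` does not by itself show that the `$p` value was bound rather than concatenated.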
