Sanitize untrusted text before using in Hibernate

Merged Robert Chadwick [Schlumberger] requested to merge hibernate-interpolator-rce-fix into master

Escape untrusted text so a malicious user is unable to trigger remote code execution exploits by sending special text within the JSON body.

Hibernate will interpolate text surrounded by ${} which can include arbitrary Java. Untrusted data must be escaped to prevent these values from being interpolated during the call to ConstraintValidatorContext.buildConstraintViolationWithTemplate().

Linked Gitlab issue:

Edited by Chris Zhang
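
The escaping described in this merge request, as an added example that is not the code from the merge request itself: a JDK-only helper that backslash-escapes the characters Hibernate Validator treats as special in a message template (`\`, `{`, `}`, `$`). The class name, method name and sample values are assumptions made for illustration.

```java
import java.util.List;

// Added example: not the code from this merge request.
public class TemplateEscapeExample {

    /**
     * Backslash-escape the characters Hibernate Validator treats as special
     * in a message template: '\', '{', '}' and '$'. After escaping, the
     * interpolator emits the text literally instead of resolving
     * {parameter} or evaluating ${expression}.
     */
    static String escapeForTemplate(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 8);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\\' || c == '{' || c == '}' || c == '$') {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for fields of a JSON body.
        List<String> samples = List.of(
                "plain-name",
                "${1+1}",
                "{jakarta.validation.constraints.NotNull.message}",
                "C:\\temp\\${x}");
        for (String value : samples) {
            // In a ConstraintValidator this string would be passed to
            // context.buildConstraintViolationWithTemplate(template).
            String template = "Invalid value: " + escapeForTemplate(value);
            System.out.println(template);
        }
    }
}
```

Hibernate Validator also provides `HibernateConstraintValidatorContext.addMessageParameter()` and `addExpressionVariable()`, which pass a value to a fixed template by name so the untrusted text never becomes part of the template string.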
