Skip to content

Sanitize untrusted text before using in Hibernate

Escape untrusted text so a malicious user is unable to trigger remote code execution exploits by sending special text within the JSON body.

Hibernate will interpolate text surrounded by ${} which can include arbitrary Java. Untrusted data must be escaped to prevent these values from being interpolated during the call to ConstraintValidatorContext.buildConstraintViolationWithTemplate().

Linked Gitlab issue: https://community.opengroup.org/osdu/platform/system/home/-/issues/90

Edited by Chris Zhang

Merge request reports

Loading