Sanitize untrusted text before using in Hibernate (!119) · Merge requests · OSDU Software / OSDU Data Platform / System / Lib / core / OS Core Common

Robert Chadwick [Schlumberger] requested to merge hibernate-interpolator-rce-fix into master Sep 21, 2021

Escape untrusted text so a malicious user is unable to trigger remote code execution exploits by sending special text within the JSON body.

Hibernate will interpolate text surrounded by ${} which can include arbitrary Java. Untrusted data must be escaped to prevent these values from being interpolated during the call to ConstraintValidatorContext.buildConstraintViolationWithTemplate().

Linked Gitlab issue: https://community.opengroup.org/osdu/platform/system/home/-/issues/90

Edited Oct 14, 2021 by Chris Zhang

Sanitize untrusted text before using in Hibernate

Merge request reports