Headline
CVE-2023-25158: Merge pull request from GHSA-99c3-qc2q-p94m · geotools/geotools@64fb4c4
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable encode functions for PostGIS DataStores or enable prepared statements for JDBCDataStores as a partial mitigation.
@@ -187,29 +187,37 @@ public void setUp() throws SchemaException { @Test public void testLikeToSQL() { Assert.assertEquals( "BroadWay%", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “BroadWay*”)); "BroadWay%", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "BroadWay*", true)); Assert.assertEquals( "broad#ay", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broad#ay”)); "broad#ay", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broad#ay", true)); Assert.assertEquals( "broadway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broadway”)); "broadway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broadway", true));
Assert.assertEquals( "broad_ay", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broad.ay”)); "broad_ay", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broad.ay", true)); Assert.assertEquals( "broad.ay", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broad!.ay”)); "broad.ay", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broad!.ay", true));
Assert.assertEquals( "broa’’dway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broa’dway”)); "broa’’dway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broa’dway", true)); Assert.assertEquals( "broa’’’’dway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broa” + “’’dway”)); LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broa” + "’’dway", true)); Assert.assertEquals( "broa’dway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broa’dway", false)); Assert.assertEquals( "broa’’dway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broa” + "’’dway", false));
Assert.assertEquals( "broadway_", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broadway.”)); "broadway_", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broadway.", true)); Assert.assertEquals( "broadway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broadway!”)); "broadway", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broadway!", true)); Assert.assertEquals( "broadway!", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, “broadway!!”)); "broadway!", LikeFilterImpl.convertToSQL92('!’, '*’, '.’, true, "broadway!!", true)); }
/**
Related news
### Impact GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations: 1. ``PropertyIsLike`` filter * Requires PostGIS DataStore with "encode functions" enabled * Or any JDBCDataStore (all relational databases) with String field (no mitigation) 3. ``strEndsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 5. ``strStartsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 6. ``FeatureId`` filter * Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does) 7. ``jsonArrayContains`` function * Requires PostGIS and Oracle DataStore with String or JSON field 8. ``DWithin`` filter * Happe...