Upgrading HSQLDB from 2.7.0 to 2.7.1 breaks tests.

huangapple go评论60阅读模式
英文:

Upgrading HSQLDB from 2.7.0 to 2.7.1 breaks tests

问题

I'm trying to upgrade HSQLDB from 2.7.0 to 2.7.1 but it breaks the tests. The test can be whatever, the error is always the same.

Test class:

@RunWith( SpringJUnit4ClassRunner.class )
@Transactional( transactionManager = "txManager" )
@Rollback
@ContextConfiguration( "classpath:applicationContext-test.xml" )
public class JdbcOrdersDaoImplTest {

@Autowired
private OrdersAdminDao hsqlOrdersDao;

@Test
public void setUp() {
}

applicationContext-test.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
       xsi:schemaLocation="http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.3.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <import resource="classpath:applicationContext-Order-SQL.xml"/>
    <import resource="classpath:applicationContext-OrderEvent-SQL.xml"/>
    <import resource="classpath:applicationContext-Message-SQL.xml"/>

    <bean id="hsqlDataSource" class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close">
        <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
        <property name="url" value="jdbc:hsqldb:mem:test;sql.syntax_pgs=true;hsqldb.sqllog=3;hsqldb.applog=3"/>
        <property name="username" value="Foo"/>
        <property name="password" value=""/>
    </bean>

    <jdbc:initialize-database data-source="hsqlDataSource">
        <jdbc:script location="file:src/main/sql/archive/5.0/init_core_structure.sql"/>
        <jdbc:script location="classpath:hsqldb-create-sequence.sql"/>
        <jdbc:script location="classpath:create-date-function.sql"/>
    </jdbc:initialize-database>

    <bean id="hsqlOrdersDao" class="com.source.fix.gateway.data.impl.JdbcOrdersDaoImpl">
        <property name="dataSource" ref="hsqlDataSource"/>
    </bean>

    <bean id="txManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
        <property name="dataSource" ref="hsqlDataSource"/>
    </bean>


</beans>

Stack trace:

Failed to load ApplicationContext
java.lang.IllegalStateException: Failed to load ApplicationContext
(...)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.jdbc.datasource.init.DataSourceInitializer#0': Invocation of init method failed; nested exception is org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [create-date-function.sql]: CREATE FUNCTION DATE(v TIMESTAMP) RETURNS DATE LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:com.source.fix.PostgresDate.date'; nested exception is java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: com.source.fix.PostgresDate
(...)
Caused by: org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [create-date-function.sql]: CREATE FUNCTION DATE(v TIMESTAMP) RETURNS DATE LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:com.source.fix.PostgresDate.date'; nested exception is java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: com.source.fix.PostgresDate
(...)
Caused by: java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: com.source.fix.PostgresDate
(...)
Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: com.source.fix.PostgresDate

For context here's the changelist for 2.7.1:
20 Oct 2022 - version 2.7.1
-- version 2.7.1 jar requires JRE 11 or later - tested up to Java 17
-- version 2.7.1 alternative jar requires JRE 8 or later
-- CVE-2022-41853 disallow calling java methods - setting the hsqldb.method_class_names is required for accessing java methods
-- enhancements to RECURSIVE CTE's

and a description of CVE-2022-41853 from NIST:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

If I understand correctly (maybe I'm wrong), the problem lies in the fact that application context is not loaded automatically and I have to enable it manually. I'm not sure how to do that, though.

英文:

I'm trying to upgrade HSQLDB from 2.7.0 to 2.7.1 but it breaks the tests. The test can be whatever, the error is always the same.

Test class:

@RunWith( SpringJUnit4ClassRunner.class )
@Transactional( transactionManager = &quot;txManager&quot; )
@Rollback
@ContextConfiguration( &quot;classpath:applicationContext-test.xml&quot; )
public class JdbcOrdersDaoImplTest {

@Autowired
private OrdersAdminDao hsqlOrdersDao;

@Test
public void setUp() {
}

applicationContext-test.xml:

&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;beans xmlns=&quot;http://www.springframework.org/schema/beans&quot;
       xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:jdbc=&quot;http://www.springframework.org/schema/jdbc&quot;
       xsi:schemaLocation=&quot;http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.3.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd&quot;&gt;

    &lt;import resource=&quot;classpath:applicationContext-Order-SQL.xml&quot;/&gt;
    &lt;import resource=&quot;classpath:applicationContext-OrderEvent-SQL.xml&quot;/&gt;
    &lt;import resource=&quot;classpath:applicationContext-Message-SQL.xml&quot;/&gt;

    &lt;bean id=&quot;hsqlDataSource&quot; class=&quot;org.apache.commons.dbcp2.BasicDataSource&quot; destroy-method=&quot;close&quot;&gt;
        &lt;property name=&quot;driverClassName&quot; value=&quot;org.hsqldb.jdbcDriver&quot;/&gt;
        &lt;property name=&quot;url&quot; value=&quot;jdbc:hsqldb:mem:test;sql.syntax_pgs=true;hsqldb.sqllog=3;hsqldb.applog=3&quot;/&gt;
        &lt;property name=&quot;username&quot; value=&quot;Foo&quot;/&gt;
        &lt;property name=&quot;password&quot; value=&quot;&quot;/&gt;
    &lt;/bean&gt;

    &lt;jdbc:initialize-database data-source=&quot;hsqlDataSource&quot;&gt;
        &lt;jdbc:script location=&quot;file:src/main/sql/archive/5.0/init_core_structure.sql&quot;/&gt;
        &lt;jdbc:script location=&quot;classpath:hsqldb-create-sequence.sql&quot;/&gt;
        &lt;jdbc:script location=&quot;classpath:create-date-function.sql&quot;/&gt;
    &lt;/jdbc:initialize-database&gt;

    &lt;bean id=&quot;hsqlOrdersDao&quot; class=&quot;com.source.fix.gateway.data.impl.JdbcOrdersDaoImpl&quot;&gt;
        &lt;property name=&quot;dataSource&quot; ref=&quot;hsqlDataSource&quot;/&gt;
    &lt;/bean&gt;

    &lt;bean id=&quot;txManager&quot; class=&quot;org.springframework.jdbc.datasource.DataSourceTransactionManager&quot;&gt;
        &lt;property name=&quot;dataSource&quot; ref=&quot;hsqlDataSource&quot;/&gt;
    &lt;/bean&gt;


&lt;/beans&gt;

Stack trace:

Failed to load ApplicationContext
java.lang.IllegalStateException: Failed to load ApplicationContext
(...)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name &#39;org.springframework.jdbc.datasource.init.DataSourceInitializer#0&#39;: Invocation of init method failed; nested exception is org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [create-date-function.sql]: CREATE FUNCTION DATE(v TIMESTAMP) RETURNS DATE LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME &#39;CLASSPATH:com.source.fix.PostgresDate.date&#39;; nested exception is java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: com.source.fix.PostgresDate
(...)
Caused by: org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [create-date-function.sql]: CREATE FUNCTION DATE(v TIMESTAMP) RETURNS DATE LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME &#39;CLASSPATH:com.source.fix.PostgresDate.date&#39;; nested exception is java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: com.source.fix.PostgresDate
(...)
Caused by: java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: com.source.fix.PostgresDate
(...)
Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: com.source.fix.PostgresDate

For context here's the changelist for 2.7.1:
20 Oct 2022 - version 2.7.1
-- version 2.7.1 jar requires JRE 11 or later - tested up to Java 17
-- version 2.7.1 alternative jar requires JRE 8 or later
-- CVE-2022-41853 disallow calling java methods - setting the hsqldb.method_class_names is required for accessing java methods
-- enhancements to RECURSIVE CTE's

and a description of CVE-2022-41853 from NIST:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

If I understand correctly (maybe I'm wrong), the problem lies in the fact that application context is not loaded automatically and I have to enable it manually. I'm not sure how to do that, though.

答案1

得分: 0

The Java command to run the application must include the class names for external methods. For example:

java -Dhsqldb.method_class_names="com.source.fix.PostgresDate.date" ...

You should be able to set this system property by adding it to the Spring framework configuring.

英文:

The Java command to run the application must include the class names for external methods. For example:

java -Dhsqldb.method_class_names=&quot;com.source.fix.PostgresDate.date&quot; ...

You should be able to set this system property by adding it to the Spring framework configuring.

huangapple
  • 本文由 发表于 2023年3月15日 18:15:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/75743314.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定