- fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
- Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands.
- Also adds a new test class ResultSetRefreshTest to verify this change.
- Reported by Sho Kato
- chore: skip publishing pgjdbc-osgi-test to Central
- chore: bump Gradle to 7.5
- test: update JUnit to 5.8.2
- chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
- chore: added “permissions: contents: read” for GitHub Actions to avoid unintentional modifications by the CI
- chore: support building pgjdbc with Java 17
Commits by author
Dave Cramer (9):
bump gradle to version 3 to fix compile errors with jdk17 [PR 2550](https://github.com/pgjdbc/pgjdbc/pull/2550) update the website content [PR 2578](https://github.com/pgjdbc/pgjdbc/pull/2578)
Sehrope Sarkuni (1):
Fix SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
Vladimir Sitnikov (34):
bump system-stubs-jupiter to 2.0.1 to support Java 16+ update JUnit to 5.8.2 migrate DriverTest to JUnit5 bump Gradle to 7.5