Notable Changes

Security

• fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  • Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands.
  • Also adds a new test class ResultSetRefreshTest to verify this change.
  • Reported by Sho Kato

Changed

• chore: skip publishing pgjdbc-osgi-test to Central
• chore: bump Gradle to 7.5
• test: update JUnit to 5.8.2

Added

• chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
• chore: added “permissions: contents: read” for GitHub Actions to avoid unintentional modifications by the CI
• chore: support building pgjdbc with Java 17

Commits by author

Dave Cramer (9):

  bump gradle to version 3 to fix compile errors with jdk17 [PR 2550](https://github.com/pgjdbc/pgjdbc/pull/2550)
  update the website content [PR 2578](https://github.com/pgjdbc/pgjdbc/pull/2578)

Sehrope Sarkuni (1):

Fix SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.

Vladimir Sitnikov (34):

bump system-stubs-jupiter to 2.0.1 to support Java 16+
update JUnit to 5.8.2
migrate DriverTest to JUnit5
bump Gradle to 7.5