Bug #118688 com.mysql.cj.protocol.a.StringValueEncoder#getString does not handle string escaping
Submitted: 21 Jul 8:42  Modified: 19 Oct 16:21
Reporter: feng shen (OCA)  Email Updates:
Status: Closed  Impact on me: None
Category: Connector / J  Severity: S3 (Non-critical)
Version: 8.4.0, 9.3.0  OS: Any
Assigned to:  CPU Architecture: Any

[21 Jul 8:42] feng shen
Description:
The method com.mysql.cj.protocol.a.StringValueEncoder#getString does not escape string values properly, which causes com.mysql.cj.ClientPreparedQuery#asSql to generate incorrect SQL. This may lead to invalid SQL syntax or potential security issues.

How to repeat:
import com.mysql.cj.BindValue;
import com.mysql.cj.ClientPreparedQuery;
import com.mysql.cj.jdbc.ClientPreparedStatement;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;

public class Repeat {
    public static void main(String[] args) throws Exception {
        Connection connection = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/test", "root", "123456");
        ClientPreparedStatement preparedStatement = (ClientPreparedStatement) connection.prepareStatement("select * from test where id = ?");
        preparedStatement.setString(1, "'a'");
        for (BindValue bindValue : preparedStatement.getQueryBindings().getBindValues()) {
            byte[] byteValue = bindValue.getByteValue();
            // right: the bound value itself is escaped correctly
            System.out.println(new String(byteValue, StandardCharsets.UTF_8));
        }
        String sql = ((ClientPreparedQuery) preparedStatement.getQuery()).asSql();
        // error: the rendered SQL contains the quotes unescaped
        System.out.println(sql);
    }
}
[21 Jul 8:57] feng shen
Although this issue does not affect the actual execution of SQL statements, developers who rely on ClientPreparedQuery#asSql to log or reconstruct SQL queries may unknowingly introduce SQL injection risks, depending on how the resulting SQL string is used. This potential vulnerability should be further evaluated.
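Added example, not code from the reporter, the PR or Connector/J: a stand-alone renderer showing what a placeholder-substituting asSql has to do, namely escape each string parameter as a MySQL string literal and skip '?' characters that sit inside quoted literals. The class and method names are assumed; the escaping rules assume the server is not running with NO_BACKSLASH_ESCAPES.

```java
import java.util.List;
public class EscapedSqlRenderer {
    // Wrap a value in single quotes and escape the characters MySQL treats specially in a literal.
    static String escapeStringValue(String value) {
        StringBuilder sb = new StringBuilder("'");
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '\'': sb.append("\\'"); break;
                case '"': sb.append("\\\""); break;
                case '\0': sb.append("\\0"); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\u001a': sb.append("\\Z"); break;
                default: sb.append(c);
            }
        }
        return sb.append('\'').toString();
    }
    // Substitute each '?' outside a quoted literal or identifier with its escaped parameter.
    static String render(String query, List<String> params) {
        StringBuilder out = new StringBuilder();
        int next = 0;
        char quote = 0; // non-zero while inside a ', " or ` delimited token
        for (int i = 0; i < query.length(); i++) {
            char c = query.charAt(i);
            if (quote != 0) {
                out.append(c);
                if (c == '\\' && i + 1 < query.length()) out.append(query.charAt(++i));
                else if (c == quote) quote = 0;
            } else if (c == '\'' || c == '"' || c == '`') {
                quote = c;
                out.append(c);
            } else if (c == '?') {
                if (next >= params.size()) throw new IllegalArgumentException("no value for placeholder " + (next + 1));
                out.append(escapeStringValue(params.get(next++)));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
    public static void main(String[] args) {
        // Constructed input mirroring the report: the bound value is itself a quoted string.
        System.out.println(render("select * from test where id = ?", List.of("'a'")));
    }
}
```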
[22 Jul 8:21] MySQL Verification Team
Hello feng shen,

Thank you for the report and feedback.

regards,
Umesh
[22 Jul 11:06] feng shen
I have sent a PR for this issue:
https://github.com/mysql/mysql-connector-j/pull/118
[22 Jul 20:39] OCA Admin
Contribution submitted via Github - Fix Bug #118688	com.mysql.cj.protocol.a.StringValueEncoder#getString does not ha 
(*) Contribution by feng shen (Github ShenFeng312, mysql-connector-j/pull/118#issuecomment-3101958597): I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: git_patch_2681390127.txt (text/plain), 3.59 KiB.

[19 Oct 16:21] Edward Gilmore
Posted by developer:
 
Added the following note to the Connector/J 9.5.0 release notes:

Rendering of PreparedStatement queries, by replacing placeholders with 
the given parameters, failed to properly escape string values containing 
quote characters, resulting in syntactically incorrect SQL. 

Our thanks to Feng Shen for the contribution.