LDEV-4866 fix query parser out of bounds

https://luceeserver.atlassian.net/browse/LDEV-4866
zspitzer · Jun 7, 2024 · 6c69d0b · 6c69d0b
1 parent 9b7de85
commit 6c69d0b
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 5 deletions.
diff --git a/core/src/main/java/lucee/runtime/db/SQLImpl.java b/core/src/main/java/lucee/runtime/db/SQLImpl.java
@@ -106,7 +106,7 @@ public String toString() {
 		int index = 0;
 		for (int i = 0; i < sqlLen; i++) {
 			c = strSQL.charAt(i);
-			if (!inQuotes && sqlLen + 1 > i) {
+			if (!inQuotes && i < (sqlLen - 1)) {
 				// read multi line
 				if (c == '/' && strSQL.charAt(i + 1) == '*') {
 					int end = strSQL.indexOf("*/", i + 2);
@@ -118,7 +118,7 @@ public String toString() {
 				}
 
 				// read single line
-				if (c == '-' && strSQL.charAt(i + 1) == '-') {
+				if (c == '-' && i < (sqlLen - 1) && strSQL.charAt(i + 1) == '-') {
 					int end = strSQL.indexOf('\n', i + 1);
 					if (end != -1) {
 						i = end + 1;

diff --git a/core/src/main/java/lucee/runtime/tag/util/QueryParamConverter.java b/core/src/main/java/lucee/runtime/tag/util/QueryParamConverter.java
@@ -114,7 +114,7 @@ public static Struct toStruct(SQLItem item, boolean fns) {
 			NamedSQLItem nsi = (NamedSQLItem) item;
 			sct.setEL(KeyConstants._name, nsi.getName());
 		}
-		if (fns || item.getValue() != null) sct.setEL(KeyConstants._value, item.getValue());
+		if (fns || item.getValue() != null) sct.setEL(KeyConstants._value, item.getValue() );
 		else sct.setEL(KeyConstants._value, "");
 		sct.setEL(KeyConstants._type, SQLCaster.toStringType(item.getType(), null));
 		sct.setEL(KeyConstants._scale, item.getScale());
@@ -146,7 +146,7 @@ private static SQL convert(String sql, List<SQLItems<SQLItem>> items, List<SQLIt
 
 		for (int i = 0; i < sqlLen; i++) {
 			c = sql.charAt(i);
-			if (!inQuotes && sqlLen + 1 > i) {
+			if (!inQuotes && i < (sqlLen - 1)) {
 				// read multi line
 				if (c == '/' && sql.charAt(i + 1) == '*') {
 					int end = sql.indexOf("*/", i + 2);
@@ -158,7 +158,7 @@ private static SQL convert(String sql, List<SQLItems<SQLItem>> items, List<SQLIt
 				}
 
 				// read single line
-				if (c == '-' && sql.charAt(i + 1) == '-') {
+				if (c == '-' && i < (sqlLen - 1) && sql.charAt(i + 1) == '-') {
 					int end = sql.indexOf('\n', i + 1);
 					if (end != -1) {
 						i = end + 1;

diff --git a/test/tickets/LDEV4866.cfc b/test/tickets/LDEV4866.cfc
@@ -0,0 +1,41 @@
+component extends="org.lucee.cfml.test.LuceeTestCase" labels="query" {
+
+	variables.ds = server.getDatasource( service="h2", dbFile=server._getTempDir( "LDEV4866" ) );
+	variables.params = { a:1, b:2 };
+
+	function run( testResults , testBox ) {
+		describe( title='LDEV-4866' , body=function(){
+			it( title='test query parsing, /* */-' , body=function() {
+				doQuery("#chr(13)# /* */- ");
+				doQuery("#chr(13)# /* */- ");
+				doQuery("/* */-");
+			});
+			it( title='test query parsing, just a - whitespace' , body=function() {
+				doQuery("#chr(9)# - #chr(13)# ");
+			});
+
+			it( title='test query parsing, just a -' , body=function() {
+				doQuery("-");
+			});
+
+			it( title='test query parsing, just a / whitespace' , body=function() {
+				doQuery("#chr(9)# / #chr(13)# ");
+			});
+			it( title='test query parsing, just a /' , body=function() {
+				doQuery("/");
+			});
+		});
+	}
+
+	private function doQuery(sql){
+		try {
+			query name="test" datasource="#ds#" params="#params#" {
+				echo( sql );
+			}
+		} catch (e) {
+			 if ( e.stackTrace.indexOf("lucee.runtime.exp.DatabaseException:") neq 0 )
+				rethrow;
+		}
+	}
+
+}