Query param parsing assumes / or - will never be the last char in the SQL string

Description

These may not be valid SQL, but they highlight the issue. The query param parsing loop that goes char by char assumes that all / and - chars will always have at least one additional character after them. Some more validation is needed here:

<cfquery name="test" datasource="myDSN"> - </cfquery>

and

<cfquery name="test" datasource="myDSN"> / </cfquery>

The problem code is in the QueryParamConverter.java class in Lucee. Here:

if (c == '/' && sql.charAt(i + 1) == '*') {

and here

if (c == '-' && sql.charAt(i + 1) == '-') {

where it runs sql.charAt(i + 1) without checking whether another char exists in the string.
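To show the shape of the fix, here is an added example (not Lucee's code): a toy scanner with the same comment-skipping loop, where the lookahead is guarded so a trailing - or / no longer throws StringIndexOutOfBoundsException. The class and method names are assumed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

/** Toy scanner (not Lucee's): positions of '?' placeholders that sit outside
 *  string literals and SQL comments, with bounds-checked lookahead. */
public class SqlParamScanner {

    // Safe lookahead: returns '\0' instead of throwing when i + 1 is past the end.
    private static char peek(String sql, int i) {
        return (i + 1 < sql.length()) ? sql.charAt(i + 1) : '\0';
    }

    public static List<Integer> placeholderPositions(String sql) {
        List<Integer> positions = new ArrayList<>();
        boolean inString = false;
        for (int i = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (inString) {
                if (c == '\'') inString = false; // a doubled '' simply re-enters the string
                continue;
            }
            if (c == '\'') { inString = true; continue; }
            // Block comment: the ticket's code did sql.charAt(i + 1) here unguarded.
            if (c == '/' && peek(sql, i) == '*') {
                int end = sql.indexOf("*/", i + 2);
                i = (end < 0) ? sql.length() : end + 1; // unterminated comment runs to EOF
                continue;
            }
            // Line comment: same unguarded lookahead in the ticket's code.
            if (c == '-' && peek(sql, i) == '-') {
                int end = sql.indexOf('\n', i + 2);
                i = (end < 0) ? sql.length() : end;
                continue;
            }
            if (c == '?') positions.add(i);
        }
        return positions;
    }

    public static void main(String[] args) {
        // Constructed inputs, including the bare "-" and "/" from the ticket.
        String[] samples = { "-", "/", "select ? -- ?", "select ? /* ? */ ?", "select '--?'" };
        for (String sql : samples) {
            System.out.println(sql + " -> " + placeholderPositions(sql));
        }
    }
}
```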

Environment

None

Activity


Brad Wood 7 June 2024 at 21:33
Edited

I couldn’t find the example that had rooted out the error, but after reviewing Lucee’s source code, I could tell the lack of validation was basically wrong, so the example in the ticket was just the simplest method of showing its bad assumptions.

Zac Spitzer 7 June 2024 at 00:56

fixed the testcase to repro and addressed the out of bounds https://github.com/lucee/Lucee/pull/2382

out of interest, can you share a valid sql example which triggers this, can’t quite imagine one?

Zac Spitzer 23 May 2024 at 08:17
Edited

with 6.1, the error is coming from the database, rather than the above line

https://github.com/lucee/Lucee/blob/6.1/core/src/main/java/lucee/runtime/tag/util/QueryParamConverter.java#L149

[java] [script] Errored: test.tickets.LDEV4866
[java] [script] test query parsing, just a -
[java] [script] Syntax error in SQL statement "[]-"; SQL statement:
[java] [script] - [42000-214]
[java] [script] /Users/zac/work/Lucee/test/tickets/LDEV4866.cfc:11
[java] [script] /Users/zac/work/Lucee/test/_testRunner.cfc:283
[java] [script] /Users/zac/work/Lucee/test/run-tests.cfm:348
[java] [script]
[java] [script] lucee.runtime.exp.DatabaseException: Syntax error in SQL statement "[]-"; SQL statement:
[java] [script] - [42000-214]
[java] [script] at org.h2.message.DbException.getJdbcSQLException(DbException.java:502)
[java] [script] at org.h2.message.DbException.getJdbcSQLException(DbException.java:477)
[java] [script] at org.h2.message.DbException.get(DbException.java:223)
[java] [script] at org.h2.message.DbException.get(DbException.java:199)
[java] [script] at org.h2.message.DbException.getSyntaxError(DbException.java:247)
[java] [script] at org.h2.command.Parser.getSyntaxError(Parser.java:898)
[java] [script] at org.h2.command.Parser.parsePrepared(Parser.java:866)
[java] [script] at org.h2.command.Parser.parse(Parser.java:689)
[java] [script] at org.h2.command.Parser.parse(Parser.java:666)
[java] [script] at org.h2.command.Parser.prepareCommand(Parser.java:569)
[java] [script] at org.h2.engine.SessionLocal.prepareLocal(SessionLocal.java:631)
[java] [script] at org.h2.engine.SessionLocal.prepareCommand(SessionLocal.java:554)
[java] [script] at org.h2.jdbc.JdbcConnection.prepareCommand(JdbcConnection.java:1116)
[java] [script] at org.h2.jdbc.JdbcStatement.executeInternal(JdbcStatement.java:237)
[java] [script] at org.h2.jdbc.JdbcStatement.execute(JdbcStatement.java:223)
[java] [script] at lucee.runtime.type.util.QueryUtil.execute(QueryUtil.java:345)
[java] [script] at lucee.runtime.type.QueryImpl.execute(QueryImpl.java:296)
[java] [script] at lucee.runtime.type.QueryImpl.<init>(QueryImpl.java:242)
[java] [script] at lucee.runtime.tag.Query.executeDatasoure(Query.java:1122)
[java] [script] at lucee.runtime.tag.Query._doEndTag(Query.java:694)
[java] [script] at lucee.runtime.tag.Query.doEndTag(Query.java:559)
[java] [script] at tickets.ldev4866_cfc$cf.udfCall(/test/tickets/LDEV4866.cfc:11)

that was with the example code, same result with <cfquery name="test" datasource="#ds#">/</cfquery>

https://github.com/lucee/Lucee/commit/a29a0b91b003c7d5c298e838cc2da11b5bddf4d7

Test case PR for 5.4, let’s see what happens https://github.com/lucee/Lucee/pull/2374

same result https://github.com/lucee/Lucee/actions/runs/9204585480

Created 22 May 2024 at 19:27
Updated 6 March 2025 at 11:38