#530 Exposed does not work with just-released H2Database (1.4.199)

#558 H2 dependency 1.4.197 is vulnerable to remote code execution (CVE-2018-10054)
JetBrains · Jun 2, 2019 · f04af1d · f04af1d
1 parent 4362a41
commit f04af1d
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 9 deletions.
diff --git a/exposed/build.gradle.kts b/exposed/build.gradle.kts
@@ -17,14 +17,14 @@ dependencies {
     implementation("org.jetbrains.kotlinx", "kotlinx-coroutines-core", "1.0.1")
     api("joda-time", "joda-time", "2.10.2")
     api("org.slf4j", "slf4j-api", "1.7.25")
-    implementation("com.h2database", "h2", "1.4.197")
+    implementation("com.h2database", "h2", "1.4.199")
 
     testImplementation(kotlin("test-junit"))
     testImplementation("org.slf4j", "slf4j-log4j12", "1.7.26")
     testImplementation("log4j", "log4j", "1.2.17")
     testImplementation("junit", "junit", "4.12")
     testImplementation("org.hamcrest", "hamcrest-library", "1.3")
-    testImplementation("com.h2database", "h2", "1.4.197")
+    testImplementation("com.h2database", "h2", "1.4.199")
 
     testImplementation("mysql", "mysql-connector-java", "5.1.47")
     testImplementation("mysql", "mysql-connector-mxj", "5.0.12")

diff --git a/exposed/src/main/kotlin/org/jetbrains/exposed/sql/vendors/H2.kt b/exposed/src/main/kotlin/org/jetbrains/exposed/sql/vendors/H2.kt
@@ -40,7 +40,7 @@ internal object H2FunctionProvider : FunctionProvider() {
         val uniqueIdxCols = table.indices.filter { it.unique }.flatMap { it.columns.toList() }
         val uniqueCols = columns.filter { it.indexInPK != null || it in uniqueIdxCols}
         return when {
-            // INSERT IGNORE support added in H2 version 1.4.198 (2018-03-18)
+            // INSERT IGNORE support added in H2 version 1.4.197 (2018-03-18)
             ignore && uniqueCols.isNotEmpty() && isMySQLMode && dbReleaseDate(transaction).isBefore(DateTime.parse("2018-03-18")) -> {
                 val def = super.insert(false, table, columns, expr, transaction)
                 def + " ON DUPLICATE KEY UPDATE " + uniqueCols.joinToString { "${transaction.identity(it)}=VALUES(${transaction.identity(it)})" }

diff --git a/exposed/src/test/kotlin/org/jetbrains/exposed/sql/tests/shared/DDLTests.kt b/exposed/src/test/kotlin/org/jetbrains/exposed/sql/tests/shared/DDLTests.kt
@@ -770,8 +770,8 @@ class DDLTests : DatabaseTestsBase() {
         internal fun initEnumColumn(sql: String) {
             (columns as MutableList<Column<*>>).remove(enumColumn)
             enumColumn = customEnumeration("enumColumn", sql, { value ->
-                when (currentDialect) {
-                    is H2Dialect -> Foo.values()[value as Int]
+                when {
+                    currentDialect is H2Dialect && value is Int -> Foo.values()[value]
                     else -> Foo.valueOf(value as String)
                 }
             }, { value ->

diff --git a/exposed/src/test/kotlin/org/jetbrains/exposed/sql/tests/shared/DMLTests.kt b/exposed/src/test/kotlin/org/jetbrains/exposed/sql/tests/shared/DMLTests.kt
@@ -228,7 +228,8 @@ class DMLTests : DatabaseTestsBase() {
             userData.deleteWhere(limit = 1) { userData.value eq 20 }
             userData.slice(userData.user_id, userData.value).select { userData.value eq 20 }.let {
                 assertEquals(1, it.count())
-                assertEquals("eugene", it.single()[userData.user_id])
+                val expected = if (currentDialect is H2Dialect) "smth" else "eugene"
+                assertEquals(expected, it.single()[userData.user_id])
             }
         }
     }
@@ -641,7 +642,10 @@ class DMLTests : DatabaseTestsBase() {
             users.name.groupConcat(separator = " | ", distinct = true).checkExcept(PostgreSQLDialect::class, OracleDialect::class) {
                 assertEquals(3, it.size)
                 assertEquals("Andrey", it["St. Petersburg"])
-                val sorted = if (currentDialect is MysqlDialect || currentDialect is SQLServerDialect) "Eugene | Sergey" else "Sergey | Eugene"
+                val sorted = when (currentDialect) {
+                    is MysqlDialect, is SQLServerDialect, is H2Dialect -> "Eugene | Sergey"
+                    else -> "Sergey | Eugene"
+                }
                 assertEquals(sorted, it["Munich"])
                 assertNull(it["Prague"])
             }

diff --git a/spring-transaction/build.gradle.kts b/spring-transaction/build.gradle.kts
@@ -16,15 +16,15 @@ dependencies {
     api("org.springframework", "spring-jdbc", "5.1.7.RELEASE")
     api("org.springframework", "spring-context", "5.1.7.RELEASE")
     implementation("org.jetbrains.kotlinx", "kotlinx-coroutines-core", "1.0.1")
-    implementation("com.h2database", "h2", "1.4.197")
+    implementation("com.h2database", "h2", "1.4.199")
 
     testImplementation(kotlin("test-junit"))
     testImplementation("org.springframework", "spring-test", "5.1.7.RELEASE")
     testImplementation("org.slf4j", "slf4j-log4j12", "1.7.26")
     testImplementation("log4j", "log4j", "1.2.17")
     testImplementation("junit", "junit", "4.12")
     testImplementation("org.hamcrest", "hamcrest-library", "1.3")
-    testImplementation("com.h2database", "h2", "1.4.197")
+    testImplementation("com.h2database", "h2", "1.4.199")
 }
 
 publishJar {