Finish up release

CHANGELOG.md

@@ -2,7 +2,23 @@
 
 Changes that happened in releases
 
-## 1.6.11-SNAPSHOT
+## 1.6.12-SNAPSHOT
+
+### New features
+
+None yet
+
+### Bug fixes
+
+None yet
+
+### Backwards-incompatible changes
+
+None yet
+
+## 1.6.11
+
+10/01/2024 - [Release tag](https://github.com/Blazebit/blaze-persistence/releases/tag/1.6.11) [Resolved issues](https://github.com/Blazebit/blaze-persistence/issues?q=is%3Aissue+milestone%3A1.6.11+is%3Aclosed+sort%3Aupdated-desc)
 
 ### New features
 
@@ -13,6 +29,7 @@ Changes that happened in releases
 * Fix over-fetching of entity view data with dynamic fetches
 * Fix Spring 6.1 compatibility
 * Fix Hibernate 6.4.0.Final compatibility
+* Disallow repository sorting by anything other than entity or entity view attribute paths
 
 ### Backwards-incompatible changes
 

README.md

@@ -57,7 +57,7 @@ Blaze-Persistence is split up into different modules. We recommend that you defi
 
 ```xml
 <properties>
-    <blaze-persistence.version>1.6.10</blaze-persistence.version>
+    <blaze-persistence.version>1.6.11</blaze-persistence.version>
 </properties>
 ```
 
@@ -84,49 +84,49 @@ If you want a sample application with everything setup where you can poke around
 Core-only archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-core-sample" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-core-sample" "-DarchetypeVersion=1.6.11"
 ```
 
 Entity view archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-entity-view-sample" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-entity-view-sample" "-DarchetypeVersion=1.6.11"
 ```
 
 Spring-Data archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-spring-data-sample" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-spring-data-sample" "-DarchetypeVersion=1.6.11"
 ```
 
 Spring-Boot archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-spring-boot-sample" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-spring-boot-sample" "-DarchetypeVersion=1.6.11"
 ```
 
 DeltaSpike Data archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-deltaspike-data-sample" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-deltaspike-data-sample" "-DarchetypeVersion=1.6.11"
 ```
 
 Java EE archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-java-ee-sample" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-java-ee-sample" "-DarchetypeVersion=1.6.11"
 ```
 
 Core-only Jakarta archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-core-sample-jakarta" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-core-sample-jakarta" "-DarchetypeVersion=1.6.11"
 ```
 
 Entity view Jakarta archetype:
 
 ```bash
-mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-entity-view-sample-jakarta" "-DarchetypeVersion=1.6.10"
+mvn archetype:generate "-DarchetypeGroupId=com.blazebit" "-DarchetypeArtifactId=blaze-persistence-archetype-entity-view-sample-jakarta" "-DarchetypeVersion=1.6.11"
 ```
 
 ## Supported Java runtimes

creating-a-release.md

@@ -18,7 +18,7 @@ A release involves various steps which are outlined here and should be kept up-t
 . Open `website/pom.xml` and update the property `stable.version` to the latest released version, `snapshot.version` to the latest snapshot version and `series.version` to the current version series
 . Open `documentation/pom.xml` and update the property `stable.version` to the latest released version and `series.version` to the current version series
 . Prepare a local Maven release via `mvnw -P "blazebit-release,h2,hibernate-5.6,deltaspike-1.9,spring-data-2.7.x" release:clean release:prepare "-Darguments=-DskipTests -DskipITs '-Djdk8.home=C:\Program Files\Eclipse Adoptium\jdk-8.0.332.9-hotspot'"`
-. Actually deploy the release with `mvnw -P "blazebit-release,h2,hibernate-5.6,deltaspike-1.9,spring-data-2.7.x" release:perform "-Darguments=-DskipTests -DskipITs '-Djdk8.home=C:\Program Files\Eclipse Adoptium\jdk-8.0.332.9-hotspot'"`
+. Actually deploy the release with `mvnw -P "blazebit-release,h2,hibernate-5.6,deltaspike-1.9,spring-data-2.7.x" release:perform "-Darguments=-DskipTests -DskipITs '-Djdk8.home=C:\Program Files\Eclipse Adoptium\jdk-8.0.332.9-hotspot' -DretryFailedDeploymentCount=10"`
 . Goto https://oss.sonatype.org and login. In *Build Promotion* click on *Staging Repositories* then scroll down and find a repository named *comblazebit-...*
 . Click on the repository, then click *Close* and *Confirm*. Wait a few seconds, click *Refresh* and finally click *Release* and *Confirm*
 . Commit the changes and push the branch `git push origin`, as well as the created tag `git push origin TAG`

documentation/pom.xml

@@ -32,7 +32,7 @@
 
     <properties>
         <version.asciidoctor>1.6.0-alpha.7</version.asciidoctor>
-        <stable.version>1.6.10</stable.version>
+        <stable.version>1.6.11</stable.version>
         <series.version>1.6</series.version>
     </properties>
 

website/pom.xml

@@ -32,10 +32,10 @@
 
     <properties>
         <!-- The current stable version -->
-        <stable.version>1.6.10</stable.version>
+        <stable.version>1.6.11</stable.version>
         <series.version>1.6</series.version>
         <!-- The current snapshot version -->
-        <snapshot.version>1.6.11-SNAPSHOT</snapshot.version>
+        <snapshot.version>1.6.12-SNAPSHOT</snapshot.version>
 
         <!-- This is used for the htaccess file for filename based caching -->
         <maven.build.timestamp.format>yyyyMMddHHmmssSSSS</maven.build.timestamp.format>

website/src/main/jbake/content/downloads.adoc

@@ -9,7 +9,7 @@
 
 [.releases]
 |===
-| 1.6.10        | 2023-11-12     | https://github.com/Blazebit/blaze-persistence/releases/download/1.6.10/blaze-persistence-dist-1.6.10.zip[*Download*, window="_blank"] | link:news/2023/blaze-persistence-1.6.10-release.html[More...]
+| 1.6.11        | 2024-01-10     | https://github.com/Blazebit/blaze-persistence/releases/download/1.6.11/blaze-persistence-dist-1.6.11.zip[*Download*, window="_blank"] | link:news/2024/blaze-persistence-1.6.11-release.html[More...]
 | 1.5.1         | 2020-09-14     | https://github.com/Blazebit/blaze-persistence/releases/download/1.5.1/blaze-persistence-dist-1.5.1.zip[*Download*, window="_blank"] | link:news/2020/blaze-persistence-1.5.1-release.html[More...]
 | 1.4.1         | 2020-01-28     | https://github.com/Blazebit/blaze-persistence/releases/download/1.4.1/blaze-persistence-dist-1.4.1.zip[*Download*, window="_blank"] | link:news/2020/blaze-persistence-1.4.1-release.html[More...]
 | 1.3.2         | 2019-02-26     | https://github.com/Blazebit/blaze-persistence/releases/download/1.3.2/blaze-persistence-dist-1.3.2.zip[*Download*, window="_blank"] | link:news/2019/blaze-persistence-1.3.2-release.html[More...]

website/src/main/jbake/content/news/2024/blaze-persistence-1.6.11-release.adoc

@@ -0,0 +1,66 @@
+= Blaze-Persistence 1.6.11 Release
+Christian Beikov
+2024-01-10 0
+:description: Blaze-Persistence version 1.6.11 was just released
+:page: news
+:icon: christian_head.png
+:jbake-tags: announcement,release
+:jbake-type: post
+:jbake-status: published
+:linkattrs:
+
+We are happy to announce the eleventh bug fix release of the 1.6 series.
+
+=== Hibernate ORM 6.4 compatibility
+
+So far, the Hibernate ORM 6 integration was tested against Hibernate ORM 6.4.0.CR1.
+The integration was adapted due to a slight change in 6.4.0.Final,
+which unfortunately prevented the use of Blaze-Persistence with that version.
+
+=== Spring Framework 6.1 compatibility
+
+Spring Framework 6.1 apparently removed methods that were previously marked as deprecated, which+++<!-- PREVIEW-SUFFIX --><!-- </p></div> --><!-- PREVIEW-END -->+++
+our Spring Data integration unfortunately was still using. This was causing `NoSuchMethodError` to be thrown, but is now fixed.
+
+=== Security fix for Spring Data integration
+
+This release contains a fix for a security issue in the Spring Data integration which was recently reported by https://github.com/nelsonneto-hotmart[Nelson Neto, window="_blank"].
+Since every version of Blaze-Persistence is affected, every user of the Spring Data integration is strongly advised to update immediately.
+The issue could potentially lead to a data leak. There is no known reproducer or attack yet, but know that this is a high severity issue.
+
+In short, the problem is that `Sort.Order` is assumed to be safe, but it is usually untrusted user input,
+usually being parsed by the Spring Data WebMvc/WebFlux integration from a query parameter.
+
+Any Spring Data repository method is affected that:
+
+* accepts a `Sort` parameter directly, or indirectly through `Pageable`/`PageRequest` or `KeysetPageable`/`KeysetPageRequest`
+* Returns an entity view type explicitly or through a dynamic projection
+
+Calling such repository methods with untrusted `Sort` inputs allows for JPQL.next injection,
+which ultimately is SQL injection.
+
+Regular Spring Data JPA repositories only allow sorting by attribute paths relative to the query root,
+which is ensured by construction i.e. Spring Data JPA tries to find attributes based on the entity metamodel.
+
+Entity view based Spring Data repositories allow sorting by entity view attribute paths and
+additionally also allow to sort by entity attribute paths. Until Blaze-Persistence 1.6.11
+entity attribute paths were not validated to be relative to the query root.
+In fact, any valid JPQL.next expression was accepted, which essentially leads to a SQL injection vulnerability.
+
+If updating to the latest version of Blaze-Persistence is not possible for some reason,
+the security issue can be mitigated by validating the `Sort` e.g.
+
+```java
+Pattern validCharsPattern = Pattern.compile("[\\w.]+");
+for (Sort.Order order : sort) {
+    if (!validCharsPattern.matcher(order.getProperty()).matches()) {
+        throw new IllegalArgumentException("Attempted SQL injection");
+    }
+}
+```
+
+=== Various bug fixes
+
+Take a look into the https://github.com/Blazebit/blaze-persistence/blob/main/CHANGELOG.md#1611[changelog, window="_blank"] for a full list of changes and improvements.
+
+Enjoy the release and stay tuned for the next one!

website/src/main/jbake/jbake.properties

@@ -17,7 +17,7 @@
 site.host=http://localhost:8820/
 asciidoctor.attributes.export=true
 asciidoctor.attributes=imagesdir=images,source-highlighter=prettify
-stable.version=1.6.10
+stable.version=1.6.11
 template.index.file=index.ftl
 template.downloads.file=downloads.ftl
 render.tags=true