Skip to content

Commit

Permalink
Use Locale.ROOT for locale neutral, case insensitive comparisons
Browse files Browse the repository at this point in the history
This addresses  CVE-2024-38820
  • Loading branch information
abhinaynagpal committed Jan 6, 2025
1 parent 8a44eaa commit bda04f0
Show file tree
Hide file tree
Showing 23 changed files with 76 additions and 48 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
Expand Down Expand Up @@ -77,8 +78,8 @@ public int compare(T o1, T o2) {
Object v1 = getPropertyValue(o1);
Object v2 = getPropertyValue(o2);
if (this.sortDefinition.isIgnoreCase() && (v1 instanceof String) && (v2 instanceof String)) {
v1 = ((String) v1).toLowerCase();
v2 = ((String) v2).toLowerCase();
v1 = ((String) v1).toLowerCase(Locale.ROOT);
v2 = ((String) v2).toLowerCase(Locale.ROOT);
}

int result;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.util.Locale;

import javax.sql.DataSource;

Expand Down Expand Up @@ -155,7 +156,7 @@ public void initialize() {
String productName = JdbcUtils.extractDatabaseMetaData(this.dataSource,
DatabaseMetaData::getDatabaseProductName);
productName = JdbcUtils.commonDatabaseName(productName);
if (productName != null && productName.toLowerCase().contains("hsql")) {
if (productName != null && productName.toLowerCase(Locale.ROOT).contains("hsql")) {
setUseDBLocks(false);
setLockHandler(new SimpleSemaphore());
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ class MonthFormatter implements Formatter<Month> {

@Override
public Month parse(String text, Locale locale) throws ParseException {
return Month.valueOf(text.toUpperCase());
return Month.valueOf(text.toUpperCase(Locale.ROOT));
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import java.time.temporal.ChronoUnit;
import java.time.temporal.Temporal;
import java.time.temporal.ValueRange;
import java.util.Locale;
import java.util.function.BiFunction;

import org.springframework.lang.Nullable;
Expand Down Expand Up @@ -143,7 +144,7 @@ private static CronField parseList(String value, Type type, BiFunction<String, T
}

private static String replaceOrdinals(String value, String[] list) {
value = value.toUpperCase();
value = value.toUpperCase(Locale.ROOT);
for (int i = 0; i < list.length; i++) {
String replacement = Integer.toString(i + 1);
value = StringUtils.replace(value, list[i], replacement);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Locale;
import java.util.TimeZone;

import org.springframework.lang.Nullable;
Expand Down Expand Up @@ -305,8 +306,8 @@ private void doParse(String[] fields) {
private String replaceOrdinals(String value, String commaSeparatedList) {
String[] list = StringUtils.commaDelimitedListToStringArray(commaSeparatedList);
for (int i = 0; i < list.length; i++) {
String item = list[i].toUpperCase();
value = StringUtils.replace(value.toUpperCase(), item, "" + i);
String item = list[i].toUpperCase(Locale.ROOT);
value = StringUtils.replace(value.toUpperCase(Locale.ROOT), item, "" + i);
}
return value;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
package org.springframework.core.convert.support;

import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
Expand Down Expand Up @@ -55,7 +56,7 @@ public Boolean convert(String source) {
if (value.isEmpty()) {
return null;
}
value = value.toLowerCase();
value = value.toLowerCase(Locale.ROOT);
if (trueValues.contains(value)) {
return Boolean.TRUE;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@

package org.springframework.core.env;

import java.util.Locale;
import java.util.Map;

import org.springframework.lang.Nullable;
Expand Down Expand Up @@ -109,7 +110,7 @@ protected final String resolvePropertyName(String name) {
if (resolvedName != null) {
return resolvedName;
}
String uppercasedName = name.toUpperCase();
String uppercasedName = name.toUpperCase(Locale.ROOT);
if (!name.equals(uppercasedName)) {
resolvedName = checkPropertyName(uppercasedName);
if (resolvedName != null) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;

import org.springframework.lang.Nullable;

Expand Down Expand Up @@ -295,7 +296,7 @@ public static boolean isJarURL(URL url) {
*/
public static boolean isJarFileURL(URL url) {
return (URL_PROTOCOL_FILE.equals(url.getProtocol()) &&
url.getPath().toLowerCase().endsWith(JAR_FILE_EXTENSION));
url.getPath().toLowerCase(Locale.ROOT).endsWith(JAR_FILE_EXTENSION));
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,13 @@

package org.springframework.expression.spel;

import java.util.Locale;

import org.springframework.core.SpringProperties;
import org.springframework.lang.Nullable;



/**
* Configuration object for the SpEL expression parser.
*
Expand All @@ -45,7 +49,7 @@ public class SpelParserConfiguration {
static {
String compilerMode = SpringProperties.getProperty(SPRING_EXPRESSION_COMPILER_MODE_PROPERTY_NAME);
defaultCompilerMode = (compilerMode != null ?
SpelCompilerMode.valueOf(compilerMode.toUpperCase()) : SpelCompilerMode.OFF);
SpelCompilerMode.valueOf(compilerMode.toUpperCase(Locale.ROOT)) : SpelCompilerMode.OFF);
}


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
package org.springframework.expression.spel.ast;

import java.lang.reflect.Array;
import java.util.Locale;

import org.springframework.asm.MethodVisitor;
import org.springframework.asm.Type;
Expand Down Expand Up @@ -57,7 +58,7 @@ public TypedValue getValueInternal(ExpressionState state) throws EvaluationExcep
String typeName = (String) this.children[0].getValueInternal(state).getValue();
Assert.state(typeName != null, "No type name");
if (!typeName.contains(".") && Character.isLowerCase(typeName.charAt(0))) {
TypeCode tc = TypeCode.valueOf(typeName.toUpperCase());
TypeCode tc = TypeCode.valueOf(typeName.toUpperCase(Locale.ROOT));
if (tc != TypeCode.OBJECT) {
// It is a primitive type
Class<?> clazz = makeArrayIfNecessary(tc.getType());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@
import java.util.Collections;
import java.util.Deque;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;


import org.springframework.expression.ParseException;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateAwareExpressionParser;
Expand Down Expand Up @@ -750,7 +752,7 @@ private SpelNodeImpl eatPossiblyQualifiedId() {
throw internalException( this.expressionString.length(), SpelMessage.OOD);
}
throw internalException(node.startPos, SpelMessage.NOT_EXPECTED_TOKEN,
"qualified ID", node.getKind().toString().toLowerCase());
"qualified ID", node.getKind().toString().toLowerCase(Locale.ROOT));
}
return new QualifiedIdentifier(qualifiedIdPieces.getFirst().getStartPosition(),
qualifiedIdPieces.getLast().getEndPosition(), qualifiedIdPieces.toArray(new SpelNodeImpl[0]));
Expand Down Expand Up @@ -942,7 +944,7 @@ private Token eatToken(TokenKind expectedKind) {
}
if (t.kind != expectedKind) {
throw internalException(t.startPos, SpelMessage.NOT_EXPECTED_TOKEN,
expectedKind.toString().toLowerCase(), t.getKind().toString().toLowerCase());
expectedKind.toString().toLowerCase(), t.getKind().toString().toLowerCase(Locale.ROOT));
}
return t;
}
Expand Down Expand Up @@ -1038,7 +1040,7 @@ public String toString(@Nullable Token t) {
if (t.getKind().hasPayload()) {
return t.stringValue();
}
return t.kind.toString().toLowerCase();
return t.kind.toString().toLowerCase(Locale.ROOT);
}

private void checkOperands(Token token, @Nullable SpelNodeImpl left, @Nullable SpelNodeImpl right) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import org.springframework.expression.spel.InternalParseException;
import org.springframework.expression.spel.SpelMessage;
Expand Down Expand Up @@ -455,7 +456,7 @@ private void lexIdentifier() {
// Check if this is the alternative (textual) representation of an operator (see
// alternativeOperatorNames)
if ((this.pos - start) == 2 || (this.pos - start) == 3) {
String asString = new String(subarray).toUpperCase();
String asString = new String(subarray).toUpperCase(Locale.ROOT);
int idx = Arrays.binarySearch(ALTERNATIVE_OPERATOR_NAMES, asString);
if (idx >= 0) {
pushOneCharOrTwoCharToken(TokenKind.valueOf(asString), start, subarray);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -385,7 +385,7 @@ protected List<SqlParameter> reconcileParameters(List<SqlParameter> parameters)
if (meta.isReturnParameter()) {
param = declaredParams.get(getFunctionReturnName());
if (param == null && !getOutParameterNames().isEmpty()) {
param = declaredParams.get(getOutParameterNames().get(0).toLowerCase());
param = declaredParams.get(getOutParameterNames().get(0).toLowerCase(Locale.ROOT));
}
if (param == null) {
throw new InvalidDataAccessApiUsageException(
Expand Down Expand Up @@ -488,15 +488,15 @@ public Map<String, Object> matchInParameterValuesWithCallParameters(SqlParameter
String parameterName = parameter.getName();
String parameterNameToMatch = obtainMetaDataProvider().parameterNameToUse(parameterName);
if (parameterNameToMatch != null) {
callParameterNames.put(parameterNameToMatch.toLowerCase(), parameterName);
callParameterNames.put(parameterNameToMatch.toLowerCase(Locale.ROOT), parameterName);
}
if (parameterName != null) {
if (parameterSource.hasValue(parameterName)) {
matchedParameters.put(parameterName,
SqlParameterSourceUtils.getTypedValue(parameterSource, parameterName));
}
else {
String lowerCaseName = parameterName.toLowerCase();
String lowerCaseName = parameterName.toLowerCase(Locale.ROOT);
if (parameterSource.hasValue(lowerCaseName)) {
matchedParameters.put(parameterName,
SqlParameterSourceUtils.getTypedValue(parameterSource, lowerCaseName));
Expand Down Expand Up @@ -556,7 +556,7 @@ else if (logger.isInfoEnabled()) {
String parameterName = parameter.getName();
String parameterNameToMatch = provider.parameterNameToUse(parameterName);
if (parameterNameToMatch != null) {
callParameterNames.put(parameterNameToMatch.toLowerCase(), parameterName);
callParameterNames.put(parameterNameToMatch.toLowerCase(Locale.ROOT), parameterName);
}
}
}
Expand Down Expand Up @@ -680,7 +680,7 @@ protected String createParameterBinding(SqlParameter parameter) {
}

private static String lowerCase(@Nullable String paramName) {
return (paramName != null ? paramName.toLowerCase() : "");
return (paramName != null ? paramName.toLowerCase(Locale.ROOT) : "");
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.util.Locale;

import org.springframework.lang.Nullable;

Expand Down Expand Up @@ -73,7 +74,7 @@ public String metaDataSchemaNameToUse(@Nullable String schemaName) {

// Use current user schema if no schema specified...
String userName = getUserName();
return (userName != null ? userName.toUpperCase() : null);
return (userName != null ? userName.toUpperCase(Locale.ROOT) : null);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.util.Locale;

import org.springframework.lang.Nullable;

Expand Down Expand Up @@ -45,7 +46,7 @@ public String metaDataSchemaNameToUse(@Nullable String schemaName) {

// Use current user schema if no schema specified...
String userName = getUserName();
return (userName != null ? userName.toUpperCase() : null);
return (userName != null ? userName.toUpperCase(Locale.ROOT) : null);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
Expand Down Expand Up @@ -279,10 +280,10 @@ private String identifierNameToUse(@Nullable String identifierName) {
return null;
}
else if (isStoresUpperCaseIdentifiers()) {
return identifierName.toUpperCase();
return identifierName.toUpperCase(Locale.ROOT);
}
else if (isStoresLowerCaseIdentifiers()) {
return identifierName.toLowerCase();
return identifierName.toLowerCase(Locale.ROOT);
}
else {
return identifierName;
Expand Down
Loading

0 comments on commit bda04f0

Please sign in to comment.