From: Markus Koschany <apo@debian.org>
Date: Sun, 3 Jan 2021 14:42:46 +0100
Subject: CVE-2020-25638

Origin: https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78
---
 .../src/main/java/org/hibernate/dialect/Dialect.java          | 11 +++++++++++
 .../src/main/java/org/hibernate/loader/Loader.java            |  3 ++-
 .../src/main/java/org/hibernate/sql/Delete.java               |  4 +++-
 .../src/main/java/org/hibernate/sql/Insert.java               |  2 +-
 .../src/main/java/org/hibernate/sql/InsertSelect.java         |  2 +-
 .../src/main/java/org/hibernate/sql/QuerySelect.java          |  2 +-
 .../src/main/java/org/hibernate/sql/Select.java               |  3 ++-
 .../src/main/java/org/hibernate/sql/SimpleSelect.java         |  2 +-
 .../src/main/java/org/hibernate/sql/Update.java               |  2 +-
 9 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/project/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java b/project/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java
index 1b0c776..65acb85 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/dialect/Dialect.java
@@ -36,6 +36,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -121,6 +122,8 @@ public abstract class Dialect {
 		// TODO: shouldn't SerializableToBlobType be in this list???
 	}
 
+	private static final Pattern ESCAPE_CLOSING_COMMENT_PATTERN = Pattern.compile( "\\*/" );
+	private static final Pattern ESCAPE_OPENING_COMMENT_PATTERN = Pattern.compile( "/\\*" );
 	private final TypeNames typeNames = new TypeNames();
 	private final TypeNames hibernateTypeNames = new TypeNames();
 
@@ -1654,6 +1657,14 @@ public abstract class Dialect {
 		return false;
 	}
 
+	public static String escapeComment(String comment) {
+		if ( StringHelper.isNotEmpty( comment ) ) {
+			final String escaped = ESCAPE_CLOSING_COMMENT_PATTERN.matcher( comment ).replaceAll( "*\\\\/" );
+			return ESCAPE_OPENING_COMMENT_PATTERN.matcher( escaped ).replaceAll( "/\\\\*" );
+		}
+		return comment;
+	}
+
 	/**
 	 * Does this dialect support column-level check constraints?
 	 *
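Review bot: escapeComment is the check that CVE-2020-25638 hinges on, yet it is the only method in this hunk without a Javadoc, and nothing says what a caller may rely on. I would add a short Javadoc stating that it neutralises the two block-comment delimiters in a caller-supplied SQL comment so the comment cannot close the enclosing `/* ... */` and let the remainder of the string reach the statement, and that null or empty input is returned unchanged. The two passes are order-independent because neither replacement (`*\/`, `/\*`) can produce a new delimiter, which is worth a one-line why-comment above the first matcher call since it is not obvious from the code. The ESCAPE_* Pattern constants introduced in the previous hunk sit between the static initialiser and the instance fields; grouping them with the other static constants of Dialect would make their relation to this method easier to find.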
diff --git a/project/hibernate-core/src/main/java/org/hibernate/loader/Loader.java b/project/hibernate-core/src/main/java/org/hibernate/loader/Loader.java
index 805c7cd..29c9b40 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/loader/Loader.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/loader/Loader.java
@@ -237,9 +237,10 @@ public abstract class Loader {
 			return sql;
 		}
 		else {
+			String newcomment = Dialect.escapeComment( comment );
 			return new StringBuffer( comment.length() + sql.length() + 5 )
 					.append( "/* " )
-					.append( comment )
+					.append( newcomment )
 					.append( " */ " )
 					.append( sql )
 					.toString();
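Review bot: The StringBuffer capacity on the line after the new assignment is still sized from `comment.length()` although what gets appended is `newcomment`, which is longer whenever escaping inserted a backslash; it is only a pre-size hint and the buffer grows, so this is not a correctness issue, but the intent is clearer as `new StringBuffer( newcomment.length() + sql.length() + 5 )`. A name such as `escapedComment` (and `final`) would also say why the second variable exists. The enclosing method starts outside the hunk, so I could not see whether the `if` branch above already handles a null comment before `comment.length()` is reached.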
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/Delete.java b/project/hibernate-core/src/main/java/org/hibernate/sql/Delete.java
index 6ec17cc..2fcfbb8 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/Delete.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/Delete.java
@@ -28,6 +28,8 @@ import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import org.hibernate.dialect.Dialect;
+
 /**
  * An SQL <tt>DELETE</tt> statement
  *
@@ -55,7 +57,7 @@ public class Delete {
 	public String toStatementString() {
 		StringBuffer buf = new StringBuffer( tableName.length() + 10 );
 		if ( comment!=null ) {
-			buf.append( "/* " ).append(comment).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		}
 		buf.append( "delete from " ).append(tableName);
 		if ( where != null || !primaryKeyColumns.isEmpty() || versionColumnName != null ) {
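Review bot: The `"/* "` + escape + `" */ "` sequence is now repeated verbatim at seven call sites (this hunk and the ones in Insert, InsertSelect, QuerySelect, Select, SimpleSelect and Update, plus the variant in Loader), so the escaping and the delimiters it protects live apart and any future site that appends a comment has to remember both halves. A single helper on Dialect that returns the complete comment fragment, e.g. `public static String wrapComment(String comment) { return "/* " + escapeComment( comment ) + " */ "; }`, would keep the security-relevant step in one place and make the call sites `buf.append( Dialect.wrapComment( comment ) );`. Until then a one-line comment at each site, such as `// comment may originate from the caller; escaping keeps it inside the block comment`, would record why the plain `append( comment )` is no longer acceptable.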
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/Insert.java b/project/hibernate-core/src/main/java/org/hibernate/sql/Insert.java
index 5d8e232..7672654 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/Insert.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/Insert.java
@@ -109,7 +109,7 @@ public class Insert {
 	public String toStatementString() {
 		StringBuffer buf = new StringBuffer( columns.size()*15 + tableName.length() + 10 );
 		if ( comment != null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		}
 		buf.append("insert into ")
 			.append(tableName);
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java b/project/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java
index 69a54ea..4887fea 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/InsertSelect.java
@@ -81,7 +81,7 @@ public class InsertSelect {
 
 		StringBuffer buf = new StringBuffer( (columnNames.size() * 15) + tableName.length() + 10 );
 		if ( comment!=null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		}
 		buf.append( "insert into " ).append( tableName );
 		if ( !columnNames.isEmpty() ) {
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java b/project/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java
index f019782..822444c 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/QuerySelect.java
@@ -135,7 +135,7 @@ public class QuerySelect {
 
 	public String toQueryString() {
 		StringBuffer buf = new StringBuffer(50);
-		if (comment!=null) buf.append("/* ").append(comment).append(" */ ");
+		if (comment!=null) buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		buf.append("select ");
 		if (distinct) buf.append("distinct ");
 		String from = joins.toFromFragmentString();
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/Select.java b/project/hibernate-core/src/main/java/org/hibernate/sql/Select.java
index 9a52cd4..0ee9133 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/Select.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/Select.java
@@ -30,6 +30,7 @@ import org.hibernate.dialect.Dialect;
 import org.hibernate.util.StringHelper;
 
 
+
 /**
  * A simple SQL <tt>SELECT</tt> statement
  * @author Gavin King
@@ -59,7 +60,7 @@ public class Select {
 	public String toStatementString() {
 		StringBuffer buf = new StringBuffer(guesstimatedBufferSize);
 		if ( StringHelper.isNotEmpty(comment) ) {
-			buf.append("/* ").append(comment).append(" */ ");
+			buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		}
 		
 		buf.append("select ").append(selectClause)
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java b/project/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java
index 5035eeb..cca2d65 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/SimpleSelect.java
@@ -156,7 +156,7 @@ public class SimpleSelect {
 			);
 		
 		if ( comment!=null ) {
-			buf.append("/* ").append(comment).append(" */ ");
+			buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		}
 		
 		buf.append("select ");
diff --git a/project/hibernate-core/src/main/java/org/hibernate/sql/Update.java b/project/hibernate-core/src/main/java/org/hibernate/sql/Update.java
index 400fe7c..b8ea145 100644
--- a/project/hibernate-core/src/main/java/org/hibernate/sql/Update.java
+++ b/project/hibernate-core/src/main/java/org/hibernate/sql/Update.java
@@ -181,7 +181,7 @@ public class Update {
 	public String toStatementString() {
 		StringBuffer buf = new StringBuffer( (columns.size() * 15) + tableName.length() + 10 );
 		if ( comment!=null ) {
-			buf.append( "/* " ).append( comment ).append( " */ " );
+			buf.append( "/* " ).append( Dialect.escapeComment( comment ) ).append( " */ " );
 		}
 		buf.append( "update " ).append( tableName ).append( " set " );
 		boolean assignmentsAppended = false;
