From c9fbe2b33517a7c91dabab58108ea1f0918a9b40 Mon Sep 17 00:00:00 2001
From: mikereiche
Date: Wed, 23 Apr 2025 17:46:34 -0700
Subject: [PATCH] Switch to OpenFeign QueryDSL because of CVE-2024-49203. Closes #2409.
Signed-off-by: mikereiche
---
 pom.xml | 7 +++++--
 .../CouchbaseRepositoryQuerydslIntegrationTests.java | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index bdb8301a0..76bf84460 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,6 +26,7 @@ 2.10.13 2.13.4 4.0.0 + 6.11
@@ -43,10 +44,12 @@ + + io.github.openfeign.querydsl querydsl-apt - ${querydsl} - jakarta + ${querydsl_of} provided
diff --git a/src/test/java/org/springframework/data/couchbase/repository/query/CouchbaseRepositoryQuerydslIntegrationTests.java b/src/test/java/org/springframework/data/couchbase/repository/query/CouchbaseRepositoryQuerydslIntegrationTests.java
index 600b0cb19..d4dca5cb3 100644
--- a/src/test/java/org/springframework/data/couchbase/repository/query/CouchbaseRepositoryQuerydslIntegrationTests.java
+++ b/src/test/java/org/springframework/data/couchbase/repository/query/CouchbaseRepositoryQuerydslIntegrationTests.java
@@ -20,6 +20,7 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.springframework.data.couchbase.util.Util.comprises;
 import static org.springframework.data.couchbase.util.Util.exactly;
@@ -29,6 +30,7 @@
 import java.util.Optional;
 import java.util.stream.StreamSupport;
+import com.querydsl.core.types.dsl.PathBuilder;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
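Review bot: The `@@ -43,10 +44,12 @@` hunk moves only `querydsl-apt` to the `io.github.openfeign.querydsl` coordinates, and the `@@ -26,6 +26,7 @@` hunk adds `querydsl_of` without removing the old `querydsl` property; if any other `com.querydsl:*` artifact (for example the runtime `querydsl-core` that `PathBuilder` lives in) is still declared elsewhere in the pom, the CVE-2024-49203 fix would not actually reach the runtime classpath. Because the OpenFeign fork keeps the `com.querydsl` package names, a leftover `com.querydsl` artifact is not evicted by Maven's nearest-wins resolution (different groupId) — both jars would be present and which `PathBuilder` loads becomes a classpath-order question. Verify with `mvn dependency:tree -Dincludes=com.querydsl` that no `com.querydsl` artifacts remain, and consider an Enforcer `bannedDependencies` rule for `com.querydsl:*` so the regression cannot come back silently; if the old property is then unused, remove it as well. The XML element names in these hunks are not visible here, so the exact lines are inferred from the values shown.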
@@ -43,8 +45,10 @@
 import org.springframework.data.couchbase.core.mapping.event.ValidatingCouchbaseEventListener;
 import org.springframework.data.couchbase.core.query.QueryCriteriaDefinition;
 import org.springframework.data.couchbase.domain.Airline;
+import org.springframework.data.couchbase.domain.AirlineCollectioned;
 import org.springframework.data.couchbase.domain.AirlineRepository;
 import org.springframework.data.couchbase.domain.QAirline;
+import org.springframework.data.couchbase.domain.QAirlineCollectioned;
 import org.springframework.data.couchbase.repository.auditing.EnableCouchbaseAuditing;
 import org.springframework.data.couchbase.repository.auditing.EnableReactiveCouchbaseAuditing;
 import org.springframework.data.couchbase.repository.config.EnableCouchbaseRepositories;
@@ -147,6 +151,13 @@ void testEq() {
 }
 }
+ @Test
+ void testInjection() {
+ String userSpecifiedPath = "1 = 1) OR (2";
+ PathBuilder pathBuilder = new PathBuilder<>(QAirline.class, "xyz");
+ assertThrows(IllegalStateException.class, () -> pathBuilder.get(userSpecifiedPath).eq("2"));
+ }
+
 // this gives hqCountry == "" and hqCountry is missing
 // @Test
 void testStringIsEmpty() {
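Review bot: `AirlineCollectioned` and `QAirlineCollectioned` are imported in this hunk but nothing in the patch references them — the file's 11 insertions are fully accounted for by the four import lines and the seven lines of `testInjection` — so they read as leftovers from an earlier draft. Unused imports are flagged by Checkstyle and Error Prone, and importing the generated `QAirlineCollectioned` makes this test class's compilation depend on the apt step producing that class for no benefit; drop both lines unless a further test that uses them is coming. The `@@ -147` hunk is the only code change in this file.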
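Review bot: `pathBuilder` is declared with the raw type `PathBuilder` although the diamond on the right side infers `PathBuilder<QAirline>`; write `PathBuilder<QAirline> pathBuilder = new PathBuilder<>(QAirline.class, "xyz");` so the test compiles without a rawtypes warning (and note that `PathBuilder` is normally built over the entity type, `Airline.class`, not the generated Q-class, which matters if a field-checking `PathBuilderValidator` is ever used). The test also does not say why it exists, and since it exercises only the library — no repository or query template is involved — a later reader may take it for dead weight; a header comment such as `// Regression guard for the dependency switch (CVE-2024-49203): PathBuilder.get(String) must reject a property name that is not a plain identifier instead of splicing it into the generated query.` ties it to the pom change. Consider narrowing the lambda to `pathBuilder.get(userSpecifiedPath)` so the assertion pins where the rejection happens rather than leaving `.eq("2")` as a possible thrower. The enclosing test class starts and ends outside the hunk.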