Update h2 database to 2.0.202 to avoid XXE CVE

https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-1769238 NOTE: This CVE did not impact this project directly as we were not using the XML abilities of JDBC. Also had to update SQL to be compliant with new h2 version.
danfickle · Dec 10, 2021 · ef4dcae · ef4dcae
1 parent 43e2723
commit ef4dcae
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/pom.xml b/pom.xml
@@ -46,7 +46,7 @@
     <dependency>
       <groupId>com.h2database</groupId>
       <artifactId>h2</artifactId>
-      <version>1.4.200</version>
+      <version>2.0.202</version>
     </dependency>
     <dependency>
        <groupId>org.slf4j</groupId>

diff --git a/src/main/java/com/openhtmltopdf/projects/resume/Generator.java b/src/main/java/com/openhtmltopdf/projects/resume/Generator.java
@@ -186,7 +186,7 @@ private static Object uploadResumeJson(Request req, Response res) {
       String token = getHex(tokenBytes);
 
       // Insert into db.
-      String sql = "INSERT INTO resumes(id, json, token, ts, template) VALUES(NULL, ?, ?, NOW(), ?)";
+      String sql = "INSERT INTO resumes(id, json, token, ts, template) VALUES(DEFAULT, ?, ?, NOW(), ?)";
       PreparedStatement stmt = conn.prepareStatement(sql, Statement.RETURN_GENERATED_KEYS);
       stmt.setString(1, json);
       stmt.setString(2, token);
@@ -300,7 +300,7 @@ public static void main(String[] args) throws ClassNotFoundException {
     try(Connection conn = getDb()) {
       String sql = 
         "CREATE TABLE IF NOT EXISTS resumes ( " +
-        "id BIGINT IDENTITY PRIMARY KEY, json VARCHAR(10000), token VARCHAR(50), ts TIMESTAMP, template VARCHAR(64) )";
+        "id BIGINT GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY, json VARCHAR(10000), token VARCHAR(50), ts TIMESTAMP, template VARCHAR(64) )";
 
       conn.createStatement().executeUpdate(sql);
     } catch (SQLException sqlEx) {