MyBatis upgrade from 3.4.0 to 3.5.6 not matching the columns if the attributes names not matching with Entity class property

Durgapriya Babu
We have an application which uses MyBatis version 3.4.0, and as part of the security scan we need to upgrade it to 3.5.6.

But after the upgrade we see there are issues when the attributes in the SQL are not matching exactly with the entity class. As this is an existing application with 1000's of SQL statements, it's cumbersome to identify and change in each SQL. Is there any workaround for this? Please suggest.

Example:
<resultMap type="com.test.Org" id="orgResult">
    <result property="orgId" column="org_Id" />
</resultMap>

<select id="getResponse" resultType="orgResult">
    select org_id as orgId from table1 where ref = #{ref}
</select>

The above is not mapping the orgID value, as the result property column name is different from the alias name in the SQL statement. This works fine in 3.4.0.

Thanks!

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/8508134f-6905-478f-b57f-4c0250622156n%40googlegroups.com.
Re: MyBatis upgrade from 3.4.0 to 3.5.6 not matching the columns if the attributes names not matching with Entity class property

Iwao AVE!
Hello,

It probably is related to this fix made in version 3.5.4 : https://github.com/mybatis/mybatis-3/issues/1551

Basically, there was a bug in one of the built-in type handlers that used 'column name' instead of 'column label' when getting the result.
In your case, this bug hid the misconfiguration in your result map when the app was developed.
And now that the bug is fixed, the hidden problem is exposed.

As an easy/temporary workaround, you can try disabling `useColumnLabel`; however, this could cause other problems for obvious reasons.
https://mybatis.org/mybatis-3/configuration.html#settings

You seem to understand this, but the right solution would be to correct the `column` value of `<result />` or to modify the column alias in the SQL.

p.s.
If your security concern is about the JDK's deserialization vulnerability, you can (and should) use the JEP-290 serialization filter.
It is effective against any version of MyBatis (and most other libraries/frameworks), so you may be able to use MyBatis 3.5.3 which does not include the bug fix.
https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66

Regards,
Iwao

On Wed, Jan 6, 2021 at 4:43 PM Durgapriya Babu <[hidden email]> wrote:
We have an application which uses MyBatis version 3.4.0, and as part of the security scan we need to upgrade it to 3.5.6.

But after the upgrade we see there are issues when the attributes in the SQL are not matching exactly with the entity class. As this is an existing application with 1000's of SQL statements, it's cumbersome to identify and change in each SQL. Is there any workaround for this? Please suggest.

Example:
<resultMap type="com.test.Org" id="orgResult">
    <result property="orgId" column="org_Id" />
</resultMap>

<select id="getResponse" resultType="orgResult">
    select org_id as orgId from table1 where ref = #{ref}
</select>

The above is not mapping the orgID value, as the result property column name is different from the alias name in the SQL statement. This works fine in 3.4.0.

Thanks!

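The JEP-290 serialization filter suggested in the reply's p.s., as an added example that is not part of the original thread or of MyBatis: an allow-list filter attached to an `ObjectInputStream`, with one permitted and one rejected payload. It assumes Java 9 or later (`java.io.ObjectInputFilter`); the class name `SerialFilterDemo` and the allow-list pattern are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class SerialFilterDemo {
    // Constructed allow-list for this demo: ArrayList and java.lang.* only,
    // bounded graph depth and array size, everything else rejected by "!*".
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.*;maxdepth=5;maxarray=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // per-stream filter, set before the first read
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> allowed = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + readFiltered(serialize(allowed)));

        HashMap<String, String> denied = new HashMap<>(); // not on the allow-list
        denied.put("k", "v");
        try {
            readFiltered(serialize(denied));
            System.out.println("unexpected: HashMap was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be supplied process-wide through the `jdk.serialFilter` system property, which covers `ObjectInputStream` instances created inside libraries where no per-stream filter can be set from application code.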