MyBatis upgrade from 3.4.0 to 3.5.6 not matching the columns if the attribute names do not match the Entity class property


Durgapriya Babu

Jan 6, 2021, 2:43:49 AM
to mybatis-user
We have an application which uses MyBatis version 3.4.0, and as part of the security scan we need to upgrade it to 3.5.6.

But after the upgrade we see there are issues when the attributes in the SQL do not match exactly with the entity class. As this is an existing application with 1000's of SQL statements, it's cumbersome to identify and change each SQL. Is there any workaround for this? Please suggest.

Example:
<resultMap type="com.test.Org" id="orgResult">
    <result property="orgId" column="org_Id" />
</resultMap>

<select id="getResponse" resultType="orgResult">
    select org_id as orgId from table1 where ref = #{ref}
</select>

The above is not mapping the orgId value, as the result property column name is different from the alias name in the SQL statement. This works fine in 3.4.0.

Thanks!

Iwao AVE!

Jan 6, 2021, 4:48:02 AM
to mybatis-user
Hello,

It probably is related to this fix made in version 3.5.4 : https://github.com/mybatis/mybatis-3/issues/1551

Basically, there was a bug in one of the built-in type handlers that used 'column name' instead of 'column label' when getting the result.
In your case, this bug hid the misconfiguration in your result map when the app was developed.
And now that the bug is fixed, the hidden problem is exposed.

As an easy/temporary workaround, you can try disabling `useColumnLabel`, however, this could cause other problems for obvious reasons.
https://mybatis.org/mybatis-3/configuration.html#settings

You seem to understand this, but the right solution would be to correct the `column` value of `<result />` or to modify the column alias in the SQL.

p.s.
If your security concern is about the JDK's deserialization vulnerability, you can (and should) use the JEP-290 serialization filter.
It is effective against any version of MyBatis (and most other libraries/frameworks), so you may be able to use MyBatis 3.5.3 which does not include the bug fix.
https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66

Regards,
Iwao

Durgapriya Babu

Jan 31, 2021, 11:48:24 PM
to mybatis-user
Thanks Iwao. We need to migrate it to 3.5.6. So we are planning to fix the issues that were previously ignored in the older versions.
Is there any list of issues/recommendations available to follow to migrate from 3.4.0?

As we have many mapper files with a lot of SQL statements in many modules, we need to know the known issues that can be checked instead of changing all.

Regards!

Iwao AVE!

Feb 1, 2021, 3:18:46 AM
to mybatis-user
The release notes are here: https://github.com/mybatis/mybatis-3/releases
For each version, there are lists of enhancements, fixed bugs and possibly backward incompatible changes.

If you have any difficulties with the upgrade, please post the details and we may be able to help.

Regards,
Iwao


Durgapriya Babu

Feb 1, 2021, 11:33:36 PM
to mybatis-user

Hi,

For resultMap not using the same column name as in alias, we are not getting any exception. But the value is not mapped and returned as null. Is there any configuration to enable for throwing exceptions when there is a mismatch in the resultMap?

Thanks!

Iwao AVE!

Feb 2, 2021, 1:41:43 PM
to mybatis-user
You can try setting `autoMappingUnknownColumnBehavior` to `FAILING` or `WARNING`.

There could be false-positives when the result map contains `<collection />` or `<association />`, but it would be better than nothing.
The best solution always is to have unit/integration tests to assert every mapping. :)

Regards,
Iwao
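
A static check for the mismatch discussed in this thread, as an added example that is not part of the original posts and not MyBatis code: it lists `<result>`/`<id>` columns that do not appear among the column labels of the SELECT that uses the result map. The sample mapper is constructed from the thread's example with the statement assumed to reference the map via `resultMap=`; the function names, the simplified SELECT-list parsing and the case-insensitive comparison are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's example (resultMap= is assumed).
SAMPLE_MAPPER = """<mapper namespace="com.test.OrgMapper">
  <resultMap type="com.test.Org" id="orgResult">
    <result property="orgId" column="org_Id" />
    <result property="name" column="org_name" />
  </resultMap>
  <select id="getResponse" resultMap="orgResult">
    select org_id as orgId, org_name from table1 where ref = #{ref}
  </select>
</mapper>"""

def column_labels(sql):
    """Lower-cased labels of a plain SELECT list, or None if it cannot be decided."""
    m = re.search(r"select\s+(.*?)\s+from\s", sql, re.I | re.S)
    if not m or "*" in m.group(1) or "(" in m.group(1):
        return None  # wildcard, function call or subquery: needs manual review
    labels = set()
    for item in m.group(1).split(","):
        # Label = alias if present ("col AS a" / "col a"), else the bare column name.
        label = re.split(r"\s+(?:as\s+)?", item.strip(), flags=re.I)[-1]
        labels.add(label.split(".")[-1].strip('"`').lower())
    return labels

def audit_mapper(xml_text):
    """Return (statement id, property, column) for mapped columns absent from the SELECT."""
    root = ET.fromstring(xml_text)
    # Direct <id>/<result> children only; <association>/<collection> are skipped.
    result_maps = {
        rm.get("id"): [(r.get("property"), r.get("column"))
                       for r in rm if r.tag in ("id", "result") and r.get("column")]
        for rm in root.iter("resultMap")
    }
    findings = []
    for sel in root.iter("select"):
        mappings = result_maps.get(sel.get("resultMap"))
        if not mappings or len(sel):  # unknown map, or dynamic SQL (<if>, <include>)
            continue
        labels = column_labels("".join(sel.itertext()))
        if labels is not None:
            # Assumption: column labels are compared case-insensitively.
            findings += [(sel.get("id"), p, c) for p, c in mappings if c.lower() not in labels]
    return findings

if __name__ == "__main__":
    for stmt, prop, col in audit_mapper(SAMPLE_MAPPER):
        print(f"{stmt}: column '{col}' (property '{prop}') is not a label in the SELECT")
```

Statements it skips (dynamic SQL, wildcards, functions, namespace-qualified result map references) still need the unit/integration tests suggested above.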
