author | david.mcweeney <david.mcweeney@est.tech> | 2021-07-27 09:39:48 +0100 |
---|---|---|
committer | david.mcweeney <david.mcweeney@est.tech> | 2021-07-27 10:23:41 +0100 |
commit | 4916be0d1ef49873bb8f08e71502a7c0cb2233b1 (patch) | |
tree | fd6ed252359a975c005718c721a75e04ba080fd6 | |
parent | d73829d6083d7d31bd780cfbc086476ae0da8bb0 (diff) |
DMAAP-DR SQL Injection fix
Change-Id: Ie85bbb46455d79f9e6eb23bc32253ea355a8e3b2
Signed-off-by: david.mcweeney <david.mcweeney@est.tech>
Issue-ID: DMAAP-1623
-rwxr-xr-x | datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
index c564db86..8a82c5cf 100755
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
@@ -79,6 +79,8 @@ public class StatisticsServlet extends BaseServlet {
private static final String SQL_JOIN_RECORDS = " e JOIN LOG_RECORDS m ON m.PUBLISH_ID = e.PUBLISH_ID AND e.FEEDID IN (";
private static final String SQL_STATUS_204 = " AND m.STATUS=204 AND e.RESULT=204 ";
private static final String SQL_GROUP_SUB_ID = " group by SUBID";
+ private static final String JSON_OUTPUT_TYPE = "json";
+ private static final String CSV_OUTPUT_TYPE = "csv";
/**
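Review bot: The two new constants carry no comment explaining that they are the only values the OUTPUT_TYPE request parameter is allowed to take, which is the whole point of this injection fix and the reason a later reader must not add a third value without also extending the validation. A one-line comment above `JSON_OUTPUT_TYPE` such as `// Allowlisted values for the OUTPUT_TYPE request parameter; the servlet never forwards the raw parameter value` would record that intent. The enclosing class continues outside this hunk.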
@@ -109,7 +111,7 @@ public class StatisticsServlet extends BaseServlet {
// check Accept: header??
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType(LOGLIST_CONTENT_TYPE);
- String outputType = "json";
+ String outputType = JSON_OUTPUT_TYPE;
if (req.getParameter(FEEDID) == null && req.getParameter(GROUPID) == null) {
try {
resp.getOutputStream().print("Invalid request, Feedid or Group ID is required.");
@@ -153,8 +155,12 @@ public class StatisticsServlet extends BaseServlet {
if (req.getParameter("type") != null) {
map.put(EVENT_TYPE, req.getParameter("type").replace("|", ","));
}
- if (req.getParameter(OUTPUT_TYPE) != null) {
- map.put(OUTPUT_TYPE, req.getParameter(OUTPUT_TYPE));
+ if (req.getParameter(OUTPUT_TYPE) != null && req.getParameter(OUTPUT_TYPE).equals(CSV_OUTPUT_TYPE)) {
+ map.put(OUTPUT_TYPE, req.getParameter(CSV_OUTPUT_TYPE));
+ outputType = CSV_OUTPUT_TYPE;
+ }
+ if (req.getParameter(OUTPUT_TYPE) != null && req.getParameter(OUTPUT_TYPE).equals(JSON_OUTPUT_TYPE)) {
+ map.put(OUTPUT_TYPE, req.getParameter(JSON_OUTPUT_TYPE));
}
if (req.getParameter(START_TIME) != null) {
map.put(START_TIME, req.getParameter(START_TIME));
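Review bot: The two added `map.put` lines look up the wrong request parameter: `req.getParameter(CSV_OUTPUT_TYPE)` reads a parameter named "csv" and `req.getParameter(JSON_OUTPUT_TYPE)` one named "json", so in the normal case where the client only sends the OUTPUT_TYPE parameter the map entry becomes null, whereas the removed code stored the parameter's value. Since the value has just been checked against the constant, the fix is to store the constant itself, `map.put(OUTPUT_TYPE, CSV_OUTPUT_TYPE);` and `map.put(OUTPUT_TYPE, JSON_OUTPUT_TYPE);`, which also keeps the allowlist semantics of the change (the raw parameter never reaches the map). Whether a null OUTPUT_TYPE entry is consumed downstream cannot be seen in this hunk, so the practical impact is inferred. As a point of style, `req.getParameter(OUTPUT_TYPE)` is now evaluated four times; reading it once into a local and using an `if`/`else if` on the constants would make the allowlist easier to audit. The enclosing method starts before this hunk and continues after it.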
@@ -166,9 +172,6 @@ public class StatisticsServlet extends BaseServlet {
map.put(START_TIME, req.getParameter("time"));
map.put(END_TIME, null);
}
- if (req.getParameter(OUTPUT_TYPE) != null) {
- outputType = req.getParameter(OUTPUT_TYPE);
- }
try {
this.getRecordsForSQL(map, outputType, resp.getOutputStream(), resp);
} catch (IOException ioe) {
@@ -511,7 +514,7 @@ public class StatisticsServlet extends BaseServlet {
try (Connection conn = ProvDbUtils.getInstance().getConnection();
PreparedStatement ps = conn.prepareStatement(filterQuery);
ResultSet rs = ps.executeQuery()) {
- if ("csv".equals(outputType)) {
+ if (CSV_OUTPUT_TYPE.equals(outputType)) {
resp.setContentType("application/octet-stream");
DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd-MM-yyyy HH:mm:ss");
resp.setHeader("Content-Disposition",