author | Jorge Hernandez <jh1730@att.com> | 2017-08-14 19:03:26 +0000 |
committer | Gerrit Code Review <gerrit@onap.org> | 2017-08-14 19:03:26 +0000 |
commit | 3c519a0d908c34e22d724d663ad3512f6cdd8d8f (patch) | |
tree | 403dfa329027248561a454a0aa6253fa746d2967 /ONAP-PAP-REST/src/main/java/org | |
parent | 40aef4f4b85c6621f255f526555a8b68616f2a9a (diff) | |
parent | 59e3ddb0f0698965962a7d5879a6e39a80744648 (diff) |
Merge "Add fix for SQL injection."
Diffstat (limited to 'ONAP-PAP-REST/src/main/java/org')
2 files changed, 17 insertions, 5 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
index 047342ad0..923e528fa 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
@@ -38,6 +38,8 @@ import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import javax.script.SimpleBindings;
+
 import org.apache.commons.io.FilenameUtils;
 import org.onap.policy.common.logging.eelf.MessageCodes;
 import org.onap.policy.common.logging.eelf.PolicyLogger;
@@ -189,8 +191,10 @@ public class CreateBrmsParamPolicy extends Policy {
     private String getValueFromDictionary(String templateName){
         String ruleTemplate = null;
         CommonClassDaoImpl dbConnection = new CommonClassDaoImpl();
-        String queryString="from BRMSParamTemplate where param_template_name= '"+templateName+"'";
-        List<Object> result = dbConnection.getDataByQuery(queryString);
+        String queryString="from BRMSParamTemplate where param_template_name= :templateName";
+        SimpleBindings params = new SimpleBindings();
+        params.put("templateName", templateName);
+        List<Object> result = dbConnection.getDataByQuery(queryString, params);
         if(!result.isEmpty()){
             BRMSParamTemplate template = (BRMSParamTemplate) result.get(0);
             ruleTemplate = template.getRule();
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
index 2cc211701..7b50397ca 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
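Review bot: The second hunk of CreateBrmsParamPolicy.java moves `templateName` into a named HQL parameter, which is the correct repair, but nothing in the method records why the value must stay out of the query string, so a later edit can reintroduce the concatenation. Suggest a comment above `queryString`: `// templateName is treated as untrusted input: bind it via params, never concatenate it into the HQL`. The commit title frames the value as an injection vector, so the comment only states the precondition the fix already relies on. getValueFromDictionary's body continues past the end of the hunk.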
@@ -21,6 +21,9 @@ package org.onap.policy.pap.xacml.rest.daoimpl;
 import java.util.List;
+import java.util.Map;
+
+import javax.script.SimpleBindings;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -228,24 +231,29 @@ public class CommonClassDaoImpl implements CommonClassDao{
         return data;
     }
-
+    @SuppressWarnings("unchecked")
     @Override
-    public List<Object> getDataByQuery(String query) {
+    public List<Object> getDataByQuery(String query, SimpleBindings params) {
         Session session = sessionFactory.openSession();
         Transaction tx = session.beginTransaction();
         List<Object> data = null;
         try {
             Query hbquery = session.createQuery(query);
+            for (Map.Entry<String, Object> paramPair : params.entrySet()) {
+                hbquery.setParameter(paramPair.getKey(), paramPair.getValue());
+            }
             data = hbquery.list();
             tx.commit();
         } catch (Exception e) {
-            LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+            LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+            throw e;
         }finally{
             try{
                 session.close();
             }catch(Exception e1){
                 LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Closing Connection/Statement"+e1);
+                throw e1;
             }
         }
         return data; |
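Review bot: The `throw e1;` added inside the finally block's inner catch replaces any exception already propagating from the try body, so a query failure whose session also fails to close surfaces only as "Error While Closing Connection/Statement" and the original cause is lost; keep the log line there and drop the rethrow (`// log only: rethrowing from finally would mask the query failure`). The catch block now rethrows `e` but never calls `tx.rollback()`, so the transaction begun on the line above is abandoned rather than rolled back before `session.close()`. The new signature dereferences `params.entrySet()` unconditionally, so a caller passing `null` gets a NullPointerException instead of the query running with no bindings; either guard the loop with `if (params != null)` or make the precondition explicit with `Objects.requireNonNull(params, "params")`. The binding loop is what makes this an injection fix, so the method's Javadoc should state that `query` must be a constant HQL string and that every caller-supplied value must travel through `params`, since a caller that still concatenates into `query` bypasses the protection. getDataByQuery's closing brace lies outside the hunk.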