summaryrefslogtreecommitdiffstats
path: root/ONAP-PAP-REST/src
diff options
context:
space:
mode:
authorJorge Hernandez <jh1730@att.com>2017-08-14 19:03:26 +0000
committerGerrit Code Review <gerrit@onap.org>2017-08-14 19:03:26 +0000
commit3c519a0d908c34e22d724d663ad3512f6cdd8d8f (patch)
tree403dfa329027248561a454a0aa6253fa746d2967 /ONAP-PAP-REST/src
parent40aef4f4b85c6621f255f526555a8b68616f2a9a (diff)
parent59e3ddb0f0698965962a7d5879a6e39a80744648 (diff)
Merge "Add fix for SQL injection."
Diffstat (limited to 'ONAP-PAP-REST/src')
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java8
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java14
2 files changed, 17 insertions, 5 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
index 047342ad0..923e528fa 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
@@ -38,6 +38,8 @@ import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import javax.script.SimpleBindings;
+
import org.apache.commons.io.FilenameUtils;
import org.onap.policy.common.logging.eelf.MessageCodes;
import org.onap.policy.common.logging.eelf.PolicyLogger;
@@ -189,8 +191,10 @@ public class CreateBrmsParamPolicy extends Policy {
private String getValueFromDictionary(String templateName){
String ruleTemplate = null;
CommonClassDaoImpl dbConnection = new CommonClassDaoImpl();
- String queryString="from BRMSParamTemplate where param_template_name= '"+templateName+"'";
- List<Object> result = dbConnection.getDataByQuery(queryString);
+ String queryString="from BRMSParamTemplate where param_template_name= :templateName";
+ SimpleBindings params = new SimpleBindings();
+ params.put("templateName", templateName);
+ List<Object> result = dbConnection.getDataByQuery(queryString, params);
if(!result.isEmpty()){
BRMSParamTemplate template = (BRMSParamTemplate) result.get(0);
ruleTemplate = template.getRule();
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
index 2cc211701..7b50397ca 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
@@ -21,6 +21,9 @@
package org.onap.policy.pap.xacml.rest.daoimpl;
import java.util.List;
+import java.util.Map;
+
+import javax.script.SimpleBindings;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -228,24 +231,29 @@ public class CommonClassDaoImpl implements CommonClassDao{
return data;
}
-
+
@SuppressWarnings("unchecked")
@Override
- public List<Object> getDataByQuery(String query) {
+ public List<Object> getDataByQuery(String query, SimpleBindings params) {
Session session = sessionFactory.openSession();
Transaction tx = session.beginTransaction();
List<Object> data = null;
try {
Query hbquery = session.createQuery(query);
+ for (Map.Entry<String, Object> paramPair : params.entrySet()) {
+ hbquery.setParameter(paramPair.getKey(), paramPair.getValue());
+ }
data = hbquery.list();
tx.commit();
} catch (Exception e) {
- LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+ LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+ throw e;
}finally{
try{
session.close();
}catch(Exception e1){
LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Closing Connection/Statement"+e1);
+ throw e1;
}
}
return data;