summaryrefslogtreecommitdiffstats
path: root/ONAP-PAP-REST/src
diff options
context:
space:
mode:
authorRodriguez, Cuauhtemoctzin (cr056n) <cr056n@us.att.com>2017-08-04 16:02:20 -0500
committerTemoc Rodriguez <cr056n@att.com>2017-08-14 18:26:18 +0000
commit59e3ddb0f0698965962a7d5879a6e39a80744648 (patch)
treea5315a4d0bb39574ecea01d376019073005b0809 /ONAP-PAP-REST/src
parent827a2016429bc377e28d2a414b6bcbdf8b6dc924 (diff)
Add fix for SQL injection.
Add fix for SQL injection by passing parameters into getDataByQuery method and binding parameters. Add junit test file. Override equals and hashcode methods for more thorough testing on ActionBodyEntity, ConfigurationDataEntity, PolicyEntity, PolicyVersion, WatchPolicyNotificationTable classes. Issue-Id: [POLICY-158] Change-Id: Icebe1ca1ff01c8ea7435729967f4d349a1026054 Signed-off-by: ITSERVICES\cr056n <cr056n@att.com>
Diffstat (limited to 'ONAP-PAP-REST/src')
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java8
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java14
2 files changed, 17 insertions, 5 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
index 047342ad0..923e528fa 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
@@ -38,6 +38,8 @@ import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import javax.script.SimpleBindings;
+
import org.apache.commons.io.FilenameUtils;
import org.onap.policy.common.logging.eelf.MessageCodes;
import org.onap.policy.common.logging.eelf.PolicyLogger;
@@ -189,8 +191,10 @@ public class CreateBrmsParamPolicy extends Policy {
private String getValueFromDictionary(String templateName){
String ruleTemplate = null;
CommonClassDaoImpl dbConnection = new CommonClassDaoImpl();
- String queryString="from BRMSParamTemplate where param_template_name= '"+templateName+"'";
- List<Object> result = dbConnection.getDataByQuery(queryString);
+ String queryString="from BRMSParamTemplate where param_template_name= :templateName";
+ SimpleBindings params = new SimpleBindings();
+ params.put("templateName", templateName);
+ List<Object> result = dbConnection.getDataByQuery(queryString, params);
if(!result.isEmpty()){
BRMSParamTemplate template = (BRMSParamTemplate) result.get(0);
ruleTemplate = template.getRule();
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
index 2cc211701..7b50397ca 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
@@ -21,6 +21,9 @@
package org.onap.policy.pap.xacml.rest.daoimpl;
import java.util.List;
+import java.util.Map;
+
+import javax.script.SimpleBindings;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -228,24 +231,29 @@ public class CommonClassDaoImpl implements CommonClassDao{
return data;
}
-
+
@SuppressWarnings("unchecked")
@Override
- public List<Object> getDataByQuery(String query) {
+ public List<Object> getDataByQuery(String query, SimpleBindings params) {
Session session = sessionFactory.openSession();
Transaction tx = session.beginTransaction();
List<Object> data = null;
try {
Query hbquery = session.createQuery(query);
+ for (Map.Entry<String, Object> paramPair : params.entrySet()) {
+ hbquery.setParameter(paramPair.getKey(), paramPair.getValue());
+ }
data = hbquery.list();
tx.commit();
} catch (Exception e) {
- LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+ LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+ throw e;
}finally{
try{
session.close();
}catch(Exception e1){
LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Closing Connection/Statement"+e1);
+ throw e1;
}
}
return data;