author | Rodriguez, Cuauhtemoctzin (cr056n) <cr056n@us.att.com> | 2017-08-04 16:02:20 -0500 |
committer | Temoc Rodriguez <cr056n@att.com> | 2017-08-14 18:26:18 +0000 |
commit | 59e3ddb0f0698965962a7d5879a6e39a80744648 (patch) | |
tree | a5315a4d0bb39574ecea01d376019073005b0809 /ONAP-PAP-REST/src | |
parent | 827a2016429bc377e28d2a414b6bcbdf8b6dc924 (diff) |
Add fix for SQL injection.
Fix SQL (HQL) injection by passing the query parameters into the getDataByQuery method and binding them as named parameters instead of concatenating them into the query string. Add a junit test file. Override equals and hashcode methods for more thorough testing on ActionBodyEntity, ConfigurationDataEntity, PolicyEntity, PolicyVersion, WatchPolicyNotificationTable classes.
Issue-Id: [POLICY-158]
Change-Id: Icebe1ca1ff01c8ea7435729967f4d349a1026054
Signed-off-by: ITSERVICES\cr056n <cr056n@att.com>
Diffstat (limited to 'ONAP-PAP-REST/src')
2 files changed, 17 insertions, 5 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
index 047342ad0..923e528fa 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/CreateBrmsParamPolicy.java
@@ -38,6 +38,8 @@ import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.script.SimpleBindings;
+
 import org.apache.commons.io.FilenameUtils;
 import org.onap.policy.common.logging.eelf.MessageCodes;
 import org.onap.policy.common.logging.eelf.PolicyLogger;
@@ -189,8 +191,10 @@ public class CreateBrmsParamPolicy extends Policy {
 	private String getValueFromDictionary(String templateName){
 		String ruleTemplate = null;
 		CommonClassDaoImpl dbConnection = new CommonClassDaoImpl();
-		String queryString="from BRMSParamTemplate where param_template_name= '"+templateName+"'";
-		List<Object> result = dbConnection.getDataByQuery(queryString);
+		String queryString="from BRMSParamTemplate where param_template_name= :templateName";
+		SimpleBindings params = new SimpleBindings();
+		params.put("templateName", templateName);
+		List<Object> result = dbConnection.getDataByQuery(queryString, params);
 		if(!result.isEmpty()){
 			BRMSParamTemplate template = (BRMSParamTemplate) result.get(0);
 			ruleTemplate = template.getRule();
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
index 2cc211701..7b50397ca 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/daoimpl/CommonClassDaoImpl.java
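Review bot: `getDataByQuery` is changed in this same commit to rethrow the caught exception instead of returning `null`, so on a database failure the call on the `List<Object> result =` line now throws the Hibernate exception rather than handing a `null` result to `result.isEmpty()` (itself a NullPointerException); either way the failure escapes `getValueFromDictionary` unhandled, so the method should either catch it and return `null` like the no-match path or carry a Javadoc stating that a database error propagates to the caller. The named-parameter binding is the right fix, but `templateName` goes into `params.put` unchecked; `SimpleBindings.put` only rejects a null or empty key, and how Hibernate binds an untyped `null` value varies by version, so an explicit `if (templateName == null) { return null; }` before building the query makes the no-match case deterministic. `javax.script.SimpleBindings` is an odd carrier for query parameters; a plain `Map<String, Object>` built with `Collections.singletonMap("templateName", templateName)` says what it is without pulling in the scripting API, though that depends on what the DAO signature accepts. The rest of `getValueFromDictionary` runs past the end of the hunk.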
@@ -21,6 +21,9 @@ package org.onap.policy.pap.xacml.rest.daoimpl;
 
 import java.util.List;
+import java.util.Map;
+
+import javax.script.SimpleBindings;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -228,24 +231,29 @@ public class CommonClassDaoImpl implements CommonClassDao{
 		return data;
 	}
 
-	
+
 	@SuppressWarnings("unchecked")
 	@Override
-	public List<Object> getDataByQuery(String query) {
+	public List<Object> getDataByQuery(String query, SimpleBindings params) {
 		Session session = sessionFactory.openSession();
 		Transaction tx = session.beginTransaction();
 		List<Object> data = null;
 		try {
 			Query hbquery = session.createQuery(query);
+			for (Map.Entry<String, Object> paramPair : params.entrySet()) {
+				hbquery.setParameter(paramPair.getKey(), paramPair.getValue());
+			}
 			data = hbquery.list();
 			tx.commit();
 		} catch (Exception e) {
-			LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+			LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Querying Database Table"+e);
+			throw e;
 		}finally{
 			try{
 				session.close();
 			}catch(Exception e1){
 				LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Error While Closing Connection/Statement"+e1);
+				throw e1;
 			}
 		}
 		return data;
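Review bot: The `throw e1;` added inside the `finally` block's catch replaces whatever the new `throw e;` in the outer catch raised, so a failed `session.close()` hides the original query failure; log the close failure and let the primary exception propagate instead. The outer catch also never rolls the transaction back before rethrowing, leaving `tx` open when `session.close()` runs; `if (tx != null && tx.isActive()) { tx.rollback(); }` before `throw e;` is the usual shape. The loop over `params.entrySet()` dereferences `params` unguarded, so a caller passing `null` gets a NullPointerException before the query runs; guard with `if (params != null)` or state in a Javadoc that an empty `SimpleBindings` is required. Binding the values closes the injection only for the bound parameters — the `query` text is still executed exactly as written — so a Javadoc such as `/** Runs an HQL query with the given named-parameter bindings; the query string must be a constant, never built from request data. */` would tell future callers where the trust boundary is.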