authorRodriguez, Cuauhtemoctzin (cr056n) <cr056n@us.att.com>2017-08-04 16:02:20 -0500
committerTemoc Rodriguez <cr056n@att.com>2017-08-14 18:26:18 +0000
commit59e3ddb0f0698965962a7d5879a6e39a80744648 (patch)
treea5315a4d0bb39574ecea01d376019073005b0809 /POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java
parent827a2016429bc377e28d2a414b6bcbdf8b6dc924 (diff)
Add fix for SQL injection.
Add fix for SQL injection by passing parameters into getDataByQuery method and binding parameters. Add junit test file. Override equals and hashcode methods for more thorough testing on ActionBodyEntity, ConfigurationDataEntity, PolicyEntity, PolicyVersion, WatchPolicyNotificationTable classes. Issue-Id: [POLICY-158] Change-Id: Icebe1ca1ff01c8ea7435729967f4d349a1026054 Signed-off-by: ITSERVICES\cr056n <cr056n@att.com>
Diffstat (limited to 'POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java')
-rw-r--r--POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java15
1 files changed, 11 insertions, 4 deletions
diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java
index 7d601d6f3..b72993f19 100644
--- a/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java
+++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/AutoPushController.java
@@ -38,6 +38,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import javax.script.SimpleBindings;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -148,8 +149,11 @@ public class AutoPushController extends RestrictedBaseController{
}else{
if(!scopes.isEmpty()){
for(String scope : scopes){
- String query = "From PolicyVersion where policy_name like '"+scope+"%' and id > 0";
- List<Object> filterdatas = commonClassDao.getDataByQuery(query);
+ scope += "%";
+ String query = "From PolicyVersion where policy_name like :scope and id > 0";
+ SimpleBindings params = new SimpleBindings();
+ params.put("scope", scope);
+ List<Object> filterdatas = commonClassDao.getDataByQuery(query, params);
if(filterdatas != null){
for(int i =0; i < filterdatas.size(); i++){
data.add(filterdatas.get(i));
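Review bot: Binding `:scope` closes the SQL-injection path, but `scope += "%"` on the first added line leaves any `%` or `_` already present in `scope` live as LIKE wildcards, so a value of just `%` would match every PolicyVersion row; where `scopes` comes from is not visible in this hunk, so whether that is reachable from a request is unconfirmed. If it can be, escape the metacharacters before appending, e.g. `params.put("scope", scope.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%");` together with an `escape` clause on the `like` in the HQL. Reassigning the enhanced-for variable also reads oddly; a separate local such as `String pattern` avoids it. The enclosing method starts and ends outside the hunk.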
@@ -236,8 +240,11 @@ public class AutoPushController extends RestrictedBaseController{
dbCheckName = dbCheckName.replace(".Decision_", ":Decision_");
}
String[] split = dbCheckName.split(":");
- String query = "FROM PolicyEntity where policyName = '"+split[1]+"' and scope ='"+split[0]+"'";
- List<Object> queryData = controller.getDataByQuery(query);
+ String query = "FROM PolicyEntity where policyName = :split_1 and scope = :split_0";
+ SimpleBindings policyParams = new SimpleBindings();
+ policyParams.put("split_1", split[1]);
+ policyParams.put("split_0", split[0]);
+ List<Object> queryData = controller.getDataByQuery(query, policyParams);
PolicyEntity policyEntity = (PolicyEntity) queryData.get(0);
File temp = new File(name);
BufferedWriter bw = new BufferedWriter(new FileWriter(temp));
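Review bot: `queryData.get(0)` on the line after the added `getDataByQuery` call still runs with no null or empty check, so a name that matches no PolicyEntity row throws IndexOutOfBoundsException (or NullPointerException if the DAO returns null) rather than a handled error, and the earlier hunk in this file guards `filterdatas != null`, so the two sites are inconsistent. Add `if (queryData == null || queryData.isEmpty()) { /* report and skip */ }` before the cast; what to do on a miss depends on the surrounding method, which starts and ends outside the hunk. The bind names `split_1`/`split_0` would read better as `:policyName`/`:scope`, matching the columns they bind. `split[1]` is likewise indexed without checking `split.length > 1`, though that predates this change.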