Add fix for SQL injection.

Add fix for SQL injection by passing parameters into getDataByQuery method and binding parameters. Add junit test file. Override equals and hashcode methods for more thorough testing on ActionBodyEntity, ConfigurationDataEntity, PolicyEntity, PolicyVersion, WatchPolicyNotificationTable classes.

Issue-Id: [POLICY-158]
Change-Id: Icebe1ca1ff01c8ea7435729967f4d349a1026054
Signed-off-by: ITSERVICES\cr056n <cr056n@att.com>

1 files changed, 6 insertions, 2 deletions

diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyExportAndImportController.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyExportAndImportController.java
index d26781c0f..bb6f38b8e 100644
--- a/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyExportAndImportController.java
+++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyExportAndImportController.java
@@ -32,6 +32,7 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Set;
 
+import javax.script.SimpleBindings;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -279,8 +280,11 @@ public class PolicyExportAndImportController extends RestrictedBaseController {
 
 				if(finalColumn){
 					scope = policyEntity.getScope().replace(".", File.separator);
-					String query = "FROM PolicyEntity where policyName = '"+policyEntity.getPolicyName()+"' and scope ='"+policyEntity.getScope()+"'";
-					List<Object> queryData = controller.getDataByQuery(query);
+					String query = "FROM PolicyEntity where policyName = :policyName and scope = :policyScope";
+					SimpleBindings params = new SimpleBindings();
+					params.put("policyName", policyEntity.getPolicyName());
+					params.put("policyScope", policyEntity.getScope());
+					List<Object> queryData = controller.getDataByQuery(query, params);
 					if(!queryData.isEmpty()){
 						continue;
 					}