summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Orliński <d.orlinski@samsung.com>2019-06-17 11:53:27 +0200
committerDominik Orliński <d.orlinski@samsung.com>2019-06-25 11:32:04 +0200
commitbc81456aaed10ee5dfd3e5c031a7607d11be3e5b (patch)
tree1ae167d999eda683ec518c9fadd35dbc717351e3
parenta543a773266e13155d739e00c4b9d4b0d1529abf (diff)
Fix sql injection vulnerability
Use a variable binding instead of concatenation. Issue-ID: OJSI-174 Signed-off-by: Dominik Orliński <d.orlinski@samsung.com> Change-Id: Ia655ccf79800c132b3ac466016b8fdfd9f9c27bd
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java5
1 files changed, 4 insertions, 1 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..5e6f1d9a 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -323,7 +323,10 @@ public class UserRolesCommonServiceImpl {
} else { // remote app
@SuppressWarnings("unchecked")
List<EPRole> roles = localSession
- .createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+ .createQuery("from :name where appId=:appId")
+ .setParameter("name",EPRole.class.getName())
+ .setParameter("appId",appId)
+ .list();
for (EPRole role : roles) {
if (!extRequestValue && app.getCentralAuth()) {
rolesMap.put(role.getId(), role);