Merge "Fix sql injection vulnerability"

author: Sunder Tattavarada <statta@research.att.com> 2019-06-14 16:12:15 +0000
committer: Gerrit Code Review <gerrit@onap.org> 2019-06-14 16:12:15 +0000
commit: 9abe14fca14a8f15a7ee58cab1e92908282fef0b (patch)
tree: 3221bda9c1b1983d0b45dc5e3938b658396eac9d
parent: e496b1b94a07e7995fefd8113c0fbe25953322ea (diff)
parent: 3264d36e04f57e7f9d407b49c1253f73c4bf5d72 (diff)
2 files changed, 34 insertions, 3 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..aaaf91bd 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -176,10 +176,10 @@ public class UserRolesCommonServiceImpl  {
 	 * 
 	 * @param userId
 	 */
-	protected void createLocalUserIfNecessary(String userId) {
+	protected boolean createLocalUserIfNecessary(String userId) {
 		if (StringUtils.isEmpty(userId)) {
 			logger.error(EELFLoggerDelegate.errorLogger, "createLocalUserIfNecessary : empty userId!");
-			return;
+			return false;
 		}
 		Session localSession = null;
 		Transaction transaction = null;
@@ -188,7 +188,10 @@ public class UserRolesCommonServiceImpl  {
 			transaction = localSession.beginTransaction();
 			@SuppressWarnings("unchecked")
 			List<EPUser> userList = localSession
-					.createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+					.createQuery("from :name where orgUserId=:userId")
+					.setParameter("name",EPUser.class.getName())
+					.setParameter("userId",userId)
+					.list();
 			if (userList.size() == 0) {
 				EPUser client = searchService.searchUserByUserId(userId);
 				if (client == null) {
@@ -202,9 +205,11 @@ public class UserRolesCommonServiceImpl  {
 				}
 			}
 			transaction.commit();
+			return true;
 		} catch (Exception e) {
 			EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
 			EcompPortalUtils.rollbackTransaction(transaction, "searchOrCreateUser rollback, exception = " + e);
+			return false;
 		} finally {
 			EcompPortalUtils.closeLocalSession(localSession, "searchOrCreateUser");
 		}
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index c907a6e5..82b902a1 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -55,6 +55,7 @@ import java.util.TreeSet;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.cxf.transport.http.HTTPException;
+import org.drools.core.command.assertion.AssertEquals;
 import org.hibernate.Query;
 import org.hibernate.SQLQuery;
 import org.hibernate.Session;
@@ -239,6 +240,31 @@ public class UserRolesCommonServiceImplTest {
 
 	@SuppressWarnings("unchecked")
 	@Test
+	public void checkTheProtectionAgainstSQLInjection() throws Exception {
+		EPUser user = mockUser.mockEPUser();
+		user.setId(1l);
+		user.setOrgId(2l);
+		Query epUserQuery = Mockito.mock(Query.class);
+		List<EPUser> mockEPUserList = new ArrayList<>();
+		mockEPUserList.add(user);
+
+		// test with SQL injection, should return false
+		Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+		Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+		Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId() + "; select * from " + EPUser.class.getName() +";")).thenReturn(epUserQuery);
+		boolean ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId());
+		assertFalse(ret);
+
+		// test without SQL injection, should return true
+		Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+		Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+		Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId())).thenReturn(epUserQuery);
+		ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId());
+		assertTrue(ret);
+	}
+
+	@SuppressWarnings("unchecked")
+	@Test
 	public void getAppRolesForUserNonCentralizedForPortal() throws Exception {
 		EPUser user = mockUser.mockEPUser();
 		user.setId(1l);
author	Sunder Tattavarada <statta@research.att.com>	2019-06-14 16:12:15 +0000
committer	Gerrit Code Review <gerrit@onap.org>	2019-06-14 16:12:15 +0000
commit	9abe14fca14a8f15a7ee58cab1e92908282fef0b (patch)
tree	3221bda9c1b1983d0b45dc5e3938b658396eac9d
parent	e496b1b94a07e7995fefd8113c0fbe25953322ea (diff)
parent	3264d36e04f57e7f9d407b49c1253f73c4bf5d72 (diff)