diff options
| author |   Dominik Orliński <d.orlinski@samsung.com> | 2019-04-30 11:46:19 +0200 |
|---|---|---|
| committer | Dominik Orliński <d.orlinski@samsung.com> | 2019-06-17 11:46:06 +0200 |
| commit | d4ce764ca897efe12f3b46850aa37852c0372aa5 (patch) | |
| tree | b89377353c5f6cbcfaf79dccdc029273bf38a8f8 | |
| parent | a543a773266e13155d739e00c4b9d4b0d1529abf (diff) | |
Fix sql injection vulnerability
Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.
Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I45895dc7665ff17394e602cbccf875e4e91b5ce1
2 files changed, 8 insertions, 3 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java index 5d9761ce..17996ef8 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java @@ -523,7 +523,10 @@ public class UserRolesCommonServiceImpl { // Delete from fn_user_role @SuppressWarnings("unchecked") List<EPUserApp> userRoles = localSession.createQuery( - "from " + EPUserApp.class.getName() + " where app.id=" + appId + " and role_id=" + roleId) + "from :name where app.id=:appId and role_id=:roleId") + .setParameter("name",EPUserApp.class.getName()) + .setParameter("appId",appId) + .setParameter("roleId",roleId) .list(); logger.debug(EELFLoggerDelegate.debugLogger, "syncAppRoles: number of userRoles to delete: " + userRoles.size()); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java index c907a6e5..bb6f1676 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java @@ -427,9 +427,11 @@ public class UserRolesCommonServiceImplTest { Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId())) .thenReturn(epRoleQuery); Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list(); - Mockito.when(session.createQuery( - "from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l)) + Mockito.when(session.createQuery("from :name where app.id=:appId and role_id=:roleId")) .thenReturn(epUserAppsQuery); + Mockito.when(epUserAppsQuery.setParameter("name",EPUserApp.class.getName())).thenReturn(epUserAppsQuery); + Mockito.when(epUserAppsQuery.setParameter("appId",mockApp.getId())).thenReturn(epUserAppsQuery); + Mockito.when(epUserAppsQuery.setParameter("roleId",15l)).thenReturn(epUserAppsQuery); Mockito.doReturn(mockUserRolesList).when(epUserAppsQuery).list(); Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + 15l)) |