summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Orliński <d.orlinski@samsung.com>2019-06-17 11:53:25 +0200
committerDominik Orliński <d.orlinski@samsung.com>2019-06-25 11:31:42 +0200
commit55d9f1b146a9c421bed9d2613cefcfcb41ab3037 (patch)
tree6eeea3fb6ad7ed683a0085a00328fb1468546c60
parenta543a773266e13155d739e00c4b9d4b0d1529abf (diff)
Fix sql injection vulnerability
Use a variable binding instead of concatenation. Issue-ID: OJSI-174 Signed-off-by: Dominik Orliński <d.orlinski@samsung.com> Change-Id: I9dcec677ee9edd0d274a486af37eb950d8e828cf
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java8
1 files changed, 6 insertions, 2 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..29817214 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -276,8 +276,12 @@ public class UserRolesCommonServiceImpl {
EPUser client = userList.get(0);
roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
@SuppressWarnings("unchecked")
- List<EPUserApp> userRoles = localSession.createQuery("from " + EPUserApp.class.getName()
- + " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list();
+ List<EPUserApp> userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId")
+ .setParameter("name",EPUserApp.class.getName())
+ .setParameter("appId",appId)
+ .setParameter("roleActive",roleActive)
+ .setParameter("userId",client.getId())
+ .list();
if ("DELETE".equals(reqType)) {
for (EPUserApp userAppRoleList : userRoles) {