Fix sql injection vulnerability

Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I676ed349746cdabf320027dd27a0c16949fff6d8

1 files changed, 6 insertions, 2 deletions

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..4eeccaac 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -538,7 +538,9 @@ public class UserRolesCommonServiceImpl  {
 					// Delete from fn_menu_functional_roles
 					@SuppressWarnings("unchecked")
 					List<FunctionalMenuRole> funcMenuRoles = localSession
-							.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + roleId)
+							.createQuery("from :name where roleId=:roleId")
+							.setParameter("name",FunctionalMenuRole.class.getName())
+							.setParameter("roleId",roleId)
 							.list();
 					int numMenuRoles = funcMenuRoles.size();
 					logger.debug(EELFLoggerDelegate.debugLogger,
@@ -550,7 +552,9 @@ public class UserRolesCommonServiceImpl  {
 						// so must null out the url too, to be consistent
 						@SuppressWarnings("unchecked")
 						List<FunctionalMenuRole> funcMenuRoles2 = localSession
-								.createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + menuId)
+								.createQuery("from :name where menuId=:menuId")
+								.setParameter("name",FunctionalMenuRole.class.getName())
+								.setParameter("menuId",menuId)
 								.list();
 						int numMenuRoles2 = funcMenuRoles2.size();
 						logger.debug(EELFLoggerDelegate.debugLogger,