Fix sql injection vulnerability

Use a variable binding instead of concatenation.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I9dcec677ee9edd0d274a486af37eb950d8e828cf

1 files changed, 6 insertions, 2 deletions

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..29817214 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -276,8 +276,12 @@ public class UserRolesCommonServiceImpl  {
 				EPUser client = userList.get(0);
 				roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
 				@SuppressWarnings("unchecked")
-				List<EPUserApp> userRoles = localSession.createQuery("from " + EPUserApp.class.getName()
-						+ " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list();
+				List<EPUserApp> userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId")
+						.setParameter("name",EPUserApp.class.getName())
+						.setParameter("appId",appId)
+						.setParameter("roleActive",roleActive)
+						.setParameter("userId",client.getId())
+						.list();
 				
 				if ("DELETE".equals(reqType)) {
 					for (EPUserApp userAppRoleList : userRoles) {