diff options
author | Dominik Orliński <d.orlinski@samsung.com> | 2019-04-30 11:29:06 +0200 |
---|---|---|
committer | Dominik Orliński <d.orlinski@samsung.com> | 2019-05-30 08:55:47 +0200 |
commit | 3264d36e04f57e7f9d407b49c1253f73c4bf5d72 (patch) | |
tree | ed20e442864995b432758268c445093144ac1ac6 /ecomp-portal-BE-common/src/test | |
parent | ba546e970d779a5e87a07b3058a85e1446c39129 (diff) |
Fix sql injection vulnerability
Use a variable binding instead of concatenation.
Add new test for function 'createLocalUserIfNecessary'.
Issue-ID: OJSI-174
Change-Id: Iddd65893bb2cb16c90d4f8db59816fdf261874bc
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common/src/test')
-rw-r--r-- | ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java index c907a6e5..82b902a1 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java @@ -55,6 +55,7 @@ import java.util.TreeSet; import javax.servlet.http.HttpServletResponse; import org.apache.cxf.transport.http.HTTPException; +import org.drools.core.command.assertion.AssertEquals; import org.hibernate.Query; import org.hibernate.SQLQuery; import org.hibernate.Session; @@ -239,6 +240,31 @@ public class UserRolesCommonServiceImplTest { @SuppressWarnings("unchecked") @Test + public void checkTheProtectionAgainstSQLInjection() throws Exception { + EPUser user = mockUser.mockEPUser(); + user.setId(1l); + user.setOrgId(2l); + Query epUserQuery = Mockito.mock(Query.class); + List<EPUser> mockEPUserList = new ArrayList<>(); + mockEPUserList.add(user); + + // test with SQL injection, should return false + Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId() + "; select * from " + EPUser.class.getName() +";")).thenReturn(epUserQuery); + boolean ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId()); + assertFalse(ret); + + // test without SQL injection, should return true + Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId())).thenReturn(epUserQuery); + ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId()); + assertTrue(ret); + } + + @SuppressWarnings("unchecked") + @Test public void getAppRolesForUserNonCentralizedForPortal() throws Exception { EPUser user = mockUser.mockEPUser(); user.setId(1l); |