summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src/test
diff options
context:
space:
mode:
authorDominik Orliński <d.orlinski@samsung.com>2019-04-30 11:29:06 +0200
committerDominik Orliński <d.orlinski@samsung.com>2019-05-30 08:55:47 +0200
commit3264d36e04f57e7f9d407b49c1253f73c4bf5d72 (patch)
treeed20e442864995b432758268c445093144ac1ac6 /ecomp-portal-BE-common/src/test
parentba546e970d779a5e87a07b3058a85e1446c39129 (diff)
Fix sql injection vulnerability
Use a variable binding instead of concatenation. Add new test for function 'createLocalUserIfNecessary'. Issue-ID: OJSI-174 Change-Id: Iddd65893bb2cb16c90d4f8db59816fdf261874bc Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common/src/test')
-rw-r--r--ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java26
1 files changed, 26 insertions, 0 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index c907a6e5..82b902a1 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -55,6 +55,7 @@ import java.util.TreeSet;
import javax.servlet.http.HttpServletResponse;
import org.apache.cxf.transport.http.HTTPException;
+import org.drools.core.command.assertion.AssertEquals;
import org.hibernate.Query;
import org.hibernate.SQLQuery;
import org.hibernate.Session;
@@ -239,6 +240,31 @@ public class UserRolesCommonServiceImplTest {
@SuppressWarnings("unchecked")
@Test
+ public void checkTheProtectionAgainstSQLInjection() throws Exception {
+ EPUser user = mockUser.mockEPUser();
+ user.setId(1l);
+ user.setOrgId(2l);
+ Query epUserQuery = Mockito.mock(Query.class);
+ List<EPUser> mockEPUserList = new ArrayList<>();
+ mockEPUserList.add(user);
+
+ // test with SQL injection, should return false
+ Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+ Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+ Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId() + "; select * from " + EPUser.class.getName() +";")).thenReturn(epUserQuery);
+ boolean ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId());
+ assertFalse(ret);
+
+ // test without SQL injection, should return true
+ Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+ Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+ Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId())).thenReturn(epUserQuery);
+ ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId());
+ assertTrue(ret);
+ }
+
+ @SuppressWarnings("unchecked")
+ @Test
public void getAppRolesForUserNonCentralizedForPortal() throws Exception {
EPUser user = mockUser.mockEPUser();
user.setId(1l);