summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src
diff options
context:
space:
mode:
authorDominik Orliński <d.orlinski@samsung.com>2019-06-17 11:53:22 +0200
committerDominik Orliński <d.orlinski@samsung.com>2019-06-25 11:31:08 +0200
commitd38e7941361188f3d114f2f25258a0024f2a2f90 (patch)
tree11de023b8d23a22eb19f4ab512ac795220e2f0f5 /ecomp-portal-BE-common/src
parenta543a773266e13155d739e00c4b9d4b0d1529abf (diff)
Fix sql injection vulnerability
Use a variable binding instead of concatenation. Issue-ID: OJSI-174 Signed-off-by: Dominik Orliński <d.orlinski@samsung.com> Change-Id: I8d72c819004f05fbbf464cde73b405f2028c7bb6
Diffstat (limited to 'ecomp-portal-BE-common/src')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java5
1 files changed, 4 insertions, 1 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..14f39729 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -271,7 +271,10 @@ public class UserRolesCommonServiceImpl {
transaction = localSession.beginTransaction();
@SuppressWarnings("unchecked")
List<EPUser> userList = localSession
- .createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+ .createQuery("from :name where orgUserId=:userId")
+ .setParameter("name",EPUser.class.getName())
+ .setParameter("userId",userId)
+ .list();
if (userList.size() > 0) {
EPUser client = userList.get(0);
roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";