diff options
author | Dominik Orliński <d.orlinski@samsung.com> | 2019-06-17 11:53:25 +0200 |
---|---|---|
committer | Dominik Orliński <d.orlinski@samsung.com> | 2019-06-25 11:31:42 +0200 |
commit | 55d9f1b146a9c421bed9d2613cefcfcb41ab3037 (patch) | |
tree | 6eeea3fb6ad7ed683a0085a00328fb1468546c60 /ecomp-portal-BE-common | |
parent | a543a773266e13155d739e00c4b9d4b0d1529abf (diff) |
Fix sql injection vulnerability
Use a variable binding instead of concatenation.
Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I9dcec677ee9edd0d274a486af37eb950d8e828cf
Diffstat (limited to 'ecomp-portal-BE-common')
-rw-r--r-- | ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java index 5d9761ce..29817214 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java @@ -276,8 +276,12 @@ public class UserRolesCommonServiceImpl { EPUser client = userList.get(0); roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'"; @SuppressWarnings("unchecked") - List<EPUserApp> userRoles = localSession.createQuery("from " + EPUserApp.class.getName() - + " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list(); + List<EPUserApp> userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId") + .setParameter("name",EPUserApp.class.getName()) + .setParameter("appId",appId) + .setParameter("roleActive",roleActive) + .setParameter("userId",client.getId()) + .list(); if ("DELETE".equals(reqType)) { for (EPUserApp userAppRoleList : userRoles) { |