authorDominik Orliński <d.orlinski@samsung.com>2019-04-30 11:46:19 +0200
committerDominik Orliński <d.orlinski@samsung.com>2019-06-17 11:46:06 +0200
commitd4ce764ca897efe12f3b46850aa37852c0372aa5 (patch)
treeb89377353c5f6cbcfaf79dccdc029273bf38a8f8 /ecomp-portal-BE-common
parenta543a773266e13155d739e00c4b9d4b0d1529abf (diff)
Fix sql injection vulnerability
Use a variable binding instead of concatenation. Change test 'getAppRolesForNonCentralizedPartnerAppTest'. Issue-ID: OJSI-174 Signed-off-by: Dominik Orliński <d.orlinski@samsung.com> Change-Id: I45895dc7665ff17394e602cbccf875e4e91b5ce1
Diffstat (limited to 'ecomp-portal-BE-common')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java5
-rw-r--r--ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java6
2 files changed, 8 insertions, 3 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..17996ef8 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -523,7 +523,10 @@ public class UserRolesCommonServiceImpl {
// Delete from fn_user_role
@SuppressWarnings("unchecked")
List<EPUserApp> userRoles = localSession.createQuery(
- "from " + EPUserApp.class.getName() + " where app.id=" + appId + " and role_id=" + roleId)
+ "from :name where app.id=:appId and role_id=:roleId")
+ .setParameter("name",EPUserApp.class.getName())
+ .setParameter("appId",appId)
+ .setParameter("roleId",roleId)
.list();
logger.debug(EELFLoggerDelegate.debugLogger, "syncAppRoles: number of userRoles to delete: " + userRoles.size());
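Review bot: The new query string binds the entity name as `:name` in the `from` clause, but HQL bind parameters stand in for values only, not for entity or property names, so this query is expected to fail when Hibernate parses it rather than return the rows to delete. `EPUserApp.class.getName()` is a compile-time constant and not caller-influenced, so it can stay concatenated while the two ids remain bound: `"from " + EPUserApp.class.getName() + " where app.id=:appId and role_id=:roleId"`, with the `.setParameter("name", ...)` line dropped. The updated unit test stubs `createQuery` on a mocked session with the same literal, so it passes without the HQL ever being parsed and cannot catch this. A check against a real session would confirm the bound query still selects the intended `fn_user_role` rows. The enclosing method starts and ends outside the hunk.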
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index c907a6e5..bb6f1676 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -427,9 +427,11 @@ public class UserRolesCommonServiceImplTest {
Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId()))
.thenReturn(epRoleQuery);
Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list();
- Mockito.when(session.createQuery(
- "from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l))
+ Mockito.when(session.createQuery("from :name where app.id=:appId and role_id=:roleId"))
.thenReturn(epUserAppsQuery);
+ Mockito.when(epUserAppsQuery.setParameter("name",EPUserApp.class.getName())).thenReturn(epUserAppsQuery);
+ Mockito.when(epUserAppsQuery.setParameter("appId",mockApp.getId())).thenReturn(epUserAppsQuery);
+ Mockito.when(epUserAppsQuery.setParameter("roleId",15l)).thenReturn(epUserAppsQuery);
Mockito.doReturn(mockUserRolesList).when(epUserAppsQuery).list();
Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + 15l))