authorDominik Orliński <d.orlinski@samsung.com>2019-06-17 11:53:35 +0200
committerDominik Orliński <d.orlinski@samsung.com>2019-06-19 13:49:30 +0200
commit5247fe86ad346208a78b1bdd7565041018e56d57 (patch)
tree7f02bd48456fbc2b70c12adf0db3a7d1734e059a /ecomp-portal-widget-ms
parenta543a773266e13155d739e00c4b9d4b0d1529abf (diff)
Fix sql injection vulnerability
Use a variable binding instead of concatenation.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I0574e882e4d500408b6a6bab8986822669cba5d4
Diffstat (limited to 'ecomp-portal-widget-ms')
-rw-r--r--ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java11
1 files changed, 5 insertions, 6 deletions
diff --git a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
index b99863eb..59180d37 100644
--- a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
+++ b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
@@ -244,16 +244,15 @@ public class WidgetCatalogServiceImpl implements WidgetCatalogService {
logger.debug("WidgetCatalogServiceImpl.getWidgetCatalog: result={}", widgets);
return widgets;
}
-
-
-
-
-
+
private void updateAppId(long widgetId, Set<RoleApp> roles){
Session session = sessionFactory.openSession();
for(RoleApp role: roles){
- String sql = "UPDATE ep_widget_catalog_role SET app_id = " + role.getApp().getAppId() + " WHERE widget_id = " + widgetId + " AND ROLE_ID = " + role.getRoleId() ;
+ String sql = "UPDATE ep_widget_catalog_role SET app_id = :appId WHERE widget_id = :widgetId AND ROLE_ID = :roleId" ;
Query query = session.createSQLQuery(sql);
+ query.setParameter("appId", role.getApp().getAppId());
+ query.setParameter("widgetId", widgetId);
+ query.setParameter("roleId", role.getRoleId());
query.executeUpdate();
}
session.flush();
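Review bot: The session obtained at `Session session = sessionFactory.openSession();` is not closed or protected by try/finally anywhere in the hunk, so if `query.executeUpdate()` throws on any iteration of the loop the session and its connection are leaked. The method body continues past `session.flush();` outside the hunk, so a close may follow there, but it would still be skipped on an exception unless it sits in a `finally`; wrapping the whole body in `try (Session session = sessionFactory.openSession()) { ... }` (if this Hibernate version makes Session AutoCloseable) or adding `finally { session.close(); }` would cover that path. The named-parameter binding itself correctly replaces the three concatenated values. Minor style point on the new `sql` line: the stray space before the semicolon in `:roleId" ;` should be dropped.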