From 44484dc3fe12385b64defb2f287826285e890a65 Mon Sep 17 00:00:00 2001
From: Dominik Orliński <d.orlinski@samsung.com>
Date: Mon, 17 Jun 2019 11:53:33 +0200
Subject: Fix sql injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I676ed349746cdabf320027dd27a0c16949fff6d8
---
 .../onap/portalapp/portal/service/UserRolesCommonServiceImpl.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'ecomp-portal-BE-common/src/main/java')

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..4eeccaac 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -538,7 +538,9 @@ public class UserRolesCommonServiceImpl  {
 					// Delete from fn_menu_functional_roles
 					@SuppressWarnings("unchecked")
 					List<FunctionalMenuRole> funcMenuRoles = localSession
-							.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + roleId)
+							.createQuery("from :name where roleId=:roleId")
+							.setParameter("name",FunctionalMenuRole.class.getName())
+							.setParameter("roleId",roleId)
 							.list();
 					int numMenuRoles = funcMenuRoles.size();
 					logger.debug(EELFLoggerDelegate.debugLogger,
@@ -550,7 +552,9 @@ public class UserRolesCommonServiceImpl  {
 						// so must null out the url too, to be consistent
 						@SuppressWarnings("unchecked")
 						List<FunctionalMenuRole> funcMenuRoles2 = localSession
-								.createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + menuId)
+								.createQuery("from :name where menuId=:menuId")
+								.setParameter("name",FunctionalMenuRole.class.getName())
+								.setParameter("menuId",menuId)
 								.list();
 						int numMenuRoles2 = funcMenuRoles2.size();
 						logger.debug(EELFLoggerDelegate.debugLogger,
-- 
cgit 1.2.3-korg