From 3264d36e04f57e7f9d407b49c1253f73c4bf5d72 Mon Sep 17 00:00:00 2001
From: Dominik Orliński <d.orlinski@samsung.com>
Date: Tue, 30 Apr 2019 11:29:06 +0200
Subject: Fix sql injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use a variable binding instead of concatenation.
Add new test for function 'createLocalUserIfNecessary'.

Issue-ID: OJSI-174
Change-Id: Iddd65893bb2cb16c90d4f8db59816fdf261874bc
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
---
 .../portalapp/portal/service/UserRolesCommonServiceImpl.java  | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'ecomp-portal-BE-common/src/main')

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..aaaf91bd 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -176,10 +176,10 @@ public class UserRolesCommonServiceImpl  {
 	 * 
 	 * @param userId
 	 */
-	protected void createLocalUserIfNecessary(String userId) {
+	protected boolean createLocalUserIfNecessary(String userId) {
 		if (StringUtils.isEmpty(userId)) {
 			logger.error(EELFLoggerDelegate.errorLogger, "createLocalUserIfNecessary : empty userId!");
-			return;
+			return false;
 		}
 		Session localSession = null;
 		Transaction transaction = null;
@@ -188,7 +188,10 @@ public class UserRolesCommonServiceImpl  {
 			transaction = localSession.beginTransaction();
 			@SuppressWarnings("unchecked")
 			List<EPUser> userList = localSession
-					.createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+					.createQuery("from :name where orgUserId=:userId")
+					.setParameter("name",EPUser.class.getName())
+					.setParameter("userId",userId)
+					.list();
 			if (userList.size() == 0) {
 				EPUser client = searchService.searchUserByUserId(userId);
 				if (client == null) {
@@ -202,9 +205,11 @@ public class UserRolesCommonServiceImpl  {
 				}
 			}
 			transaction.commit();
+			return true;
 		} catch (Exception e) {
 			EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
 			EcompPortalUtils.rollbackTransaction(transaction, "searchOrCreateUser rollback, exception = " + e);
+			return false;
 		} finally {
 			EcompPortalUtils.closeLocalSession(localSession, "searchOrCreateUser");
 		}
-- 
cgit