From 30aaf77277e4437a4a57e659db1cdc84adc96dab Mon Sep 17 00:00:00 2001
From: Dominik Orliński <d.orlinski@samsung.com>
Date: Tue, 30 Apr 2019 11:44:27 +0200
Subject: Fix sql injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I5cb7561e4b2b781834bd4f2ec36dee58b4738bf2
---
 .../portalapp/portal/service/UserRolesCommonServiceImplTest.java   | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'ecomp-portal-BE-common/src/test/java/org')

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index c907a6e5..87abdbbd 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -424,8 +424,13 @@ public class UserRolesCommonServiceImplTest {
 		Mockito.when(applicationsRestClientService.get(EcompRole[].class, mockApp.getId(), "/roles"))
 				.thenReturn(mockEcompRoleArray);
 		// syncAppRolesTest
-		Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId()))
+
+		Mockito.when(session.createQuery("from :name where appId = :appId"))
 				.thenReturn(epRoleQuery);
+
+		Mockito.when(epRoleQuery.setParameter("name",EPRole.class.getName())).thenReturn(epRoleQuery);
+		Mockito.when(epRoleQuery.setParameter("appId",mockApp.getId())).thenReturn(epRoleQuery);
+
 		Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list();
 		Mockito.when(session.createQuery(
 				"from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l))
-- 
cgit