From 3264d36e04f57e7f9d407b49c1253f73c4bf5d72 Mon Sep 17 00:00:00 2001 From: Dominik Orliński Date: Tue, 30 Apr 2019 11:29:06 +0200 Subject: Fix sql injection vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use a variable binding instead of concatenation. Add new test for function 'createLocalUserIfNecessary'. Issue-ID: OJSI-174 Change-Id: Iddd65893bb2cb16c90d4f8db59816fdf261874bc Signed-off-by: Dominik Orliński --- .../service/UserRolesCommonServiceImplTest.java | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'ecomp-portal-BE-common/src/test/java/org') diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java index c907a6e5..82b902a1 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java @@ -55,6 +55,7 @@ import java.util.TreeSet; import javax.servlet.http.HttpServletResponse; import org.apache.cxf.transport.http.HTTPException; +import org.drools.core.command.assertion.AssertEquals; import org.hibernate.Query; import org.hibernate.SQLQuery; import org.hibernate.Session; @@ -237,6 +238,31 @@ public class UserRolesCommonServiceImplTest { return mockRoleInAppForUserList; } + @SuppressWarnings("unchecked") + @Test + public void checkTheProtectionAgainstSQLInjection() throws Exception { + EPUser user = mockUser.mockEPUser(); + user.setId(1l); + user.setOrgId(2l); + Query epUserQuery = Mockito.mock(Query.class); + List mockEPUserList = new ArrayList<>(); + mockEPUserList.add(user); + + // test with SQL injection, should return false + Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId() + "; select * from " + EPUser.class.getName() +";")).thenReturn(epUserQuery); + boolean ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId()); + assertFalse(ret); + + // test without SQL injection, should return true + Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery); + Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId())).thenReturn(epUserQuery); + ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId()); + assertTrue(ret); + } + @SuppressWarnings("unchecked") @Test public void getAppRolesForUserNonCentralizedForPortal() throws Exception { -- cgit 1.2.3-korg