authorChristopher Lott (cl778h) <clott@research.att.com>2017-10-20 08:22:19 -0400
committerChristopher Lott (cl778h) <clott@research.att.com>2017-10-20 08:44:33 -0400
commite3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch)
tree07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-analytics
parentddd8720d597fc9053a455b10445fb253adbc4bf7 (diff)
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion. Add filters to defend against common web Javascript attacks. Drop Greensock code with unusable license. Use OParent in EPSDK web application. Issue: US324470, US342324, PORTAL-127 Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142 Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-analytics')
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java27
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java17
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java22
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java9
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java16
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java8
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java26
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java22
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java4
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java4
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java3
-rw-r--r--ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java8
12 files changed, 92 insertions, 74 deletions
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java
index 1ffbde28..36c9d526 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java
@@ -88,6 +88,7 @@ import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
+import org.apache.commons.io.FilenameUtils;
import org.onap.portalsdk.analytics.error.RaptorException;
import org.onap.portalsdk.analytics.error.RaptorRuntimeException;
import org.onap.portalsdk.analytics.error.RaptorSchedularException;
@@ -127,6 +128,8 @@ import org.onap.portalsdk.analytics.view.ReportData;
import org.onap.portalsdk.analytics.xmlobj.DataColumnType;
import org.onap.portalsdk.analytics.xmlobj.FormFieldType;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -486,20 +489,13 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
request.getSession().removeAttribute(AppConstants.EMBEDDED_REPORTDATA_MAP);
}
//String pdfAttachmentKey = AppUtils.getRequestValue(request, "pdfAttachmentKey");
- String report_email_sent_log_id = AppUtils.getRequestValue(request, "log_id");
+ String report_email_sent_log_id = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),AppUtils.getRequestValue(request, "log_id"));
logger.debug(EELFLoggerDelegate.debugLogger, ("Email PDF" + pdfAttachmentKey+" "+ report_email_sent_log_id));
//email pdf attachment specific
if(nvl(pdfAttachmentKey).length()>0 && report_email_sent_log_id !=null)
isEmailAttachment = true;
if(isEmailAttachment) {
- /* String query = "Select user_id, rep_id from CR_REPORT_EMAIL_SENT_LOG" +
- " where rownum = 1" +
- " and gen_key='"+pdfAttachmentKey.trim()+"'" +
- " and log_id ="+report_email_sent_log_id.trim() +
- " and (sysdate - sent_date) < 1 ";*/
-
-
String query = Globals.getDownloadAllEmailSent();
query = query.replace("[pdfAttachmentKey.trim()]", pdfAttachmentKey.trim());
query = query.replace("[report_email_sent_log_id.trim()]", report_email_sent_log_id.trim());
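Review bot: Escaping `log_id` with encodeForSQL does not protect the query it feeds, because the commented-out original shows the value compared unquoted (`and log_id =` followed by the value), and quote-escaping is irrelevant where no quotes delimit the literal. The value is a numeric key, so validate it the way reportDelete does in a later hunk of this file, e.g. `Integer.parseInt(report_email_sent_log_id.trim())` before the `replace` into the query, or better bind it as a `PreparedStatement` parameter instead of splicing it in with `String.replace`. The enclosing method starts before this hunk and continues after it.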
@@ -1031,7 +1027,8 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
public String getQuickLinksJSON(HttpServletRequest request, String nextPage) {
String jsonInString = null;
try {
- ArrayList<QuickLink> quickLinks = ReportLoader.getQuickLinksJSON(request, request.getParameter("quick_links_menu_id"),true);
+
+ ArrayList<QuickLink> quickLinks = ReportLoader.getQuickLinksJSON(request, ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter("quick_links_menu_id")),true);
ObjectMapper mapper = new ObjectMapper();
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
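Review bot: The menu id is now encoded twice: once here before the call, and again inside `ReportLoader.getQuickLinksJSON` at the `[nvls(menuId)]` replacement that this same commit adds, so an id containing a quote character reaches the query double-escaped and no longer matches the stored value. Encode at exactly one layer, the point where the value is spliced into SQL; here keep `request.getParameter("quick_links_menu_id")` and rely on the ReportLoader encoding. The blank line inserted above the call can go as well. getQuickLinksJSON continues outside the hunk.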
@@ -1368,7 +1365,7 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
public String reportDelete(HttpServletRequest request, String nextPage) {
try {
- String reportID = AppUtils.getRequestValue(request, AppConstants.RI_REPORT_ID);
+ String reportID = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),AppUtils.getRequestValue(request, AppConstants.RI_REPORT_ID));
try {
int i = Integer.parseInt(reportID);
} catch(NumberFormatException ex) {
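Review bot: Wrapping `reportID` in encodeForSQL is redundant here, since the `Integer.parseInt(reportID)` on the next line already rejects anything that is not a plain integer, and this commit encodes the same value again in `ReportLoader` before each `[reportID]` replacement. The parse is the effective control; keeping the original `AppUtils.getRequestValue(request, AppConstants.RI_REPORT_ID)` avoids transforming the value twice and makes the parse failure path the single place that handles bad input. The rest of reportDelete lies outside the hunk.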
@@ -1757,9 +1754,9 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
if(request != null ) {
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff"))
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase()) ));
else
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i]) ));
}
}
if(session != null ) {
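Review bot: encodeForSQL only neutralises quote and codec-specific special characters, so the `[PARAM]` placeholders substituted into `sql` in this loop are protected only where the placeholder sits inside a quoted string literal; a placeholder used as a number, an `IN (...)` list, an identifier or an `ORDER BY` term stays injectable after this change. The same limitation applies to the analogous substitutions in the ReportWrapper, ReportSchedule, ReportFormFields and ReportParamValuesForPDFExcel hunks of this commit. Where the `Globals` SQL templates allow it, binding values through `PreparedStatement` parameters is the durable fix; until then a comment such as `// encodeForSQL is only effective for placeholders inside quoted literals` above the loop would keep the next maintainer from treating the encoding as complete. The enclosing method starts before the hunk.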
@@ -1886,7 +1883,7 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
}
}
logger.debug(EELFLoggerDelegate.debugLogger, ("SQL2:\n"+ rr.getCachedSQL()));
- String fileName = rr.getReportID()+"_"+userId+"_"+timestamp;
+ String fileName = FilenameUtils.normalize(rr.getReportID()+"_"+userId+"_"+timestamp);
boolean flag = false;
logger.debug(EELFLoggerDelegate.debugLogger, (""+Utils.isDownloadFileExists(rr.getReportID()+"_"+userId+"_"+dateStr)));
// if(Utils.isDownloadFileExists(rr.getReportID()+"_"+userId+"_"+dateStr)) {
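Review bot: `FilenameUtils.normalize` is not a traversal guard: it collapses `.` and `..` segments but still yields a path outside the intended directory when the name climbs out of it, and it returns null when the path has more `..` than leading segments, which here would turn into a literal `"null"` component in the concatenations of the next hunk and, in the ReportHandler and SearchHandler hunks of this commit, into a NullPointerException at the stream constructors. If any of `rr.getReportID()`, `userId` or `timestamp` can be attacker-influenced, a containment check is what is needed, e.g. `Path base = Paths.get(Globals.getShellScriptDir(), AppConstants.SHELL_QUERY_DIR).toAbsolutePath().normalize(); Path target = base.resolve(fileName).normalize(); if (!target.startsWith(base)) throw new IllegalArgumentException("file name escapes the query directory");`. Note also that the debug line two below still uses the un-normalised `rr.getReportID()+"_"+userId+"_"+dateStr`, so the existence check and the file actually written can disagree. The enclosing method starts before the hunk.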
@@ -1903,8 +1900,8 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
request.setAttribute("message", messageBuffer.toString());
}
else if(!flag) {
- String whole_fileName = (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_SQL);
- String whole_columnsfileName = (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_COLUMNS);
+ String whole_fileName = FilenameUtils.normalize (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_SQL);
+ String whole_columnsfileName = FilenameUtils.normalize (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_COLUMNS);
logger.debug(EELFLoggerDelegate.debugLogger, ("FILENAME "+whole_fileName));
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java
index 8a5e7e3c..b4c6faac 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java
@@ -108,6 +108,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import org.apache.commons.io.FilenameUtils;
import org.apache.poi.hssf.usermodel.HSSFCell;
import org.apache.poi.hssf.usermodel.HSSFCellStyle;
import org.apache.poi.hssf.usermodel.HSSFDateUtil;
@@ -2791,8 +2792,8 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject {
logger.debug(EELFLoggerDelegate.debugLogger, ("Xls File name " +
AppUtils.getTempFolderPath()
+ xlsFName));
- FileOutputStream xlsOut = new FileOutputStream(AppUtils.getTempFolderPath()
- + xlsFName);
+ FileOutputStream xlsOut = new FileOutputStream(FilenameUtils.normalize(AppUtils.getTempFolderPath()
+ + xlsFName));
// BufferedWriter xlsOut = new BufferedWriter(new
// FileWriter(AppUtils
// .getTempFolderPath()
@@ -2904,8 +2905,8 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject {
for(Iterator iter = setReportRuntime.iterator(); iter.hasNext(); ) {
count++;
try {
- xlsIn = new FileInputStream (AppUtils.getTempFolderPath()
- + xlsFName);
+ xlsIn = new FileInputStream (FilenameUtils.normalize(AppUtils.getTempFolderPath()
+ + xlsFName));
}
catch (FileNotFoundException e) {
System.out.println ("File not found in the specified path.");
@@ -2914,11 +2915,11 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject {
if(xlsIn != null) {
fileSystem = new POIFSFileSystem (xlsIn);
wb = new HSSFWorkbook(fileSystem);
- xlsOut = new FileOutputStream(AppUtils.getTempFolderPath()
- + xlsFName);
+ xlsOut = new FileOutputStream(FilenameUtils.normalize(AppUtils.getTempFolderPath()
+ + xlsFName));
} else {
- xlsOut = new FileOutputStream(AppUtils.getTempFolderPath()
- + xlsFName);
+ xlsOut = new FileOutputStream(FilenameUtils.normalize(AppUtils.getTempFolderPath()
+ + xlsFName));
wb = new HSSFWorkbook();
}
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java
index 0d416ae2..3fa3ff91 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java
@@ -88,6 +88,8 @@ import org.onap.portalsdk.analytics.util.AppConstants;
import org.onap.portalsdk.analytics.util.DataSet;
import org.onap.portalsdk.analytics.util.Utils;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
public class ReportLoader extends org.onap.portalsdk.analytics.RaptorObject {
@@ -488,19 +490,19 @@ public class ReportLoader extends org.onap.portalsdk.analytics.RaptorObject {
try{
String sql1= Globals.getDeleteReportRecordLog();
- sql1 = sql1.replace("[reportID]", reportID);
+ sql1 = sql1.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
String sql2= Globals.getDeleteReportRecordUsers();
- sql2 = sql2.replace("[reportID]", reportID);
+ sql2 = sql2.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
String sql3= Globals.getDeleteReportRecordSchedule();
- sql3 = sql3.replace("[reportID]", reportID);
+ sql3 = sql3.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
String sql4= Globals.getDeleteReportRecordAccess();
- sql4 = sql4.replace("[reportID]", reportID);
+ sql4 = sql4.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
String sql5= Globals.getDeleteReportRecordEmail();
- sql5 = sql5.replace("[reportID]", reportID);
+ sql5 = sql5.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
String sql6= Globals.getDeleteReportRecordFavorite();
- sql6 = sql6.replace("[reportID]", reportID);
+ sql6 = sql6.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
String sql7= Globals.getDeleteReportRecordReport();
- sql7 = sql7.replace("[reportID]", reportID);
+ sql7 = sql7.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID));
DbUtils.executeUpdate(con, sql1);
DbUtils.executeUpdate(con, sql2);
@@ -580,9 +582,9 @@ public class ReportLoader extends org.onap.portalsdk.analytics.RaptorObject {
roleList.append("," + ((String) iter.next()));
String query = Globals.getLoadQuickLinks();
- query = query.replace("[userID]", userID);
- query = query.replace("[roleList.toString()]", roleList.toString());
- query = query.replace("[nvls(menuId)]", nvls(menuId));
+ query = query.replace("[userID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userID));
+ query = query.replace("[roleList.toString()]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),roleList.toString()));
+ query = query.replace("[nvls(menuId)]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),nvls(menuId)));
DataSet ds = DbUtils
.executeQuery(query);
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java
index 21c260bd..a6043ea7 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java
@@ -70,6 +70,7 @@ import java.util.Iterator;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.io.FilenameUtils;
import org.onap.portalsdk.analytics.controller.ErrorHandler;
import org.onap.portalsdk.analytics.error.RaptorException;
import org.onap.portalsdk.analytics.model.search.ReportSearchResult;
@@ -83,6 +84,8 @@ import org.onap.portalsdk.analytics.system.Globals;
import org.onap.portalsdk.analytics.util.AppConstants;
import org.onap.portalsdk.analytics.util.DataSet;
import org.onap.portalsdk.analytics.util.HtmlStripper;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject {
private static final String HTML_FORM = "forma";
@@ -128,9 +131,9 @@ public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject {
String csvFName = AppUtils.generateFileName(request,
(sr.getPageNo() < 0) ? AppConstants.FT_CSV_ALL : AppConstants.FT_CSV);
- BufferedWriter csvOut = new BufferedWriter(new FileWriter(AppUtils
+ BufferedWriter csvOut = new BufferedWriter(new FileWriter(FilenameUtils.normalize(AppUtils
.getTempFolderPath()
- + csvFName));
+ + csvFName)));
createCSVFileContent(csvOut, sr);
csvOut.close();
@@ -292,7 +295,7 @@ public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject {
} else {
rep_name_sql = " AND UPPER(cr.title) LIKE UPPER('%%') ";
}
- sql = sql.replace("[fReportName]", rep_name_sql);
+ sql = sql.replace("[fReportName]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),rep_name_sql));
if (menuId.length() > 0){
/*sql += "AND INSTR('|'||cr.menu_id||'|', '|'||'" + menuId + "'||'|') > 0 "
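Review bot: `rep_name_sql` is a SQL fragment assembled by this method itself, including the literal `LIKE UPPER('%%')` shown just above, so passing it through encodeForSQL escapes the fragment's own quote characters and corrupts the query (with a quote-doubling codec, `'%%'` becomes `''%%''`). Encoding belongs on the user-supplied report name at the point where the fragment is built in the branch above this hunk, not on the finished fragment; restore `sql = sql.replace("[fReportName]", rep_name_sql);` here and apply `ESAPI.encoder().encodeForSQL(SecurityCodecUtil.getCodec(), ...)` to the name inside the `if` branch. The start of that construction lies outside the hunk.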
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java
index 0ba8d4c7..156572f6 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java
@@ -109,6 +109,8 @@ import org.onap.portalsdk.analytics.xmlobj.Reports;
import org.onap.portalsdk.analytics.xmlobj.SemaphoreList;
import org.onap.portalsdk.analytics.xmlobj.SemaphoreType;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
/**<HR/>
* This class is part of <B><I>RAPTOR (Rapid Application Programming Tool for OLAP Reporting)</I></B><BR/>
@@ -2965,15 +2967,15 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject {
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff")) {
if (nvl(request.getParameter(reqParameters[i].toUpperCase())).length() > 0)
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));
}
else
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
for (int i = 0; i < scheduleSessionParameters.length; i++) {
if(nvl(request.getParameter(scheduleSessionParameters[i])).trim().length()>0 )
- sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) ));
}
}
if(session != null ) {
@@ -2998,7 +3000,7 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject {
//debugLogger.debug("SQLSQLBASED no formfields " + sql);
if(request != null ) {
for (int i = 0; i < reqParameters.length; i++) {
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
}
if(session != null ) {
@@ -3009,9 +3011,9 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject {
}
}
// if it is not multiple select and ParamValue is empty this is the place it can be replaced.
- sql = Utils.replaceInString(sql, "[LOGGED_USERID]", userId);
- sql = Utils.replaceInString(sql, "[USERID]", userId);
- sql = Utils.replaceInString(sql, "[USER_ID]", userId);
+ sql = Utils.replaceInString(sql, "[LOGGED_USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId));
+ sql = Utils.replaceInString(sql, "[USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId));
+ sql = Utils.replaceInString(sql, "[USER_ID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId));
//debugLogger.debug("SQLSQLBASED no formfields after" + sql);
//debugLogger.debug("Replacing String 2 "+ sql);
//debugLogger.debug("Replaced String " + sql);
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java
index e9a4df1f..f4b54a18 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java
@@ -74,6 +74,8 @@ import org.onap.portalsdk.analytics.util.DataSet;
import org.onap.portalsdk.analytics.util.Utils;
import org.onap.portalsdk.analytics.xmlobj.FormFieldType;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
public class ReportSchedule extends RaptorObject {
@@ -652,9 +654,9 @@ public class ReportSchedule extends RaptorObject {
if (paramValue!=null && paramValue.length() > 0) {
if(paramValue.toLowerCase().trim().startsWith("select ")) {
- paramValue = Utils.replaceInString(paramValue, "[LOGGED_USERID]", userId);
- paramValue = Utils.replaceInString(paramValue, "[USERID]", userId);
- paramValue = Utils.replaceInString(paramValue, "[USER_ID]", userId);
+ paramValue = Utils.replaceInString(paramValue, "[LOGGED_USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userId));
+ paramValue = Utils.replaceInString(paramValue, "[USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userId));
+ paramValue = Utils.replaceInString(paramValue, "[USER_ID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userId));
paramValue = Utils.replaceInString(paramValue, "''", "'");
ds = ConnectionUtils.getDataSet(paramValue, dbInfo);
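Review bot: The `Utils.replaceInString(paramValue, "''", "'")` that follows the three new encodings collapses doubled single quotes back to one, which undoes exactly the escaping a quote-doubling codec (the Oracle-style one) has just applied to `userId`, so on that configuration the encoding has no lasting effect. If the un-doubling is needed for the template text, perform it before the `[USERID]` substitutions rather than after, or drop it if it only existed to repair earlier double-quoting. The enclosing method continues outside the hunk, and `userId`'s origin is not visible here, so whether it is attacker-influenced should be confirmed.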
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java
index 0693a1c7..285142f9 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java
@@ -57,6 +57,8 @@ import org.onap.portalsdk.analytics.util.Utils;
import org.onap.portalsdk.analytics.xmlobj.ColFilterType;
import org.onap.portalsdk.analytics.xmlobj.DataColumnType;
import org.onap.portalsdk.analytics.xmlobj.FormFieldType;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
public class ReportFormFields extends Vector {
private int nextElemIdx = 0;
@@ -96,17 +98,17 @@ public class ReportFormFields extends Vector {
if(fieldSQL!=null) {
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0))
- fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));
else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0)
- fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
for (int i = 0; i < scheduleSessionParameters.length; i++) {
//s_logger.debug(" Session " + " scheduleSessionParameters[i] " + scheduleSessionParameters[i].toUpperCase() + " " + request.getParameter(scheduleSessionParameters[i]));
if(request.getParameter(scheduleSessionParameters[i])!=null && request.getParameter(scheduleSessionParameters[i]).trim().length()>0 )
- fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) );
+ fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) ));
if(request.getAttribute(scheduleSessionParameters[i])!=null && ((String)request.getAttribute(scheduleSessionParameters[i])).trim().length()>0 )
- fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", (String) request.getAttribute(scheduleSessionParameters[i]) );
+ fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String) request.getAttribute(scheduleSessionParameters[i]) ));
}
@@ -129,16 +131,16 @@ public class ReportFormFields extends Vector {
if(fieldDefaultSQL!=null) {
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0))
- fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));
else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0)
- fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
for (int i = 0; i < scheduleSessionParameters.length; i++) {
//s_logger.debug(" Session " + " scheduleSessionParameters[i] " + scheduleSessionParameters[i].toUpperCase() + " " + request.getParameter(scheduleSessionParameters[i]));
if(request.getParameter(scheduleSessionParameters[i])!=null && request.getParameter(scheduleSessionParameters[i]).trim().length()>0 )
- fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) );
+ fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) ));
if(request.getAttribute(scheduleSessionParameters[i])!=null && ((String)request.getAttribute(scheduleSessionParameters[i])).trim().length()>0 )
- fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", (String) request.getAttribute(scheduleSessionParameters[i]) );
+ fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String) request.getAttribute(scheduleSessionParameters[i]) ));
}
@@ -158,9 +160,9 @@ public class ReportFormFields extends Vector {
if(rangeStartDateSQL!=null) {
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0))
- rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));
else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0)
- rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
for (int i = 0; i < sessionParameters.length; i++) {
if (session.getAttribute(sessionParameters[i])!=null && ((String)session.getAttribute(sessionParameters[i])).length() > 0)
@@ -170,13 +172,13 @@ public class ReportFormFields extends Vector {
if(rangeEndDateSQL!=null) {
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff")&& (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0))
- rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));
else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0)
rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
}
for (int i = 0; i < sessionParameters.length; i++) {
if (session.getAttribute(sessionParameters[i])!=null && ((String)session.getAttribute(sessionParameters[i])).length() > 0)
- rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + sessionParameters[i].toUpperCase()+"]", (String)session.getAttribute(sessionParameters[i]) );
+ rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + sessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String)session.getAttribute(sessionParameters[i]) ));
}
}
String helpText = fft.getComment();
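Review bot: The `else if` branch for `rangeEndDateSQL` in the middle of this hunk still substitutes `request.getParameter(reqParameters[i])` raw, while its `if` branch and every sibling loop in this file (the fieldSQL, fieldDefaultSQL and rangeStartDateSQL hunks above) now wrap the value in encodeForSQL; the omission looks accidental and leaves one request-controlled value unescaped. The line should read `rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));`. The session-attribute replacement of the rangeStartDateSQL loop is not part of any hunk here, which suggests it was left unencoded too; worth checking.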
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java
index d5911cbb..c50581e4 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java
@@ -52,6 +52,8 @@ import org.onap.portalsdk.analytics.util.AppConstants;
import org.onap.portalsdk.analytics.util.DataSet;
import org.onap.portalsdk.analytics.util.Utils;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
public class ReportParamValuesForPDFExcel extends Hashtable {
@@ -154,10 +156,10 @@ public class ReportParamValuesForPDFExcel extends Hashtable {
if(sql!=null && sql.trim().length()>0){
if(name.equals(ff.getFieldName())){
- sql = Utils.replaceInString(sql, "[VALUE]", value);
+ sql = Utils.replaceInString(sql, "[VALUE]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value));
}
if(name.equals(ff1.getFieldName())){
- sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", value);
+ sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value));
} else continue;
}
@@ -175,10 +177,10 @@ public class ReportParamValuesForPDFExcel extends Hashtable {
if(sql!=null && sql.trim().length()>0){
if(name.equals(ff.getFieldName())){
- sql = Utils.replaceInString(sql, "[VALUE]", value);
+ sql = Utils.replaceInString(sql, "[VALUE]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value));
}
if(name.equals(ff1.getFieldName())){
- sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", value);
+ sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value));
} else continue;
}
@@ -194,7 +196,7 @@ public class ReportParamValuesForPDFExcel extends Hashtable {
if(name.length()<=0) name = ff.getFieldName();
value = rr.getParamValue(name);
//debugLogger.debug("Name "+ name+ " value:" + value);
- String paramValue = getParamValueForSQL(name, value);
+ String paramValue = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), getParamValueForSQL(name, value));
//debugLogger.debug("PDFEXCEL " + name+ " " + ff.getFieldName()+ " " + value + " " + sql +" "+ paramValue);
if(name!=null && name.equals(ff.getFieldName()))
sql = Utils.replaceInString(sql, "[VALUE]", paramValue);
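Review bot: The encoding on line 437 is applied to the output of getParamValueForSQL(name, value) rather than to the raw value, and that helper's name suggests it already formats the value for SQL; if it adds quotes or assembles a comma-separated list, encodeForSQL() will escape the quotes it introduced and yield a broken or double-escaped literal. The helper is not visible in this hunk so this needs confirming, but if it does format the value, the escaping should move inside: `String paramValue = getParamValueForSQL(name, ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), value));` so that only the user-supplied part is touched. The enclosing method starts outside the hunk.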
@@ -206,7 +208,7 @@ public class ReportParamValuesForPDFExcel extends Hashtable {
FormField ff2 = null;
for (Iterator iter1 = rff.iterator(); iter1.hasNext();) {
ff2 = (FormField)iter1.next();
- sql = Utils.replaceInString(sql, "[" + ff2.getFieldDisplayName() +"]", getParamValue(ff2.getFieldName()));
+ sql = Utils.replaceInString(sql, "[" + ff2.getFieldDisplayName() +"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),getParamValue(ff2.getFieldName())));
}
//debugLogger.debug("SQL Modified after replacing formfield" + sql);
try {
@@ -223,21 +225,21 @@ public class ReportParamValuesForPDFExcel extends Hashtable {
//debugLogger.debug("B4 request " + sql);
if(request != null ) {
for (int i = 0; i < scheduleSessionParameters.length; i++) {
- sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) ));
}
for (int i = 0; i < reqParameters.length; i++) {
if(!reqParameters[i].startsWith("ff")) {
if (request.getParameter(reqParameters[i])!=null) {
sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", request.getParameter(reqParameters[i]) );
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
else {
sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", request.getParameter(reqParameters[i].toUpperCase()) );
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));
}
}
else
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) );
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));
}
}
//debugLogger.debug("After request " + sql);
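Review bot: Lines 460 and 465 still substitute the raw request.getParameter(...) result for the mixed-case `"[" + reqParameters[i]+"]"` placeholder; only the uppercase placeholder on the line after each received the encodeForSQL() wrapper, so a report whose SQL uses the original-case placeholder is still built from the unescaped parameter. Both lines should change in step with their uppercase twins: `sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) ));` and `sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) ));`. The enclosing method starts before this hunk and continues after it.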
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java
index f9d58fee..03c8214d 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java
@@ -85,6 +85,8 @@ import org.onap.portalsdk.analytics.xmlobj.DataColumnType;
import org.onap.portalsdk.analytics.xmlobj.FormFieldType;
import org.onap.portalsdk.analytics.xmlobj.ObjectFactory;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -2455,7 +2457,7 @@ public class ReportRuntime extends ReportWrapper implements Cloneable, Serializa
if (param.charAt(startIdx + 1) == '#') {
// Parameter is a form field value
String fieldId = param.substring(startIdx + 2, endIdx);
- String fieldValue = request.getParameter(fieldId);
+ String fieldValue = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(fieldId));
sql = Utils.replaceInString(sql, "[" + fieldId.toUpperCase()+"]", fieldValue );
}
}
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java
index 96bc609f..55735090 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java
@@ -47,6 +47,8 @@ import javax.servlet.http.HttpServletRequest;
import org.onap.portalsdk.analytics.error.RaptorException;
import org.onap.portalsdk.analytics.util.AppConstants;
import org.onap.portalsdk.analytics.util.HtmlStripper;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
+import org.owasp.esapi.ESAPI;
public class AppUtils /* implements IAppUtils */{
private static String baseURL = null;
@@ -69,7 +71,7 @@ public class AppUtils /* implements IAppUtils */{
public static String getRequestValue(HttpServletRequest request, String valueID) {
String value = (String) request.getAttribute(valueID);
if (value == null)
- value = request.getParameter(valueID);
+ value = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(valueID));
return value;
} // getRequestValue
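Review bot: getRequestValue is a general-purpose accessor, and the new line SQL-escapes only the parameter branch while the attribute branch on line 510 returns its value untouched, so callers now receive differently encoded strings for the same valueID depending on which source supplied it, and callers that use the value for display, comparison or file naming rather than SQL get quote-escaped text. Escaping belongs at the SQL sink, where the codec and the quoting context are known; if the change is kept here it should at least be documented on the method, for example `@return the request attribute unchanged, or the request parameter passed through encodeForSQL() with the configured codec`. The default ESAPI encoder passes a null input through, so the null return for a missing value is presumably unchanged, but that is worth confirming since the javadoc would need to say so.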
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java
index 1d1fdd84..b6c985a5 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java
@@ -58,6 +58,7 @@ import javax.servlet.http.HttpServletResponse;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.service.DataAccessService;
+import org.owasp.esapi.ESAPI;
import org.springframework.web.servlet.ModelAndView;;
@@ -175,7 +176,7 @@ public class FileServletController {
response.setContentLength((int) outStream.length);
response.setContentType("application/octet-stream");
response.setHeader("Content-disposition", "attachment; filename=\""
- + name + "\"");
+ + ESAPI.encoder().canonicalize(name) + "\"");
copyStream(response, outStream);
} catch (Exception ex) {
if (os == null)
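Review bot: ESAPI.encoder().canonicalize(name) decodes a value to its simplest form; it is not a sanitizer, so a name containing a double quote, a CR/LF pair or a path separator still reaches the Content-disposition header built on line 528 unchanged, and with ESAPI's default properties a multiply-encoded input makes canonicalize() throw an IntrusionException that the `catch (Exception ex)` on line 532 absorbs into the generic error path. The filename portion of the header needs an allowlist rather than a decode step, for example `String safeName = name.replaceAll("[^A-Za-z0-9._-]", "_");` computed before the header is set and used in place of the canonicalize() call. The try block begins before this hunk and the catch body continues after it.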
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
index 8165801c..8478c73c 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
@@ -105,7 +105,9 @@ import org.onap.portalsdk.analytics.xmlobj.PredefinedValueList;
import org.onap.portalsdk.core.controller.RestrictedBaseController;
import org.onap.portalsdk.core.domain.User;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
import org.onap.portalsdk.core.web.support.UserUtils;
+import org.owasp.esapi.ESAPI;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
@@ -1415,10 +1417,10 @@ public class RaptorControllerAsync extends RestrictedBaseController {
for (int i = 0; i < reqParameters.length; i++) {
if (!reqParameters[i].startsWith("ff"))
sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]",
- request.getParameter(reqParameters[i].toUpperCase()));
+ ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase())));
else
- sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]",
- request.getParameter(reqParameters[i]));
+ sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]",
+ ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i])));
}
}
if (session != null) {