DMAAP-DR SQL Injection fix

Change-Id: Ie85bbb46455d79f9e6eb23bc32253ea355a8e3b2
Signed-off-by: david.mcweeney <david.mcweeney@est.tech>
Issue-ID: DMAAP-1623

diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
index c564db8..8a82c5c 100755 (executable)
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
@@ -79,6 +79,8 @@ public class StatisticsServlet extends BaseServlet {
     private static final String SQL_JOIN_RECORDS = " e JOIN LOG_RECORDS m ON m.PUBLISH_ID = e.PUBLISH_ID AND e.FEEDID IN (";\r
     private static final String SQL_STATUS_204 = " AND m.STATUS=204 AND e.RESULT=204 ";\r
     private static final String SQL_GROUP_SUB_ID = " group by SUBID";\r
+    private static final String JSON_OUTPUT_TYPE = "json";\r
+    private static final String CSV_OUTPUT_TYPE = "csv";\r
 \r
 \r
     /**\r
@@ -109,7 +111,7 @@ public class StatisticsServlet extends BaseServlet {
         // check Accept: header??\r
         resp.setStatus(HttpServletResponse.SC_OK);\r
         resp.setContentType(LOGLIST_CONTENT_TYPE);\r
-        String outputType = "json";\r
+        String outputType = JSON_OUTPUT_TYPE;\r
         if (req.getParameter(FEEDID) == null && req.getParameter(GROUPID) == null) {\r
             try {\r
                 resp.getOutputStream().print("Invalid request, Feedid or Group ID is required.");\r
@@ -153,8 +155,12 @@ public class StatisticsServlet extends BaseServlet {
         if (req.getParameter("type") != null) {\r
             map.put(EVENT_TYPE, req.getParameter("type").replace("|", ","));\r
         }\r
-        if (req.getParameter(OUTPUT_TYPE) != null) {\r
-            map.put(OUTPUT_TYPE, req.getParameter(OUTPUT_TYPE));\r
+        if (req.getParameter(OUTPUT_TYPE) != null && req.getParameter(OUTPUT_TYPE).equals(CSV_OUTPUT_TYPE)) {\r
+            map.put(OUTPUT_TYPE, req.getParameter(CSV_OUTPUT_TYPE));\r
+            outputType = CSV_OUTPUT_TYPE;\r
+        }\r
+        if (req.getParameter(OUTPUT_TYPE) != null && req.getParameter(OUTPUT_TYPE).equals(JSON_OUTPUT_TYPE)) {\r
+            map.put(OUTPUT_TYPE, req.getParameter(JSON_OUTPUT_TYPE));\r
         }\r
         if (req.getParameter(START_TIME) != null) {\r
             map.put(START_TIME, req.getParameter(START_TIME));\r
@@ -166,9 +172,6 @@ public class StatisticsServlet extends BaseServlet {
             map.put(START_TIME, req.getParameter("time"));\r
             map.put(END_TIME, null);\r
         }\r
-        if (req.getParameter(OUTPUT_TYPE) != null) {\r
-            outputType = req.getParameter(OUTPUT_TYPE);\r
-        }\r
         try {\r
             this.getRecordsForSQL(map, outputType, resp.getOutputStream(), resp);\r
         } catch (IOException ioe) {\r
@@ -511,7 +514,7 @@ public class StatisticsServlet extends BaseServlet {
             try (Connection conn = ProvDbUtils.getInstance().getConnection();\r
                 PreparedStatement ps = conn.prepareStatement(filterQuery);\r
                 ResultSet rs = ps.executeQuery()) {\r
-                if ("csv".equals(outputType)) {\r
+                if (CSV_OUTPUT_TYPE.equals(outputType)) {\r
                     resp.setContentType("application/octet-stream");\r
                     DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd-MM-yyyy HH:mm:ss");\r
                     resp.setHeader("Content-Disposition",\r