Merge "Fix sql injection vulnerability"

[portal.git] / ecomp-portal-BE-common / src / main / java / org / onap / portalapp / portal / service / UserRolesCommonServiceImpl.java

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index a440c31..a216564 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -283,7 +283,10 @@ public class UserRolesCommonServiceImpl  {
                        transaction = localSession.beginTransaction();
                        @SuppressWarnings("unchecked")
                        List<EPUser> userList = localSession
-                                       .createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+                                       .createQuery("from :name where orgUserId=:userId")
+                                       .setParameter("name",EPUser.class.getName())
+                                       .setParameter("userId",userId)
+                                       .list();
                        if (userList.size() > 0) {
                                EPUser client = userList.get(0);
                                roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
@@ -335,7 +338,10 @@ public class UserRolesCommonServiceImpl  {
                                        } else { // remote app
                                                @SuppressWarnings("unchecked")
                                                List<EPRole> roles = localSession
-                                                               .createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+                                                               .createQuery("from :name where appId=:appId")
+                                                               .setParameter("name",EPRole.class.getName())
+                                                               .setParameter("appId",appId)
+                                                               .list();
                                                for (EPRole role : roles) {
                                                        if (!extRequestValue && app.getCentralAuth()) {
                                                                rolesMap.put(role.getId(), role);
@@ -557,7 +563,9 @@ public class UserRolesCommonServiceImpl  {
                                        // Delete from fn_menu_functional_roles
                                        @SuppressWarnings("unchecked")
                                        List<FunctionalMenuRole> funcMenuRoles = localSession
-                                                       .createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + roleId)
+                                                       .createQuery("from :name where roleId=:roleId")
+                                                       .setParameter("name",FunctionalMenuRole.class.getName())
+                                                       .setParameter("roleId",roleId)
                                                        .list();
                                        int numMenuRoles = funcMenuRoles.size();
                                        logger.debug(EELFLoggerDelegate.debugLogger,
@@ -569,7 +577,9 @@ public class UserRolesCommonServiceImpl  {
                                                // so must null out the url too, to be consistent
                                                @SuppressWarnings("unchecked")
                                                List<FunctionalMenuRole> funcMenuRoles2 = localSession
-                                                               .createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + menuId)
+                                                               .createQuery("from :name where menuId=:menuId")
+                                                               .setParameter("name",FunctionalMenuRole.class.getName())
+                                                               .setParameter("menuId",menuId)
                                                                .list();
                                                int numMenuRoles2 = funcMenuRoles2.size();
                                                logger.debug(EELFLoggerDelegate.debugLogger,
@@ -583,8 +593,9 @@ public class UserRolesCommonServiceImpl  {
                                                                        "syncAppRoles: There is exactly 1 menu item for this role, so emptying the url");
                                                        @SuppressWarnings("unchecked")
                                                        List<FunctionalMenuItem> funcMenuItems = localSession
-                                                                       .createQuery(
-                                                                                       "from " + FunctionalMenuItem.class.getName() + " where menuId=" + menuId)
+                                                                       .createQuery("from :name where menuId=:menuId")
+                                                                       .setParameter("name",FunctionalMenuItem.class.getName())
+                                                                       .setParameter("menuId",menuId)
                                                                        .list();
                                                        if (funcMenuItems.size() > 0) {
                                                                logger.debug(EELFLoggerDelegate.debugLogger, "got the menu item");