Merge "Fix sql injection vulnerability"
authorSunder Tattavarada <statta@research.att.com>
Mon, 8 Jul 2019 19:27:46 +0000 (19:27 +0000)
committerGerrit Code Review <gerrit@onap.org>
Mon, 8 Jul 2019 19:27:46 +0000 (19:27 +0000)
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java

index 1d9ed57..bc0fd06 100644 (file)
@@ -283,7 +283,10 @@ public class UserRolesCommonServiceImpl  {
                        transaction = localSession.beginTransaction();
                        @SuppressWarnings("unchecked")
                        List<EPUser> userList = localSession
-                                       .createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+                                       .createQuery("from :name where orgUserId=:userId")
+                                       .setParameter("name",EPUser.class.getName())
+                                       .setParameter("userId",userId)
+                                       .list();
                        if (userList.size() > 0) {
                                EPUser client = userList.get(0);
                                roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
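Review bot: The rewritten query binds a named parameter in the entity position (`from :name`), and HQL only accepts bind parameters in value positions, so as far as I can tell this query will fail to parse at runtime instead of closing the injection, breaking every caller that reaches this lookup. The entity name comes from `EPUser.class.getName()`, a compile-time constant rather than user input, so concatenating it is not the injection vector; only `userId` needs binding. I would change the three new lines to `.createQuery("from " + EPUser.class.getName() + " where orgUserId=:userId")` followed by `.setParameter("userId", userId)` and drop the `setParameter("name", ...)` call. Note also that `roleActive` on the last context line is still a string fragment destined for concatenation into HQL; it is a fixed literal here, but the enclosing method continues past the hunk, so the query it feeds into should be checked for other concatenated inputs.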