Merge "Fix sql injection vulnerability"

author Sunder Tattavarada <statta@research.att.com>

Tue, 18 Jun 2019 16:04:36 +0000 (16:04 +0000)

committer Gerrit Code Review <gerrit@onap.org>

Tue, 18 Jun 2019 16:04:36 +0000 (16:04 +0000)
author Sunder Tattavarada <statta@research.att.com>
Tue, 18 Jun 2019 16:04:36 +0000 (16:04 +0000)
committer Gerrit Code Review <gerrit@onap.org>
Tue, 18 Jun 2019 16:04:36 +0000 (16:04 +0000)
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java

index a440c31..656cf9e 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -557,7 +557,9 @@ public class UserRolesCommonServiceImpl  {
                                         // Delete from fn_menu_functional_roles
                                         @SuppressWarnings("unchecked")
                                         List<FunctionalMenuRole> funcMenuRoles = localSession
-                                                       .createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + roleId)
+                                                       .createQuery("from :name where roleId=:roleId")
+                                                       .setParameter("name",FunctionalMenuRole.class.getName())
+                                                       .setParameter("roleId",roleId)
                                                         .list();
                                         int numMenuRoles = funcMenuRoles.size();
                                         logger.debug(EELFLoggerDelegate.debugLogger,
@@ -569,7 +571,9 @@ public class UserRolesCommonServiceImpl  {
                                                 // so must null out the url too, to be consistent
                                                 @SuppressWarnings("unchecked")
                                                 List<FunctionalMenuRole> funcMenuRoles2 = localSession
-                                                               .createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + menuId)
+                                                               .createQuery("from :name where menuId=:menuId")
+                                                               .setParameter("name",FunctionalMenuRole.class.getName())
+                                                               .setParameter("menuId",menuId)
                                                                 .list();
                                                 int numMenuRoles2 = funcMenuRoles2.size();
                                                 logger.debug(EELFLoggerDelegate.debugLogger,
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java

index 680d766..9b5058d 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -461,12 +461,16 @@ public class UserRolesCommonServiceImplTest {
                 Mockito.when(epUserAppsQuery.setParameter("roleId",15l)).thenReturn(epUserAppsQuery);
                 Mockito.doReturn(mockUserRolesList).when(epUserAppsQuery).list();
  
-               Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + 15l))
+               Mockito.when(session.createQuery("from :name where roleId=:roleId"))
                                 .thenReturn(epFunctionalMenuQuery);
+               Mockito.when(epFunctionalMenuQuery.setParameter("name",FunctionalMenuRole.class.getName())).thenReturn(epFunctionalMenuQuery);
+               Mockito.when(epFunctionalMenuQuery.setParameter("roleId",15l)).thenReturn(epFunctionalMenuQuery);
                 Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery).list();
  
-               Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + 10l))
+               Mockito.when(session.createQuery("from :name where menuId=:menuId"))
                                 .thenReturn(epFunctionalMenuQuery2);
+               Mockito.when(epFunctionalMenuQuery2.setParameter("name",FunctionalMenuRole.class.getName())).thenReturn(epFunctionalMenuQuery2);
+               Mockito.when(epFunctionalMenuQuery2.setParameter("menuId",10l)).thenReturn(epFunctionalMenuQuery2);
                 Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery2).list();
  
                 Mockito.when(session.createQuery("from " + FunctionalMenuItem.class.getName() + " where menuId=" + 10l))
author	Sunder Tattavarada <statta@research.att.com>
	Tue, 18 Jun 2019 16:04:36 +0000 (16:04 +0000)
committer	Gerrit Code Review <gerrit@onap.org>
	Tue, 18 Jun 2019 16:04:36 +0000 (16:04 +0000)
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java		patch \| blob \| history
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java		patch \| blob \| history