Fix sql injection vulnerability

Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I5cb7561e4b2b781834bd4f2ec36dee58b4738bf2

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761c..780a435 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -483,9 +483,13 @@ public class UserRolesCommonServiceImpl  {
                        transaction = localSession.beginTransaction();
                        // Attention! All roles from remote application supposed to be
                        // active!
+
                        @SuppressWarnings("unchecked")
-                       List<EPRole> currentAppRoles = localSession
-                                       .createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+                       List<EPRole> currentAppRoles = localSession.createQuery("from :name where appId = :appId")
+                                       .setParameter("name",EPRole.class.getName())
+                                       .setParameter("appId",appId)
+                                       .list();
+
                        List<EPRole> obsoleteRoles = new ArrayList<EPRole>();
                        for (int i = 0; i < currentAppRoles.size(); i++) {
                                EPRole oldAppRole = currentAppRoles.get(i);

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index c907a6e..87abdbb 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -424,8 +424,13 @@ public class UserRolesCommonServiceImplTest {
                Mockito.when(applicationsRestClientService.get(EcompRole[].class, mockApp.getId(), "/roles"))
                                .thenReturn(mockEcompRoleArray);
                // syncAppRolesTest
-               Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId()))
+
+               Mockito.when(session.createQuery("from :name where appId = :appId"))
                                .thenReturn(epRoleQuery);
+
+               Mockito.when(epRoleQuery.setParameter("name",EPRole.class.getName())).thenReturn(epRoleQuery);
+               Mockito.when(epRoleQuery.setParameter("appId",mockApp.getId())).thenReturn(epRoleQuery);
+
                Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list();
                Mockito.when(session.createQuery(
                                "from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l))