Fix sql injection vulnerability 54/90154/1
authorDominik Orliński <d.orlinski@samsung.com>
Mon, 17 Jun 2019 09:53:35 +0000 (11:53 +0200)
committerDominik Orliński <d.orlinski@samsung.com>
Wed, 19 Jun 2019 11:49:30 +0000 (13:49 +0200)
Use a variable binding instead of concatenation.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I0574e882e4d500408b6a6bab8986822669cba5d4

ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java

index b99863e..59180d3 100644 (file)
@@ -244,16 +244,15 @@ public class WidgetCatalogServiceImpl implements WidgetCatalogService {
                logger.debug("WidgetCatalogServiceImpl.getWidgetCatalog: result={}", widgets);
                return widgets;
        }
-       
-       
-       
-       
-       
+
        private void updateAppId(long widgetId, Set<RoleApp> roles){
                Session session = sessionFactory.openSession();
                for(RoleApp role: roles){
-                       String sql = "UPDATE ep_widget_catalog_role SET app_id = " + role.getApp().getAppId() + " WHERE widget_id = " + widgetId + " AND ROLE_ID = " + role.getRoleId() ;
+                       String sql = "UPDATE ep_widget_catalog_role SET app_id = :appId WHERE widget_id = :widgetId AND ROLE_ID = :roleId" ;
                        Query query = session.createSQLQuery(sql);
+                       query.setParameter("appId", role.getApp().getAppId());
+                       query.setParameter("widgetId", widgetId);
+                       query.setParameter("roleId", role.getRoleId());
                        query.executeUpdate();
                }
                session.flush();
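Review bot: The `Session` opened on the `sessionFactory.openSession()` line is not guarded by a try/finally within the hunk, so if `session.createSQLQuery(sql)` or `query.executeUpdate()` throws, the session is never released; the body of `updateAppId` continues past the hunk, so the close may follow `session.flush()` but that would still skip on exception. Wrap the loop and the flush as `try { … } finally { session.close(); }` (or try-with-resources if the project's Hibernate version makes `Session` AutoCloseable). The parameter binding itself is the right fix for OJSI-174; a one-line comment on the `String sql = …` line such as `// bound parameters, never concatenated — keeps this native query injection-safe` would record why the statement must stay parameterized.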