Merge "Fix sql injection vulnerability"

author Sunder Tattavarada <statta@research.att.com>

Tue, 18 Jun 2019 16:04:19 +0000 (16:04 +0000)

committer Gerrit Code Review <gerrit@onap.org>

Tue, 18 Jun 2019 16:04:19 +0000 (16:04 +0000)
author Sunder Tattavarada <statta@research.att.com>
Tue, 18 Jun 2019 16:04:19 +0000 (16:04 +0000)
committer Gerrit Code Review <gerrit@onap.org>
Tue, 18 Jun 2019 16:04:19 +0000 (16:04 +0000)
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java

index ae1670d..39aed6b 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -495,9 +495,13 @@ public class UserRolesCommonServiceImpl  {
                         transaction = localSession.beginTransaction();
                         // Attention! All roles from remote application supposed to be
                         // active!
+
                         @SuppressWarnings("unchecked")
-                       List<EPRole> currentAppRoles = localSession
-                                       .createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+                       List<EPRole> currentAppRoles = localSession.createQuery("from :name where appId = :appId")
+                                       .setParameter("name",EPRole.class.getName())
+                                       .setParameter("appId",appId)
+                                       .list();
+
                         List<EPRole> obsoleteRoles = new ArrayList<EPRole>();
                         for (int i = 0; i < currentAppRoles.size(); i++) {
                                 EPRole oldAppRole = currentAppRoles.get(i);
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java

index f58e90f..d3ac4b9 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -446,8 +446,13 @@ public class UserRolesCommonServiceImplTest {
                 Mockito.when(applicationsRestClientService.get(EcompRole[].class, mockApp.getId(), "/roles"))
                                 .thenReturn(mockEcompRoleArray);
                 // syncAppRolesTest
-               Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId()))
+
+               Mockito.when(session.createQuery("from :name where appId = :appId"))
                                 .thenReturn(epRoleQuery);
+
+               Mockito.when(epRoleQuery.setParameter("name",EPRole.class.getName())).thenReturn(epRoleQuery);
+               Mockito.when(epRoleQuery.setParameter("appId",mockApp.getId())).thenReturn(epRoleQuery);
+
                 Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list();
                 Mockito.when(session.createQuery(
                                 "from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l))
author	Sunder Tattavarada <statta@research.att.com>
	Tue, 18 Jun 2019 16:04:19 +0000 (16:04 +0000)
committer	Gerrit Code Review <gerrit@onap.org>
	Tue, 18 Jun 2019 16:04:19 +0000 (16:04 +0000)
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java		patch \| blob \| history
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java		patch \| blob \| history