Fix sql injection vulnerability

Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: Ia75da49ed582836a47b5fdcddab62fbe02e36e72

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761c..a26c6ef 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -564,8 +564,9 @@ public class UserRolesCommonServiceImpl  {
                                                                        "syncAppRoles: There is exactly 1 menu item for this role, so emptying the url");
                                                        @SuppressWarnings("unchecked")
                                                        List<FunctionalMenuItem> funcMenuItems = localSession
-                                                                       .createQuery(
-                                                                                       "from " + FunctionalMenuItem.class.getName() + " where menuId=" + menuId)
+                                                                       .createQuery("from :name where menuId=:menuId")
+                                                                       .setParameter("name",FunctionalMenuItem.class.getName())
+                                                                       .setParameter("menuId",menuId)
                                                                        .list();
                                                        if (funcMenuItems.size() > 0) {
                                                                logger.debug(EELFLoggerDelegate.debugLogger, "got the menu item");

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index c907a6e..1029650 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -440,8 +440,10 @@ public class UserRolesCommonServiceImplTest {
                                .thenReturn(epFunctionalMenuQuery2);
                Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery2).list();
 
-               Mockito.when(session.createQuery("from " + FunctionalMenuItem.class.getName() + " where menuId=" + 10l))
+               Mockito.when(session.createQuery("from :name where menuId=:menuId"))
                                .thenReturn(epFunctionalMenuItemQuery);
+               Mockito.when(epFunctionalMenuItemQuery.setParameter("name",FunctionalMenuItem.class.getName())).thenReturn(epFunctionalMenuItemQuery);
+               Mockito.when(epFunctionalMenuItemQuery.setParameter("menuId",10l)).thenReturn(epFunctionalMenuItemQuery);
                Mockito.doReturn(mockFunctionalMenuItemList).when(epFunctionalMenuItemQuery).list();
                List<EcompRole> mockEcompRoleList2 = new ArrayList<>();
                EcompRole mockUserAppRoles = new EcompRole();