Code Review / portal.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw (from parent 1: 9c75bfe)
Merge "Fix sql injection vulnerability"
authorSunder Tattavarada <statta@research.att.com>
Mon, 8 Jul 2019 19:28:28 +0000 (19:28 +0000)
committerGerrit Code Review <gerrit@onap.org>
Mon, 8 Jul 2019 19:28:28 +0000 (19:28 +0000)
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java patch | blob | history

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index a216564..b41dcd7 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -291,8 +291,12 @@ public class UserRolesCommonServiceImpl  {
                                EPUser client = userList.get(0);
                                roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
                                @SuppressWarnings("unchecked")
-                               List<EPUserApp> userRoles = localSession.createQuery("from " + EPUserApp.class.getName()
-                                               + " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list();
+                               List<EPUserApp> userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId")
+                                               .setParameter("name",EPUserApp.class.getName())
+                                               .setParameter("appId",appId)
+                                               .setParameter("roleActive",roleActive)
+                                               .setParameter("userId",client.getId())
+                                               .list();
                                
                                if ("DELETE".equals(reqType)) {
                                        for (EPUserApp userAppRoleList : userRoles) {
ARCHIVED- 2022-02-15 at the request of the project