Fix sql injection vulnerability 26/90426/1
authorDominik Orliński <d.orlinski@samsung.com>
Mon, 17 Jun 2019 09:53:27 +0000 (11:53 +0200)
committerDominik Orliński <d.orlinski@samsung.com>
Tue, 25 Jun 2019 09:32:04 +0000 (11:32 +0200)
Use query parameter binding instead of string concatenation when building the HQL query.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: Ia655ccf79800c132b3ac466016b8fdfd9f9c27bd

ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java

index 5d9761c..5e6f1d9 100644 (file)
@@ -323,7 +323,10 @@ public class UserRolesCommonServiceImpl  {
                                        } else { // remote app
                                                @SuppressWarnings("unchecked")
                                                List<EPRole> roles = localSession
-                                                               .createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+                                                               .createQuery("from :name where appId=:appId")
+                                                               .setParameter("name",EPRole.class.getName())
+                                                               .setParameter("appId",appId)
+                                                               .list();
                                                for (EPRole role : roles) {
                                                        if (!extRequestValue && app.getCentralAuth()) {
                                                                rolesMap.put(role.getId(), role);
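Review bot: The entity name cannot be supplied as a named parameter in HQL: on the new line `.createQuery("from :name where appId=:appId")`, `:name` sits in the entity (FROM) position, and Hibernate substitutes parameters only in value positions, so this query is expected to fail with a query syntax error at parse time instead of returning the roles the loop below iterates over. `EPRole.class.getName()` is a compile-time constant under the application's control, not attacker-influenced input, so concatenating it is not an injection vector; only `appId` needs binding. Suggested: `.createQuery("from " + EPRole.class.getName() + " where appId=:appId")` followed by `.setParameter("appId", appId)`, with the `setParameter("name", ...)` call removed. The enclosing method starts and ends outside this hunk, and the declared type of `appId` (which determines whether the original concatenation was actually exploitable) is not visible here.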