Fix sql injection vulnerability 24/90424/1
authorDominik Orliński <d.orlinski@samsung.com>
Mon, 17 Jun 2019 09:53:22 +0000 (11:53 +0200)
committerDominik Orliński <d.orlinski@samsung.com>
Tue, 25 Jun 2019 09:31:08 +0000 (11:31 +0200)
Use a variable binding instead of concatenation.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I8d72c819004f05fbbf464cde73b405f2028c7bb6

ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java

index 5d9761c..14f3972 100644 (file)
@@ -271,7 +271,10 @@ public class UserRolesCommonServiceImpl  {
                        transaction = localSession.beginTransaction();
                        @SuppressWarnings("unchecked")
                        List<EPUser> userList = localSession
-                                       .createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+                                       .createQuery("from :name where orgUserId=:userId")
+                                       .setParameter("name",EPUser.class.getName())
+                                       .setParameter("userId",userId)
+                                       .list();
                        if (userList.size() > 0) {
                                EPUser client = userList.get(0);
                                roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
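Review bot: `from :name` on the new createQuery line is not valid HQL — named parameters bind values, never entity or table identifiers — so I would expect the HQL parser to reject this query (QuerySyntaxException or similar) before the `userId` binding is ever reached, turning a working lookup into a runtime failure. The entity name comes from `EPUser.class.getName()`, a compile-time constant rather than request input, so leaving it in the string is not an injection risk; only `userId` needs to be bound: `.createQuery("from " + EPUser.class.getName() + " where orgUserId=:userId")` followed by `.setParameter("userId", userId)` and `.list()`. The enclosing method starts and ends outside the hunk, so the surrounding transaction and session handling could not be checked here.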