Fix sql injection vulnerability 93/89993/1
authorDominik Orliński <d.orlinski@samsung.com>
Tue, 30 Apr 2019 09:46:19 +0000 (11:46 +0200)
committerDominik Orliński <d.orlinski@samsung.com>
Mon, 17 Jun 2019 09:46:06 +0000 (11:46 +0200)
Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: I45895dc7665ff17394e602cbccf875e4e91b5ce1

ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java

index 5d9761c..17996ef 100644 (file)
@@ -523,7 +523,10 @@ public class UserRolesCommonServiceImpl  {
                                        // Delete from fn_user_role
                                        @SuppressWarnings("unchecked")
                                        List<EPUserApp> userRoles = localSession.createQuery(
-                                                       "from " + EPUserApp.class.getName() + " where app.id=" + appId + " and role_id=" + roleId)
+                                                       "from :name where app.id=:appId and role_id=:roleId")
+                                                       .setParameter("name",EPUserApp.class.getName())
+                                                       .setParameter("appId",appId)
+                                                       .setParameter("roleId",roleId)
                                                        .list();
 
                                        logger.debug(EELFLoggerDelegate.debugLogger, "syncAppRoles: number of userRoles to delete: " + userRoles.size());
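Review bot: The entity name is bound as a query parameter on the new `"from :name where app.id=:appId and role_id=:roleId"` line, but HQL only accepts named parameters in value positions, not in the `from` clause, so as far as I can tell Hibernate will reject this query at parse time and the delete path that follows will never run. The entity name is not user input here (it comes from `EPUserApp.class.getName()`), so it can stay concatenated while only the two values are bound: `"from " + EPUserApp.class.getName() + " where app.id=:appId and role_id=:roleId")` followed by `.setParameter("appId", appId)` and `.setParameter("roleId", roleId)`, dropping the `"name"` binding. The enclosing method of UserRolesCommonServiceImpl starts and ends outside this hunk, so I cannot see the declared types of `appId` and `roleId`; they should match the mapped property types so the bound values compare correctly.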
index c907a6e..bb6f167 100644 (file)
@@ -427,9 +427,11 @@ public class UserRolesCommonServiceImplTest {
                Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId()))
                                .thenReturn(epRoleQuery);
                Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list();
-               Mockito.when(session.createQuery(
-                               "from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l))
+               Mockito.when(session.createQuery("from :name where app.id=:appId and role_id=:roleId"))
                                .thenReturn(epUserAppsQuery);
+               Mockito.when(epUserAppsQuery.setParameter("name",EPUserApp.class.getName())).thenReturn(epUserAppsQuery);
+               Mockito.when(epUserAppsQuery.setParameter("appId",mockApp.getId())).thenReturn(epUserAppsQuery);
+               Mockito.when(epUserAppsQuery.setParameter("roleId",15l)).thenReturn(epUserAppsQuery);
                Mockito.doReturn(mockUserRolesList).when(epUserAppsQuery).list();
 
                Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + 15l))
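Review bot: The new stubs for `session.createQuery("from :name where app.id=:appId and role_id=:roleId")` and the three `setParameter` calls mirror the production string verbatim against a mocked Session, so the test only checks that the same string was typed in both places; it cannot detect that the HQL itself is unparseable, which is the risk introduced in UserRolesCommonServiceImpl. Running this query once against a real SessionFactory (for example an in-memory database in an integration test) would catch that, and a `Mockito.verify(epUserAppsQuery).setParameter("appId", mockApp.getId());` after the call under test would at least confirm the binding happened rather than relying on the stub being consumed. As a point of style, the new `15l` literal should be written `15L` so it is not misread as `151`; the existing context line has the same spelling.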