From: Sunder Tattavarada <statta@research.att.com>
Date: Tue, 18 Jun 2019 16:04:36 +0000 (+0000)
Subject: Merge "Fix sql injection vulnerability"
X-Git-Tag: 3.2.0~271
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=2a462c99939b19f972813b64c7a4d6e33b9aaa5a;hp=37ea104d5c99b4100381cc0e8e79be3feb98a0ec

Merge "Fix sql injection vulnerability"
---

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index a440c311..656cf9ea 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -557,7 +557,9 @@ public class UserRolesCommonServiceImpl  {
 					// Delete from fn_menu_functional_roles
 					@SuppressWarnings("unchecked")
 					List<FunctionalMenuRole> funcMenuRoles = localSession
-							.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + roleId)
+							.createQuery("from :name where roleId=:roleId")
+							.setParameter("name",FunctionalMenuRole.class.getName())
+							.setParameter("roleId",roleId)
 							.list();
 					int numMenuRoles = funcMenuRoles.size();
 					logger.debug(EELFLoggerDelegate.debugLogger,
@@ -569,7 +571,9 @@ public class UserRolesCommonServiceImpl  {
 						// so must null out the url too, to be consistent
 						@SuppressWarnings("unchecked")
 						List<FunctionalMenuRole> funcMenuRoles2 = localSession
-								.createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + menuId)
+								.createQuery("from :name where menuId=:menuId")
+								.setParameter("name",FunctionalMenuRole.class.getName())
+								.setParameter("menuId",menuId)
 								.list();
 						int numMenuRoles2 = funcMenuRoles2.size();
 						logger.debug(EELFLoggerDelegate.debugLogger,
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index 680d766d..9b5058d3 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -461,12 +461,16 @@ public class UserRolesCommonServiceImplTest {
 		Mockito.when(epUserAppsQuery.setParameter("roleId",15l)).thenReturn(epUserAppsQuery);
 		Mockito.doReturn(mockUserRolesList).when(epUserAppsQuery).list();
 
-		Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where roleId=" + 15l))
+		Mockito.when(session.createQuery("from :name where roleId=:roleId"))
 				.thenReturn(epFunctionalMenuQuery);
+		Mockito.when(epFunctionalMenuQuery.setParameter("name",FunctionalMenuRole.class.getName())).thenReturn(epFunctionalMenuQuery);
+		Mockito.when(epFunctionalMenuQuery.setParameter("roleId",15l)).thenReturn(epFunctionalMenuQuery);
 		Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery).list();
 
-		Mockito.when(session.createQuery("from " + FunctionalMenuRole.class.getName() + " where menuId=" + 10l))
+		Mockito.when(session.createQuery("from :name where menuId=:menuId"))
 				.thenReturn(epFunctionalMenuQuery2);
+		Mockito.when(epFunctionalMenuQuery2.setParameter("name",FunctionalMenuRole.class.getName())).thenReturn(epFunctionalMenuQuery2);
+		Mockito.when(epFunctionalMenuQuery2.setParameter("menuId",10l)).thenReturn(epFunctionalMenuQuery2);
 		Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery2).list();
 
 		Mockito.when(session.createQuery("from " + FunctionalMenuItem.class.getName() + " where menuId=" + 10l))