From: Sunder Tattavarada <statta@research.att.com>
Date: Mon, 8 Jul 2019 19:26:49 +0000 (+0000)
Subject: Merge "Fix sql injection vulnerability"
X-Git-Tag: 3.2.0~263
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=3f56b9fdb4d2ec891344d6c9048363e1cac587d2;hp=0f32f237134aa2c455f30ad0d3ecb6ddfcea4d21

Merge "Fix sql injection vulnerability"
---

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 656cf9ea..1d9ed57e 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -587,8 +587,9 @@ public class UserRolesCommonServiceImpl  {
 									"syncAppRoles: There is exactly 1 menu item for this role, so emptying the url");
 							@SuppressWarnings("unchecked")
 							List<FunctionalMenuItem> funcMenuItems = localSession
-									.createQuery(
-											"from " + FunctionalMenuItem.class.getName() + " where menuId=" + menuId)
+									.createQuery("from :name where menuId=:menuId")
+									.setParameter("name",FunctionalMenuItem.class.getName())
+									.setParameter("menuId",menuId)
 									.list();
 							if (funcMenuItems.size() > 0) {
 								logger.debug(EELFLoggerDelegate.debugLogger, "got the menu item");
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index 9b5058d3..fb6c325c 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -473,8 +473,10 @@ public class UserRolesCommonServiceImplTest {
 		Mockito.when(epFunctionalMenuQuery2.setParameter("menuId",10l)).thenReturn(epFunctionalMenuQuery2);
 		Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery2).list();
 
-		Mockito.when(session.createQuery("from " + FunctionalMenuItem.class.getName() + " where menuId=" + 10l))
+		Mockito.when(session.createQuery("from :name where menuId=:menuId"))
 				.thenReturn(epFunctionalMenuItemQuery);
+		Mockito.when(epFunctionalMenuItemQuery.setParameter("name",FunctionalMenuItem.class.getName())).thenReturn(epFunctionalMenuItemQuery);
+		Mockito.when(epFunctionalMenuItemQuery.setParameter("menuId",10l)).thenReturn(epFunctionalMenuItemQuery);
 		Mockito.doReturn(mockFunctionalMenuItemList).when(epFunctionalMenuItemQuery).list();
 		List<EcompRole> mockEcompRoleList2 = new ArrayList<>();
 		EcompRole mockUserAppRoles = new EcompRole();