From: Dominik Orliński Date: Mon, 17 Jun 2019 09:53:25 +0000 (+0200) Subject: Fix sql injection vulnerability X-Git-Tag: 3.2.0~260^2 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=55d9f1b146a9c421bed9d2613cefcfcb41ab3037 Fix sql injection vulnerability Use a variable binding instead of concatenation. Issue-ID: OJSI-174 Signed-off-by: Dominik Orliński Change-Id: I9dcec677ee9edd0d274a486af37eb950d8e828cf --- diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java index 5d9761ce..29817214 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java @@ -276,8 +276,12 @@ public class UserRolesCommonServiceImpl { EPUser client = userList.get(0); roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'"; @SuppressWarnings("unchecked") - List userRoles = localSession.createQuery("from " + EPUserApp.class.getName() - + " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list(); + List userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId") + .setParameter("name",EPUserApp.class.getName()) + .setParameter("appId",appId) + .setParameter("roleActive",roleActive) + .setParameter("userId",client.getId()) + .list(); if ("DELETE".equals(reqType)) { for (EPUserApp userAppRoleList : userRoles) {