From 5247fe86ad346208a78b1bdd7565041018e56d57 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Dominik=20Orli=C5=84ski?=
Date: Mon, 17 Jun 2019 11:53:35 +0200
Subject: [PATCH] Fix sql injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Use a variable binding instead of concatenation.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński
Change-Id: I0574e882e4d500408b6a6bab8986822669cba5d4
---
 .../widget/service/impl/WidgetCatalogServiceImpl.java | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
index b99863eb..59180d37 100644
--- a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
+++ b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
@@ -244,16 +244,15 @@ public class WidgetCatalogServiceImpl implements WidgetCatalogService {
 logger.debug("WidgetCatalogServiceImpl.getWidgetCatalog: result={}", widgets);
 return widgets;
 }
-
-
-
-
-
+
 private void updateAppId(long widgetId, Set roles){
 Session session = sessionFactory.openSession();
 for(RoleApp role: roles){
-String sql = "UPDATE ep_widget_catalog_role SET app_id = " + role.getApp().getAppId() + " WHERE widget_id = " + widgetId + " AND ROLE_ID = " + role.getRoleId() ;
+String sql = "UPDATE ep_widget_catalog_role SET app_id = :appId WHERE widget_id = :widgetId AND ROLE_ID = :roleId" ;
 Query query = session.createSQLQuery(sql);
+query.setParameter("appId", role.getApp().getAppId());
+query.setParameter("widgetId", widgetId);
+query.setParameter("roleId", role.getRoleId());
 query.executeUpdate();
 }
 session.flush();
-- 
2.16.6
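Review bot: The session opened at `Session session = sessionFactory.openSession();` has no close or transaction boundary visible in the hunk, so if `query.executeUpdate()` throws for one role the loop aborts with the session still open unless the part of `updateAppId` outside the hunk wraps it in try/finally; since the method body continues past the end of the hunk this is inferred, not shown. If the project's Hibernate version declares `Session` as `Closeable`, `try (Session session = sessionFactory.openSession()) { … }` releases it on both the success and the failure path. The switch to named parameters is the right fix for the injection, but the bound value `role.getApp().getAppId()` still dereferences `getApp()` unguarded, so a role without an app fails with an NPE after earlier roles in the set were already updated; `Objects.requireNonNull(role.getApp(), "role.app")` before `createSQLQuery` would make that precondition explicit. A brief Javadoc on `updateAppId` stating that it rewrites `ep_widget_catalog_role.app_id` for every role of the given widget and that callers own the transaction would also help the next reader.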