From 55d9f1b146a9c421bed9d2613cefcfcb41ab3037 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Dominik=20Orli=C5=84ski?= Date: Mon, 17 Jun 2019 11:53:25 +0200 Subject: [PATCH] Fix sql injection vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Use a variable binding instead of concatenation. Issue-ID: OJSI-174 Signed-off-by: Dominik Orliński Change-Id: I9dcec677ee9edd0d274a486af37eb950d8e828cf --- .../onap/portalapp/portal/service/UserRolesCommonServiceImpl.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java index 5d9761ce..29817214 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java @@ -276,8 +276,12 @@ public class UserRolesCommonServiceImpl { EPUser client = userList.get(0); roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'"; @SuppressWarnings("unchecked") - List userRoles = localSession.createQuery("from " + EPUserApp.class.getName() - + " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list(); + List userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId") + .setParameter("name",EPUserApp.class.getName()) + .setParameter("appId",appId) + .setParameter("roleActive",roleActive) + .setParameter("userId",client.getId()) + .list(); if ("DELETE".equals(reqType)) { for (EPUserApp userAppRoleList : userRoles) { -- 2.16.6