From bc81456aaed10ee5dfd3e5c031a7607d11be3e5b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Dominik=20Orli=C5=84ski?= <d.orlinski@samsung.com>
Date: Mon, 17 Jun 2019 11:53:27 +0200
Subject: [PATCH] Fix sql injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Use a variable binding instead of concatenation.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: Ia655ccf79800c132b3ac466016b8fdfd9f9c27bd
---
 .../onap/portalapp/portal/service/UserRolesCommonServiceImpl.java    | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..5e6f1d9a 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -323,7 +323,10 @@ public class UserRolesCommonServiceImpl  {
 					} else { // remote app
 						@SuppressWarnings("unchecked")
 						List<EPRole> roles = localSession
-								.createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+								.createQuery("from :name where appId=:appId")
+								.setParameter("name",EPRole.class.getName())
+								.setParameter("appId",appId)
+								.list();
 						for (EPRole role : roles) {
 							if (!extRequestValue && app.getCentralAuth()) {
 								rolesMap.put(role.getId(), role);
-- 
2.16.6