Merge "XSS Vulnerability fix in PortalAdminController"
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 656cf9e..b41dcd7 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -283,13 +283,20 @@
 			transaction = localSession.beginTransaction();
 			@SuppressWarnings("unchecked")
 			List<EPUser> userList = localSession
-					.createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+					.createQuery("from :name where orgUserId=:userId")
+					.setParameter("name",EPUser.class.getName())
+					.setParameter("userId",userId)
+					.list();
 			if (userList.size() > 0) {
 				EPUser client = userList.get(0);
 				roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
 				@SuppressWarnings("unchecked")
-				List<EPUserApp> userRoles = localSession.createQuery("from " + EPUserApp.class.getName()
-						+ " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list();
+				List<EPUserApp> userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId")
+						.setParameter("name",EPUserApp.class.getName())
+						.setParameter("appId",appId)
+						.setParameter("roleActive",roleActive)
+						.setParameter("userId",client.getId())
+						.list();
 				
 				if ("DELETE".equals(reqType)) {
 					for (EPUserApp userAppRoleList : userRoles) {
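Review bot: The `from :name` placeholder on the new L11 and L21, and the bare `:roleActive` placeholder on L21, do not do what the commit intends: a bound parameter stands for a value, never for an entity name or a SQL fragment, so Hibernate's HQL parser does not accept a parameter where an entity name is expected, and `:roleActive` would be bound as a string literal sitting between two predicates. Only the caller-derived values (`userId`, `appId`, `client.getId()`) need binding; `EPUser.class.getName()` is a compile-time constant and `roleActive` is one of two hard-coded literals chosen on L17, so both can stay concatenated without reintroducing injection. The same pattern repeats in the two later hunks of this file. The enclosing method starts before this hunk.
```java
List<EPUser> userList = localSession
		.createQuery("from " + EPUser.class.getName() + " where orgUserId=:userId")
		.setParameter("userId", userId)
		.list();
// … unchanged: userList size check, client lookup, roleActive selection …
List<EPUserApp> userRoles = localSession
		.createQuery("from " + EPUserApp.class.getName()
				+ " where app.id=:appId" + roleActive + " and userId=:userId")
		.setParameter("appId", appId)
		.setParameter("userId", client.getId())
		.list();
```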
@@ -335,7 +342,10 @@
 					} else { // remote app
 						@SuppressWarnings("unchecked")
 						List<EPRole> roles = localSession
-								.createQuery("from " + EPRole.class.getName() + " where appId=" + appId).list();
+								.createQuery("from :name where appId=:appId")
+								.setParameter("name",EPRole.class.getName())
+								.setParameter("appId",appId)
+								.list();
 						for (EPRole role : roles) {
 							if (!extRequestValue && app.getCentralAuth()) {
 								rolesMap.put(role.getId(), role);
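Review bot: `from :name where appId=:appId` on L35 binds the entity name as a query parameter, which HQL does not allow — parameters substitute values, not identifiers — so this query fails at parse time instead of running. Keep the class name concatenated (it is a compile-time constant, not input) and bind only the id: `.createQuery("from " + EPRole.class.getName() + " where appId=:appId").setParameter("appId", appId).list();`. Whether the Java type of `appId` matches the mapped `appId` property for a typed bind cannot be seen here; the old string concatenation tolerated a mismatch that `setParameter` may not. The enclosing method and the start of this `else` branch lie outside the hunk.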
@@ -587,8 +597,9 @@
 									"syncAppRoles: There is exactly 1 menu item for this role, so emptying the url");
 							@SuppressWarnings("unchecked")
 							List<FunctionalMenuItem> funcMenuItems = localSession
-									.createQuery(
-											"from " + FunctionalMenuItem.class.getName() + " where menuId=" + menuId)
+									.createQuery("from :name where menuId=:menuId")
+									.setParameter("name",FunctionalMenuItem.class.getName())
+									.setParameter("menuId",menuId)
 									.list();
 							if (funcMenuItems.size() > 0) {
 								logger.debug(EELFLoggerDelegate.debugLogger, "got the menu item");
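Review bot: The entity-name parameter on L48–L49 (`from :name` bound via `setParameter("name", ...)`) is not valid HQL, so `syncAppRoles` will throw here at query creation rather than load the menu item; the `menuId` bind on L50 is the only parameter that should remain. Replace the three lines with `.createQuery("from " + FunctionalMenuItem.class.getName() + " where menuId=:menuId").setParameter("menuId", menuId)` — the class name is a constant, so concatenating it carries no injection risk, while `menuId` stays bound. The enclosing method starts well before this hunk.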
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
index 9b5058d..fb6c325 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
@@ -473,8 +473,10 @@
 		Mockito.when(epFunctionalMenuQuery2.setParameter("menuId",10l)).thenReturn(epFunctionalMenuQuery2);
 		Mockito.doReturn(mockFunctionalMenuRolesList).when(epFunctionalMenuQuery2).list();
 
-		Mockito.when(session.createQuery("from " + FunctionalMenuItem.class.getName() + " where menuId=" + 10l))
+		Mockito.when(session.createQuery("from :name where menuId=:menuId"))
 				.thenReturn(epFunctionalMenuItemQuery);
+		Mockito.when(epFunctionalMenuItemQuery.setParameter("name",FunctionalMenuItem.class.getName())).thenReturn(epFunctionalMenuItemQuery);
+		Mockito.when(epFunctionalMenuItemQuery.setParameter("menuId",10l)).thenReturn(epFunctionalMenuItemQuery);
 		Mockito.doReturn(mockFunctionalMenuItemList).when(epFunctionalMenuItemQuery).list();
 		List<EcompRole> mockEcompRoleList2 = new ArrayList<>();
 		EcompRole mockUserAppRoles = new EcompRole();
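Review bot: The stubs added on L63–L66 mock `session.createQuery` with the literal `"from :name where menuId=:menuId"`, so the test only checks that the service hands that exact string to a mock and never exercises Hibernate's HQL parser, which is where a parameterised entity name (`from :name`) would be rejected. A mock-based test therefore passes regardless of whether the query is valid; pair it with a test that runs the query against a real `SessionFactory` (e.g. an in-memory database), or at minimum stub the concatenated form `"from " + FunctionalMenuItem.class.getName() + " where menuId=:menuId"` once the service binds only `menuId`. The enclosing test method starts before and ends after this hunk.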
diff --git a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
index b99863e..59180d3 100644
--- a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
+++ b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
@@ -244,16 +244,15 @@
 		logger.debug("WidgetCatalogServiceImpl.getWidgetCatalog: result={}", widgets);
 		return widgets;
 	}
-	
-	
-	
-	
-	
+
 	private void updateAppId(long widgetId, Set<RoleApp> roles){
 		Session session = sessionFactory.openSession();
 		for(RoleApp role: roles){
-			String sql = "UPDATE ep_widget_catalog_role SET app_id = " + role.getApp().getAppId() + " WHERE widget_id = " + widgetId + " AND ROLE_ID = " + role.getRoleId() ;
+			String sql = "UPDATE ep_widget_catalog_role SET app_id = :appId WHERE widget_id = :widgetId AND ROLE_ID = :roleId" ;
 			Query query = session.createSQLQuery(sql);
+			query.setParameter("appId", role.getApp().getAppId());
+			query.setParameter("widgetId", widgetId);
+			query.setParameter("roleId", role.getRoleId());
 			query.executeUpdate();
 		}
 		session.flush();
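Review bot: The rewritten loop in `updateAppId` discards the row count from `query.executeUpdate()` on L93, so a widget/role pair with no matching `ep_widget_catalog_role` row is silently skipped; capture and log it, e.g. `int updated = query.executeUpdate();` followed by `logger.debug("updateAppId: widgetId={} roleId={} rows={}", widgetId, role.getRoleId(), updated);`. The `Session` opened on L85 must be closed, and since the method's tail falls outside the hunk I cannot tell whether it is — if not, wrap the loop and `flush()` in try/finally with `session.close()`. The native-SQL named-parameter binding itself is the right fix, since `widgetId` and the role/app ids come from caller-supplied objects; the raw `Query` type on L89 could be narrowed to `NativeQuery`/`SQLQuery` if the Hibernate version in use provides it.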