The conversion to prepared statements did not cover the delete
function, leaving the entire DomainStore open to being wiped via SQL
injection. Fix this by using a proper prepared statement.
JIRA: AAA-240
Change-Id: I4650e4561482864c90df737e964dcc5514221a15
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
(cherry picked from commit
11295189db80dd45fb0c460d9e9cb3598ed7f229)
import static java.util.Objects.requireNonNull;
import static java.util.Objects.requireNonNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
-import java.sql.Statement;
-import org.apache.commons.text.StringEscapeUtils;
import org.opendaylight.aaa.api.model.Domain;
import org.opendaylight.aaa.api.model.Domains;
import org.slf4j.Logger;
import org.opendaylight.aaa.api.model.Domain;
import org.opendaylight.aaa.api.model.Domains;
import org.slf4j.Logger;
}
protected Domain putDomain(final Domain domain) throws StoreException {
}
protected Domain putDomain(final Domain domain) throws StoreException {
- Domain savedDomain = this.getDomain(domain.getDomainid());
+ Domain savedDomain = getDomain(domain.getDomainid());
if (savedDomain == null) {
return null;
}
if (savedDomain == null) {
return null;
}
- @SuppressFBWarnings("SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE")
- protected Domain deleteDomain(String domainid) throws StoreException {
- domainid = StringEscapeUtils.escapeHtml4(domainid);
- Domain deletedDomain = this.getDomain(domainid);
+ protected Domain deleteDomain(final String domainid) throws StoreException {
+ Domain deletedDomain = getDomain(domainid);
if (deletedDomain == null) {
return null;
}
if (deletedDomain == null) {
return null;
}
- String query = String.format("DELETE FROM DOMAINS WHERE domainid = '%s'", domainid);
+ String query = "DELETE FROM DOMAINS WHERE domainid = ?";
try (Connection conn = dbConnect();
try (Connection conn = dbConnect();
- Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
+ PreparedStatement statement = conn.prepareStatement(query)) {
+ statement.setString(1, domainid);
+ int deleteCount = statement.executeUpdate();
LOG.debug("deleted {} records", deleteCount);
return deletedDomain;
} catch (SQLException e) {
LOG.debug("deleted {} records", deleteCount);
return deletedDomain;
} catch (SQLException e) {