From 65eefe6b82eecb64efb6c8e2cc0eb2ac2f518b6e Mon Sep 17 00:00:00 2001
From: Robert Varga
Date: Wed, 16 Nov 2022 18:20:59 +0100
Subject: [PATCH] Use prepareStatement() in RoleStore.deleteRole()
The conversion to prepared statements has not dealt with the delete function, leaving the ability to wipe the entire RoleStore with SQL injection. Fix this by using a proper prepared statement.
JIRA: AAA-239
Change-Id: If46a900951b4f1769239bd5f38516b299284f88b
Signed-off-by: Robert Varga
(cherry picked from commit e0ead2109e45d770b48bb3b848d9e75185c98c4c)
---
 .../aaa/datastore/h2/RoleStore.java | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java b/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java
index 3a911dd18..d65c2e72e 100644
--- a/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java
+++ b/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java
@@ -9,13 +9,10 @@ package org.opendaylight.aaa.datastore.h2;
 import static java.util.Objects.requireNonNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
-import org.apache.commons.text.StringEscapeUtils;
 import org.opendaylight.aaa.api.IDMStoreUtil;
 import org.opendaylight.aaa.api.model.Role;
 import org.opendaylight.aaa.api.model.Roles;
@@ -103,7 +100,7 @@ public class RoleStore extends AbstractStore {
 protected Role putRole(final Role role) throws StoreException {
- Role savedRole = this.getRole(role.getRoleid());
+ Role savedRole = getRole(role.getRoleid());
 if (savedRole == null) {
 return null;
 }
@@ -127,17 +124,16 @@ public class RoleStore extends AbstractStore {
 return savedRole;
 }
- @SuppressFBWarnings("SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE")
- protected Role deleteRole(String roleid) throws StoreException {
- roleid = StringEscapeUtils.escapeHtml4(roleid);
- Role savedRole = this.getRole(roleid);
+ protected Role deleteRole(final String roleid) throws StoreException {
+ Role savedRole = getRole(roleid);
 if (savedRole == null) {
 return null;
 }
- String query = String.format("DELETE FROM ROLES WHERE roleid = '%s'", roleid);
- try (Connection conn = dbConnect(); Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
+ String query = "DELETE FROM ROLES WHERE roleid = ?";
+ try (Connection conn = dbConnect(); PreparedStatement statement = conn.prepareStatement(query)) {
+ statement.setString(1, roleid);
+ int deleteCount = statement.executeUpdate();
 LOG.debug("deleted {} records", deleteCount);
 return savedRole;
 } catch (SQLException s) {
-- 2.36.6
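Review bot: The result of the delete is never checked: on the new side `int deleteCount = statement.executeUpdate();` is only logged, so if the row disappears between `getRole(roleid)` and the DELETE (a concurrent removal), the method still returns `savedRole` as though it had just deleted the role. Consider `if (deleteCount == 0) { return null; }` before `return savedRole;` so the caller sees the same outcome as for a role that was not found; doing the lookup and delete in one transaction would close the window entirely, but that is a larger change. Separately, the hunk drops the `StringEscapeUtils.escapeHtml4(roleid)` normalisation the old code applied before the lookup; if any roles were persisted with HTML-escaped ids by the pre-fix code, lookups and deletes with the raw id would presumably no longer match them, which is worth confirming against how the other store methods were converted. The body of deleteRole continues past the hunk (the catch block is not shown).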