From bca9c68eaf0423eb4d8f1ca5bd36f40cf6ccddb2 Mon Sep 17 00:00:00 2001
From: Robert Varga
Date: Wed, 16 Nov 2022 18:28:58 +0100
Subject: [PATCH] Drop dependency on commons-text

Fix the final SQL injection issue in GrantStore, which means we no longer need to escape strings. This allows us to drop dependency on common-text and fixup a warning by mentioning guava in our dependencies.

Change-Id: I3665a42fd81c7e07ea708d352c784f2bb75a86ad
Signed-off-by: Robert Varga
(cherry picked from commit bdd04452563a1b375e02787d6821f0bf28205415)
---
 aaa-idm-store-h2/pom.xml | 4 ++--
 .../opendaylight/aaa/datastore/h2/GrantStore.java | 14 +++++---------
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/aaa-idm-store-h2/pom.xml b/aaa-idm-store-h2/pom.xml
index 4094059b1..424470b1d 100644
--- a/aaa-idm-store-h2/pom.xml
+++ b/aaa-idm-store-h2/pom.xml
@@ -53,8 +53,8 @@
- org.apache.commons - commons-text + com.google.guava + guava net.sf.ehcache
diff --git a/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java b/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java
index a4b7bac7a..1fd8b64ee 100644
--- a/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java
+++ b/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java
@@ -8,13 +8,10 @@
 package org.opendaylight.aaa.datastore.h2;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
-import org.apache.commons.text.StringEscapeUtils;
 import org.opendaylight.aaa.api.IDMStoreUtil;
 import org.opendaylight.aaa.api.model.Grant;
 import org.opendaylight.aaa.api.model.Grants;
@@ -140,18 +137,17 @@ public class GrantStore extends AbstractStore {
 }
 }
- @SuppressFBWarnings("SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE")
- protected Grant deleteGrant(String grantid) throws StoreException {
- grantid = StringEscapeUtils.escapeHtml4(grantid);
+ protected Grant deleteGrant(final String grantid) throws StoreException {
 Grant savedGrant = this.getGrant(grantid);
 if (savedGrant == null) {
 return null;
 }
- String query = String.format("DELETE FROM GRANTS WHERE grantid = '%s'", grantid);
+ String query = "DELETE FROM GRANTS WHERE grantid = ?";
 try (Connection conn = dbConnect();
- Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
+ PreparedStatement statement = conn.prepareStatement(query)) {
+ statement.setString(1, grantid);
+ int deleteCount = statement.executeUpdate();
 LOG.debug("deleted {} records", deleteCount);
 return savedGrant;
 } catch (SQLException e) {
--
2.36.6
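Review bot: `deleteCount` is logged but never consulted, so if the row disappears between `this.getGrant(grantid)` and `statement.executeUpdate()` (zero rows affected) the method still returns `savedGrant` as though it had performed the delete; consider `return deleteCount > 0 ? savedGrant : null;` so a concurrently-removed grant yields the same result as an unknown one. Binding the id with `statement.setString(1, grantid)` is the correct fix; the dropped `escapeHtml4` pre-processing was an HTML encoder, not an SQL one, so no protection is lost by removing it. One consequence worth confirming in the store's write paths (outside this hunk) is that ids previously persisted in HTML-escaped form will no longer match a lookup by the raw `grantid`. Since `query` is now a literal it could be inlined into `conn.prepareStatement("DELETE FROM GRANTS WHERE grantid = ?")` or hoisted to a `private static final String`, whichever matches the class's other statements. The method's `catch` body and the rest of `GrantStore` lie outside the hunk.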