From bdd04452563a1b375e02787d6821f0bf28205415 Mon Sep 17 00:00:00 2001 From: Robert Varga Date: Wed, 16 Nov 2022 18:28:58 +0100 Subject: [PATCH] Drop dependency on commons-text Fix the final SQL injection issue in GrantStore, which means we no longer need to escape strings. This allows us to drop dependency on common-text and fixup a warning by mentioning guava in our dependencies. Change-Id: I3665a42fd81c7e07ea708d352c784f2bb75a86ad Signed-off-by: Robert Varga
---
 aaa-idm-store-h2/pom.xml | 4 ++--
 .../opendaylight/aaa/datastore/h2/GrantStore.java | 15 +++++----------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/aaa-idm-store-h2/pom.xml b/aaa-idm-store-h2/pom.xml
index b1949db58..0c464d4d7 100644
--- a/aaa-idm-store-h2/pom.xml
+++ b/aaa-idm-store-h2/pom.xml
@@ -53,8 +53,8 @@
- org.apache.commons
- commons-text
+ com.google.guava
+ guava
 net.sf.ehcache
diff --git a/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java b/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java
index c8730887c..65c480b50 100644
--- a/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java
+++ b/aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java
@@ -9,11 +9,9 @@ package org.opendaylight.aaa.datastore.h2;
 import com.google.common.annotations.VisibleForTesting;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.apache.commons.text.StringEscapeUtils;
 import org.opendaylight.aaa.api.IDMStoreUtil;
 import org.opendaylight.aaa.api.model.Grant;
 import org.opendaylight.aaa.api.model.Grants;
@@ -165,21 +163,18 @@ final class GrantStore extends AbstractStore {
 }
 }
- @SuppressFBWarnings(value = "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE", justification = "Weird original code")
 Grant deleteGrant(final String grantid) throws StoreException {
- final String escaped = StringEscapeUtils.escapeHtml4(grantid);
- final var savedGrant = getGrant(escaped);
+ final var savedGrant = getGrant(grantid);
 if (savedGrant == null) {
 return null;
 }
 try (var conn = dbConnect();
- var stmt = conn.createStatement()) {
- // FIXME: prepare statement instead
- final String query = String.format("DELETE FROM " + TABLE + " WHERE " + COL_ID + " = '%s'", escaped);
- LOG.debug("deleteGrant() request: {}", query);
+ var stmt = conn.prepareStatement("DELETE FROM " + TABLE + " WHERE " + COL_ID + " = ?")) {
+ stmt.setString(1, grantid);
+ LOG.debug("deleteGrant() request: {}", stmt);
- int deleteCount = stmt.executeUpdate(query);
+ int deleteCount = stmt.executeUpdate();
 LOG.debug("deleted {} records", deleteCount);
 return savedGrant;
 } catch (SQLException e) {
--
2.36.6
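Review bot: `deleteCount` is logged but never checked, so if the row disappears between `getGrant(grantid)` and `executeUpdate()` (getGrant presumably opens its own connection, so nothing ties the two together transactionally) the method still returns `savedGrant` and reports a deletion that did not happen; `return deleteCount == 0 ? null : savedGrant;` keeps the null-means-absent contract already used by the early return. The new `LOG.debug("deleteGrant() request: {}", stmt)` line depends on the JDBC driver's `PreparedStatement.toString()`, which H2 appears to render with the SQL and bound values but other drivers may print as a bare object handle; logging the id directly, `LOG.debug("deleteGrant() request for {}", grantid);`, makes the message driver-independent. With the id now bound via `setString`, dropping the `// FIXME: prepare statement instead` marker and the SpotBugs suppression is correct. The catch clause and the remainder of `deleteGrant` continue past the end of the hunk.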