Drop dependency on commons-text 44/103244/1
authorRobert Varga <robert.varga@pantheon.tech>
Wed, 16 Nov 2022 17:28:58 +0000 (18:28 +0100)
committerRobert Varga <robert.varga@pantheon.tech>
Wed, 16 Nov 2022 17:28:58 +0000 (18:28 +0100)
Fix the final SQL injection issue in GrantStore, which means we no
longer need to escape strings. This allows us to drop the dependency on
commons-text and fix up a warning by mentioning guava in our dependencies.

Change-Id: I3665a42fd81c7e07ea708d352c784f2bb75a86ad
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
aaa-idm-store-h2/pom.xml
aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/GrantStore.java

index b1949db58057e2cbea7528045cd0167c2f8384e3..0c464d4d7f05e09b2498c7b66681002b3d6e3e46 100644 (file)
@@ -53,8 +53,8 @@
 
         <!-- External dependencies -->
         <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
         </dependency>
         <dependency>
             <groupId>net.sf.ehcache</groupId>
index c8730887c225eff166ea1166dede2a3d23071f36..65c480b50aee3f0811ba1448874a50ff900c7933 100644 (file)
@@ -9,11 +9,9 @@
 package org.opendaylight.aaa.datastore.h2;
 
 import com.google.common.annotations.VisibleForTesting;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.apache.commons.text.StringEscapeUtils;
 import org.opendaylight.aaa.api.IDMStoreUtil;
 import org.opendaylight.aaa.api.model.Grant;
 import org.opendaylight.aaa.api.model.Grants;
@@ -165,21 +163,18 @@ final class GrantStore extends AbstractStore<Grant> {
         }
     }
 
-    @SuppressFBWarnings(value = "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE", justification = "Weird original code")
     Grant deleteGrant(final String grantid) throws StoreException {
-        final String escaped = StringEscapeUtils.escapeHtml4(grantid);
-        final var savedGrant = getGrant(escaped);
+        final var savedGrant = getGrant(grantid);
         if (savedGrant == null) {
             return null;
         }
 
         try (var conn = dbConnect();
-             var stmt = conn.createStatement()) {
-            // FIXME: prepare statement instead
-            final String query = String.format("DELETE FROM " + TABLE +  " WHERE " + COL_ID + " = '%s'", escaped);
-            LOG.debug("deleteGrant() request: {}", query);
+             var stmt = conn.prepareStatement("DELETE FROM " + TABLE +  " WHERE " + COL_ID + " = ?")) {
+            stmt.setString(1, grantid);
+            LOG.debug("deleteGrant() request: {}", stmt);
 
-            int deleteCount = stmt.executeUpdate(query);
+            int deleteCount = stmt.executeUpdate();
             LOG.debug("deleted {} records", deleteCount);
             return savedGrant;
         } catch (SQLException e) {
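Review bot: The debug line `LOG.debug("deleteGrant() request: {}", stmt);` now logs whatever the driver's PreparedStatement.toString() produces, which is not part of the JDBC contract and may or may not include the bound value (H2 appears to, other drivers differ), so the message no longer reliably says which grant was deleted. Logging the identifier directly, `LOG.debug("deleteGrant() request: deleting grant {}", grantid);`, keeps the message stable regardless of driver. Dropping the escapeHtml4 step also changes what getGrant() and the DELETE match against: if any previously persisted rows carry HTML-escaped ids, this lookup would no longer find them — presumably not an issue for ids built by IDMStoreUtil, but worth confirming before release. The doubled space in `TABLE +  " WHERE "` is carried over from the old line and could be tidied while here. deleteGrant's catch block continues outside the hunk.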