Posted to commits@cloudstack.apache.org by da...@apache.org on 2015/06/17 22:38:50 UTC

git commit: updated refs/heads/master to 1407033

Repository: cloudstack
Updated Branches:
  refs/heads/master f3afcb089 -> 1407033cc


Fix findbugs SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING warning in UserVmDaoImpl.java: the detail field was vulnerable

Signed-off-by: Daan Hoogland <da...@gmail.com>

This closes #473


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/1407033c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/1407033c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/1407033c

Branch: refs/heads/master
Commit: 1407033cc2e0742653d82bb0181c041b31253693
Parents: f3afcb0
Author: Rafael da Fonseca <rs...@gmail.com>
Authored: Wed Jun 17 20:08:06 2015 +0200
Committer: Daan Hoogland <da...@gmail.com>
Committed: Wed Jun 17 22:38:19 2015 +0200

----------------------------------------------------------------------
 engine/schema/src/com/cloud/vm/dao/UserVmDaoImpl.java | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/1407033c/engine/schema/src/com/cloud/vm/dao/UserVmDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/vm/dao/UserVmDaoImpl.java b/engine/schema/src/com/cloud/vm/dao/UserVmDaoImpl.java
index 5fa3b06..14870e7 100644
--- a/engine/schema/src/com/cloud/vm/dao/UserVmDaoImpl.java
+++ b/engine/schema/src/com/cloud/vm/dao/UserVmDaoImpl.java
@@ -105,9 +105,7 @@ public class UserVmDaoImpl extends GenericDaoBase<UserVmVO, Long> implements Use
             + "left join networks on nics.network_id=networks.id " + "left join user_ip_address on user_ip_address.vm_id=vm_instance.id " + "where vm_instance.id in (";
 
     private static final String VMS_DETAIL_BY_NAME = "select vm_instance.instance_name, vm_instance.vm_type, vm_instance.id , user_vm_details.value, user_vm_details.name from vm_instance "
-            + "left join user_vm_details on vm_instance.id = user_vm_details.vm_id where (user_vm_details.name is null or user_vm_details.name = '";
-
-    private static final String VMS_DETAIL_BY_NAME2 = "') and vm_instance.instance_name in (";
+            + "left join user_vm_details on vm_instance.id = user_vm_details.vm_id where (user_vm_details.name is null or user_vm_details.name = ? ) and vm_instance.instance_name in (";
 
     private static final int VM_DETAILS_BATCH_SIZE = 100;
 
@@ -645,8 +643,9 @@ public class UserVmDaoImpl extends GenericDaoBase<UserVmVO, Long> implements Use
 
         PreparedStatement pstmt = null;
         try {
-            pstmt = txn.prepareStatement(VMS_DETAIL_BY_NAME + detail + VMS_DETAIL_BY_NAME2 + getQueryBatchAppender(vmNames.size()));
-            int i = 1;
+            pstmt = txn.prepareStatement(VMS_DETAIL_BY_NAME + getQueryBatchAppender(vmNames.size()));
+            pstmt.setString(1, detail);
+            int i = 2;
             for(String name : vmNames) {
                 pstmt.setString(i, name);
                 i++;
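Review bot: The statement text passed to txn.prepareStatement is still assembled at run time from getQueryBatchAppender(vmNames.size()), so the FindBugs SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING warning named in the commit title will most likely persist even though the caller-supplied detail value now goes through setString. That remaining concatenation is only safe if getQueryBatchAppender emits nothing but `?` markers, which the per-name setString loop suggests but the hunk does not show; a comment at the prepareStatement line such as `// only '?' placeholders are concatenated here; every value is bound via setString below` would record that invariant for the next reader and for anyone suppressing the warning. Separately, an empty vmNames yields an `in ()` clause that is not valid SQL, so if callers can pass an empty list a guard before prepareStatement (e.g. `if (vmNames.isEmpty()) { return Collections.emptyList(); }` adjusted to the method's actual return type) is worth adding. The enclosing method begins before this hunk and continues past its last line, so the statement's execution and close are not visible here.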