[BIS-260] Fix SQL injections for custom queries

Add some defensive checks for parameter resolution. SVN: 27624

[BIS-260] Fix SQL injections for custom queries
60e27d9b · brinn · 309ed4cd · 60e27d9b
Commit 60e27d9b authored 12 years ago by brinn
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
@@ -223,7 +223,11 @@ class DAO extends SimpleJdbcDaoSupport implements IDAO
                        for (Entry<String, String> entry : bindingsOrNull.getBindings().entrySet())
                        {
                            template.bind(entry.getKey(), "?");
-                            indexMap.put(template.tryGetIndex(entry.getKey()), entry);
+                            final int index = template.tryGetIndex(entry.getKey());
+                            if (index >= 0)
+                            {
+                                indexMap.put(index, entry);
+                            }
                        }
                    }
                    final PreparedStatement psm = con.prepareStatement(template.createText());
@@ -231,6 +235,10 @@ class DAO extends SimpleJdbcDaoSupport implements IDAO
                    for (int i = 1; i <= pmd.getParameterCount(); ++i)
                    {
                        final Entry<String, String> entry = indexMap.get(i - 1);
+                        if (entry == null)
+                        {
+                            throw new SQLDataException("No variable found for for parameter " + i);
+                        }
                        final String strValue = entry.getValue();
                        try
                        {