HCMPRE-804-Removed sql injection in like queries

egovernments · Oct 14, 2024 · e2b660c · e2b660c
1 parent e68c5fb
commit e2b660c
Showing 1 changed file with 9 additions and 10 deletions.
diff --git a/...ervices/individual/src/main/java/org/egov/individual/repository/IndividualRepository.java b/...ervices/individual/src/main/java/org/egov/individual/repository/IndividualRepository.java
@@ -227,7 +227,7 @@ private String getQueryForIndividual(IndividualSearch searchObject, Integer limi
         }
         if (searchObject.getIndividualName() != null) {
             query = query + "AND givenname LIKE :individualName ";
-            paramsMap.put("individualName", "%"+searchObject.getIndividualName()+"%");
+            paramsMap.put("individualName", "%"+searchObject.getIndividualName().replace("%", "\\%").replace("_", "\\_")+"%");
         }
         if (searchObject.getGender() != null) {
             query = query + "AND gender =:gender ";
@@ -238,7 +238,9 @@ private String getQueryForIndividual(IndividualSearch searchObject, Integer limi
             paramsMap.put("dateOfBirth", searchObject.getDateOfBirth());
         }
         if (searchObject.getSocialCategory() != null) {
-            query = query + "AND additionaldetails->'fields' @> '[{\"key\": \"SOCIAL_CATEGORY\", \"value\":" + "\"" + searchObject.getSocialCategory() + "\"}]' ";
+            query += " AND additionaldetails->'fields' @> :socialCategory ";
+            String socialCategoryJson = "[{\"key\": \"SOCIAL_CATEGORY\", \"value\": \"" + searchObject.getSocialCategory() + "\"}]";
+            paramsMap.put("socialCategory", socialCategoryJson);
         }
         if (searchObject.getCreatedFrom() != null) {
 
@@ -264,14 +266,11 @@ private String getQueryForIndividual(IndividualSearch searchObject, Integer limi
             query = query + "AND lastModifiedTime>=:lastModifiedTime ";
         }
         if (searchObject.getRoleCodes() != null && !searchObject.getRoleCodes().isEmpty()) {
-            query = query + "AND roles @> '[";
-            for (int i = 0; i < searchObject.getRoleCodes().size(); i++) {
-                query = query + "{\"code\": \"" + searchObject.getRoleCodes().get(i) + "\"}";
-                if (i != searchObject.getRoleCodes().size() - 1) {
-                    query = query + ",";
-                }
-            }
-            query = query + "]' ";
+            query = query + "AND roles @> :roleCodesJson ";
+            String roleCodesJson = searchObject.getRoleCodes().stream()
+                        .map(code -> "{\"code\": \"" + code + "\"}")
+                        .collect(Collectors.joining(",", "[", "]"));
+            paramsMap.put("roleCodesJson", roleCodesJson);
         }
 
         if (searchObject.getUsername() != null) {