From 521f027574dbf784c1bb6bd511f2ec70381daa92 Mon Sep 17 00:00:00 2001
From: Jaguar0625
Date: Mon, 19 Aug 2024 12:29:49 -0400
Subject: [PATCH] [nis]: MosaicDefinitionRetriever needs to sanitize user input

problem: CodeQL flagged dangerous SQL statement
solution: sanitize SQL parameters
---
 .../retrievers/MosaicDefinitionRetriever.java | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/nis/src/main/java/org/nem/nis/dao/retrievers/MosaicDefinitionRetriever.java b/nis/src/main/java/org/nem/nis/dao/retrievers/MosaicDefinitionRetriever.java
index 7944ffd12b..06b42dfe3a 100644
--- a/nis/src/main/java/org/nem/nis/dao/retrievers/MosaicDefinitionRetriever.java
+++ b/nis/src/main/java/org/nem/nis/dao/retrievers/MosaicDefinitionRetriever.java
@@ -23,11 +23,11 @@ public class MosaicDefinitionRetriever {
 	 */
 	public DbMosaicDefinition getMosaicDefinition(final Session session, final MosaicId mosaicId) {
 		MustBe.notNull(mosaicId, "mosaic id");
-		final String queryString = String.format(
-				"SELECT m.* FROM mosaicDefinitions m " + "WHERE namespaceId = '%s' AND NAME = '%s' " + "ORDER BY id DESC LIMIT 1",
-				mosaicId.getNamespaceId().toString(), mosaicId.getName());
+		final String queryString = "SELECT m.* FROM mosaicDefinitions m " + "WHERE namespaceId = :namespaceId AND NAME = :name ORDER BY id DESC LIMIT 1";
 		final Query query = session.createSQLQuery(queryString) // preserve-newline
-				.addEntity(DbMosaicDefinition.class);
+				.addEntity(DbMosaicDefinition.class)
+				.setParameter("namespaceId", mosaicId.getNamespaceId().toString())
+				.setParameter("name", mosaicId.getName());
 		return (DbMosaicDefinition) query.uniqueResult();
 	}
 
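Review bot: The new `queryString` line still carries the `"SELECT m.* FROM mosaicDefinitions m " + "WHERE ..."` split that only existed for the old String.format line wrapping; now that the SQL is a fixed literal it reads better as one literal, or as a `private static final String` constant placed next to the `:namespaceId`/`:name` placeholders that the two `setParameter` calls bind. The binding itself is right: both caller-derived values now travel through `setParameter` instead of the query text, which is what the CodeQL finding asked for. The method's Javadoc begins before the hunk.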
@@ -88,15 +88,19 @@ private Collection getMosaicDefinitions(final Session sessio
 		}
 		if (null != namespaceId) {
-			queryString += String.format("AND namespaceId = '%s' ", namespaceId.toString());
+			queryString += "AND namespaceId = :namespaceId ";
 		}
 		queryString += "ORDER BY id DESC LIMIT :limit";
-		final Query query = session.createSQLQuery(queryString) // preserve-newline
+		Query query = session.createSQLQuery(queryString) // preserve-newline
 				.addEntity(DbMosaicDefinition.class) // preserve-newline
 				.setParameter("maxId", maxId) // preserve-newline
 				.setParameter("limit", limit);
+		if (null != namespaceId) {
+			query = query.setParameter("namespaceId", namespaceId.toString());
+		}
+
 		return HibernateUtils.listAndCast(query);
 	}
 }
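Review bot: `queryString` is still assembled with `+=` from an earlier part of getMosaicDefinitions that lies outside this hunk, so nothing in the code states the invariant the fix depends on: every appended fragment is a compile-time literal and every caller-supplied value is bound with `setParameter`. A comment at the concatenation, e.g. `// only literal SQL fragments are appended here; all values are bound via setParameter below`, would keep a later edit from reintroducing a formatted value into the text. The two `null != namespaceId` checks now duplicate one condition, and `query` lost its `final` to allow the conditional rebinding; if the start of the method permits, binding the optional parameter in the same chain behind a single check would restore `final` and keep fragment and binding together. The method begins outside the hunk.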