dotCMS · mbiuki · Nov 3, 2025 · semgrep-code-dotcms-test · May 14, 2026
diff --git a/dotCMS/src/main/java/com/dotcms/publisher/business/PublishAuditAPIImpl.java b/dotCMS/src/main/java/com/dotcms/publisher/business/PublishAuditAPIImpl.java
@@ -225,29 +225,23 @@ public PublishAuditStatus getPublishAuditStatus(String bundleId)
 	@CloseDBIfOpened
 	public List<PublishAuditStatus> getPublishAuditStatuses(List<String> bundleIds)
             throws DotPublisherException {
-		if (bundleIds == null || bundleIds.isEmpty()) {
-			return Collections.emptyList();
-		}
 		try {
 			final List<PublishAuditStatus> result = new ArrayList<>();
 
-			final DotConnect dc = new DotConnect();
-			final String placeholders = bundleIds.stream()
-					.map(id -> "?")
-					.collect(Collectors.joining(","));
+			DotConnect dc = new DotConnect();
+			final List<String> parameter = bundleIds.stream().map(id -> "'" + id + "'").collect(Collectors.toList());
 
-			dc.setSQL(String.format(SELECT_ALL_BY_BUNDLES_IDS, placeholders));
-			bundleIds.forEach(dc::addParam);
-			final List<Map<String, Object>> items = dc.loadObjectResults();
+			dc.setSQL(String.format(SELECT_ALL_BY_BUNDLES_IDS,  String.join(",", parameter)));
-			dc.setSQL(String.format(SELECT_ALL_BY_BUNDLES_IDS,  String.join(",", parameter)));
+ // Build a list of '?' placeholders based on the number of bundleIds
+ String placeholders = bundleIds.stream().map(id -> "?").collect(Collectors.joining(","));
+ String newQueryString = String.format(SELECT_ALL_BY_BUNDLES_IDS, placeholders);
+ dc.setSQL(newQueryString);
+ // Safely bind each bundleId to a parameter in the query
+ for (String id : bundleIds) {
+ 	dc.addParam(id);
+ }
-			dc.setSQL(String.format(SELECT_ALL_BY_BUNDLES_IDS,  String.join(",", parameter)));
+ // Build a list of '?' placeholders based on the number of bundleIds
+ String placeholders = bundleIds.stream().map(id -> "?").collect(Collectors.joining(","));
+ String newQueryString = String.format(SELECT_ALL_BY_BUNDLES_IDS, placeholders);
+ dc.setSQL(newQueryString);
+ // Safely bind each bundleId to a parameter in the query
+ for (String id : bundleIds) {
+ 	dc.addParam(id);
+ }
+			List<Map<String, Object>> items = dc.loadObjectResults();
 
-			for (final Map<String, Object> item : items) {
-				result.add(turnIntoPublishAuditStatus(NO_LIMIT_ASSETS, item));
+			for(Map<String, Object> item: items) {
+				result.add(turnIntoPublishAuditStatus(NO_LIMIT_ASSETS,  item));
 			}
 
 			return result;
-		} catch (Exception e) {
-			Logger.error(PublishAuditAPIImpl.class, e.getMessage(), e);
-			throw new DotPublisherException("Unable to get list of elements with error:" + e.getMessage(), e);
+		}catch(Exception e){
+			Logger.debug(PublisherUtil.class,e.getMessage(),e);
+			throw new DotPublisherException("Unable to get list of elements with error:"+e.getMessage(), e);
 		}
 
 	}

diff --git a/dotCMS/src/main/java/com/dotcms/publisher/business/PublisherQueueJob.java b/dotCMS/src/main/java/com/dotcms/publisher/business/PublisherQueueJob.java
@@ -654,7 +654,6 @@ private List<PublishAuditHistory> getRemoteHistoryFromEndpoint(final  List<Strin
 
 		final String responseBody = webTarget
 				.request(MediaType.APPLICATION_JSON)
-				.header("Authorization", AuthCredentialPushPublishUtil.INSTANCE.getRequestToken(targetEndpoint).orElse(""))
 				.post(Entity.entity(bundleIds, MediaType.APPLICATION_JSON))
 				.readEntity(String.class);
 

diff --git a/dotCMS/src/main/java/com/dotcms/rest/AuditPublishingResource.java b/dotCMS/src/main/java/com/dotcms/rest/AuditPublishingResource.java
@@ -3,19 +3,18 @@
 import com.dotcms.publisher.business.DotPublisherException;
 import com.dotcms.publisher.business.PublishAuditAPI;
 import com.dotcms.publisher.business.PublishAuditStatus;
-import com.dotcms.publisher.pusher.AuthCredentialPushPublishUtil;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
-import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
+import com.dotmarketing.util.Config;
 import com.dotmarketing.util.Logger;
+import com.google.common.collect.Lists;
+import io.swagger.v3.oas.annotations.parameters.RequestBody;
 import io.swagger.v3.oas.annotations.tags.Tag;
 
 import java.util.List;
-import java.util.Optional;
 
 @Path("/auditPublishing")
 @Tag(name = "Publishing")
@@ -54,18 +53,7 @@ public Response get(@PathParam("bundleId") final String bundleId,
     @POST
     @Path("/getAll")
     @Produces(MediaType.APPLICATION_JSON)
-    public Response getAll(final List<String> bundleIds,
-                           @Context final HttpServletRequest request) {
-
-        final AuthCredentialPushPublishUtil.PushPublishAuthenticationToken ppAuthToken =
-                AuthCredentialPushPublishUtil.INSTANCE.processAuthHeader(request);
-
-        final Optional<Response> failResponse = PushPublishResourceUtil.getFailResponse(request, ppAuthToken);
-
-        if (failResponse.isPresent()) {
-            return failResponse.get();
-        }
-
+    public Response getAll( List<String> bundleIds) {
         try {
             final List<PublishAuditStatus> statuses = auditAPI.getPublishAuditStatuses(bundleIds);