From e4156ab1214268e88716d6153cd7216ef918d1eb Mon Sep 17 00:00:00 2001
From: wr148d <wr148d@att.com>
Date: Tue, 20 Jul 2021 13:00:28 -0400
Subject: Fix CRITICAL xxe (XML External Entity) issues identified in
 sonarcloud

Issue-ID: AAI-3347
Change-Id: I5b187fea722eb2749dfb5336c3b5ae24fa7df336
Signed-off-by: wr148d <wr148d@att.com>
---
 .../org/onap/aai/schemaservice/nodeschema/NodeIngestor.java    | 10 ++++++++++
 .../DefaultDuplicateNodeDefinitionValidationModule.java        |  5 +++++
 2 files changed, 15 insertions(+)


diff --git a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java
index 16136d5..2c32985 100644
--- a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java
+++ b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java
@@ -113,6 +113,11 @@ public class NodeIngestor {
         Set<String> types = new HashSet<>();
         final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
         docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 
         ArrayList<Node> javaTypes = new ArrayList<>();
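Review bot: The same seven-line factory hardening is pasted verbatim into three places (this hunk, the `createCombinedSchema` hunk below, and the `DefaultDuplicateNodeDefinitionValidationModule` hunk), so the next XML-parsing site added to this service is likely to miss one of the settings; extract it into a single helper that every caller uses, and have that helper also call `setXIncludeAware(false)` and `setExpandEntityReferences(false)`, which the hunk leaves at their defaults. Be aware that `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws `IllegalArgumentException` on a parser that does not implement the JAXP 1.5 properties, and the `apache.org`/`xml.org` feature URIs throw `ParserConfigurationException` on a non-Xerces implementation; the method enclosing this hunk starts outside it, so whether those propagate or are caught is not visible here. `disallow-doctype-decl` also makes the parser reject any schema file that carries a DOCTYPE, so a test that loads the shipped schema files and one that asserts a DOCTYPE-bearing document is refused would pin both sides of the change.
```java
/** Builds a DocumentBuilderFactory with DTDs, external entities, XInclude and external schema access disabled. */
private static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
    final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
    docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    docFactory.setXIncludeAware(false);
    docFactory.setExpandEntityReferences(false);
    return docFactory;
}
// … unchanged: each call site replaces its factory setup with `final DocumentBuilderFactory docFactory = newSecureDocumentBuilderFactory();` …
```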
@@ -136,6 +141,11 @@ public class NodeIngestor {
     private Document createCombinedSchema(List<String> files, SchemaVersion v) throws ParserConfigurationException, SAXException, IOException {
         final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
         docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
         DocumentBuilder masterDocBuilder = docFactory.newDocumentBuilder();
         Document combinedDoc = masterDocBuilder.parse(getShell(v));
diff --git a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java
index 915a54d..ac3a450 100644
--- a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java
+++ b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java
@@ -54,6 +54,11 @@ public class DefaultDuplicateNodeDefinitionValidationModule implements Duplicate
 		try {
 			final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
 			docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 			final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 
 			Multimap<String, String> types = ArrayListMultimap.create();
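Review bot: The five added lines are indented with spaces while the surrounding lines of this file (the `try {`, the existing `setFeature` call and the `newDocumentBuilder` line) use tabs, so the block reads as misaligned in any editor that renders tabs at a different width; re-indent the additions with tabs to match the file. The `try` body and the method that contains it both continue outside the hunk, so the catch clauses that would receive a `ParserConfigurationException` or `IllegalArgumentException` from these calls are not visible here; since the pre-existing `setFeature` line already throws the former, it is presumably handled, but the latter is new and worth confirming.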
-- 