From e4156ab1214268e88716d6153cd7216ef918d1eb Mon Sep 17 00:00:00 2001 From: wr148d <wr148d@att.com> Date: Tue, 20 Jul 2021 13:00:28 -0400 Subject: Fix CRITICAL xxe (XML External Entity) issues identified in sonarcloud Issue-ID: AAI-3347 Change-Id: I5b187fea722eb2749dfb5336c3b5ae24fa7df336 Signed-off-by: wr148d <wr148d@att.com> --- .../org/onap/aai/schemaservice/nodeschema/NodeIngestor.java | 10 ++++++++++ .../DefaultDuplicateNodeDefinitionValidationModule.java | 5 +++++ 2 files changed, 15 insertions(+) (limited to 'aai-schema-service/src/main') diff --git a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java index 16136d5..2c32985 100644 --- a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java +++ b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java @@ -113,6 +113,11 @@ public class NodeIngestor { Set<String> types = new HashSet<>(); final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance(); docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); final DocumentBuilder docBuilder = docFactory.newDocumentBuilder(); ArrayList<Node> javaTypes = new ArrayList<>(); @@ -136,6 +141,11 @@ public class NodeIngestor { private Document createCombinedSchema(List<String> files, SchemaVersion v) throws ParserConfigurationException, SAXException, IOException { final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance(); docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); final DocumentBuilder docBuilder = docFactory.newDocumentBuilder(); DocumentBuilder masterDocBuilder = docFactory.newDocumentBuilder(); Document combinedDoc = masterDocBuilder.parse(getShell(v)); diff --git a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java index 915a54d..ac3a450 100644 --- a/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java +++ b/aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java @@ -54,6 +54,11 @@ public class DefaultDuplicateNodeDefinitionValidationModule implements Duplicate try { final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance(); docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); final DocumentBuilder docBuilder = docFactory.newDocumentBuilder(); Multimap<String, String> types = ArrayListMultimap.create(); -- cgit 1.2.3-korg