author | Mei Su <ms6523@att.com> | 2018-07-11 11:55:24 -0400 |
---|---|---|
committer | Takamune Cho <tc012c@att.com> | 2018-07-11 23:52:23 +0000 |
commit | fbee0d0f4e36289a294894adc7377a098a85e65c (patch) | |
tree | 747178db438b51b49c2bdeb273a1ede27898e472 /appc-inbound/appc-design-services/provider/src/main | |
parent | 0bca5f40a33cd5663002c49ed3d6950ab8417487 (diff) |
Fix XML injection issue
Fix XML injection security issue
Issue-ID: APPC-1068
Change-Id: Id534da6d0c8287ba32febd959c81c313ee21302a
Signed-off-by: Mei Su <ms6523@att.com>
Diffstat (limited to 'appc-inbound/appc-design-services/provider/src/main')
-rw-r--r-- | appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
index eaf5478c4..9f1715e60 100644
--- a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
+++ b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
@@ -35,6 +35,7 @@ import java.io.Reader;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 import org.apache.velocity.app.Velocity;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.exception.MethodInvocationException;
@@ -134,6 +135,10 @@ public class ValidatorService {
 try {
 DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
+ dBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
 DocumentBuilder builder = dBF.newDocumentBuilder();
 builder.parse(new InputSource(new ByteArrayInputStream(payload.getBytes("utf-8"))));
 return DesignServiceConstants.SUCCESS; |
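Review bot: The factory configured in the second hunk (`@@ -134,6 +135,10 @@`) still accepts a DOCTYPE declaration, because the three added `setFeature` calls enable secure processing and switch off external general and parameter entities but leave inline DTDs, XInclude and entity-reference expansion at their defaults. If the payloads validated here never need a DTD, the stricter configuration is `dBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` placed before the entity features, followed by `dBF.setXIncludeAware(false);` and `dBF.setExpandEntityReferences(false);`. `setFeature` throws `ParserConfigurationException` when the underlying parser does not recognise a feature, and the catch clauses of this `try` lie outside the hunk, so it is worth confirming that such a failure is reported as a validation error rather than being swallowed. A one-line comment above the block, such as `// Harden the parser against XXE: payload is caller-supplied XML`, would also record why these features are set.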