Fix XML injection issue

Fix XML injection security issue

Issue-ID: APPC-1068
Change-Id: Id534da6d0c8287ba32febd959c81c313ee21302a
Signed-off-by: Mei Su <ms6523@att.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
index eaf5478c4..9f1715e60 100644
--- a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
+++ b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
@@ -35,6 +35,7 @@ import java.io.Reader;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 import org.apache.velocity.app.Velocity;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.exception.MethodInvocationException;
@@ -134,6 +135,10 @@ public class ValidatorService {
 
         try {
             DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
+            dBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
             DocumentBuilder builder = dBF.newDocumentBuilder();
             builder.parse(new InputSource(new ByteArrayInputStream(payload.getBytes("utf-8"))));
             return DesignServiceConstants.SUCCESS;