From fbee0d0f4e36289a294894adc7377a098a85e65c Mon Sep 17 00:00:00 2001
From: Mei Su
Date: Wed, 11 Jul 2018 11:55:24 -0400
Subject: Fix XML injection issue

Fix XML injection security issue

Issue-ID: APPC-1068
Change-Id: Id534da6d0c8287ba32febd959c81c313ee21302a
Signed-off-by: Mei Su
---
 .../main/java/org/onap/appc/design/validator/ValidatorService.java | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'appc-inbound/appc-design-services/provider')

diff --git a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
index eaf5478c4..9f1715e60 100644
--- a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
+++ b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
@@ -35,6 +35,7 @@ import java.io.Reader;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 import org.apache.velocity.app.Velocity;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.exception.MethodInvocationException;
@@ -134,6 +135,10 @@ public class ValidatorService {
 try {
 DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
+dBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
+dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
 DocumentBuilder builder = dBF.newDocumentBuilder();
 builder.parse(new InputSource(new ByteArrayInputStream(payload.getBytes("utf-8"))));
 return DesignServiceConstants.SUCCESS;
--
cgit 1.2.3-korg
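Review bot: The three feature calls added in the second hunk still leave the parser willing to process a DOCTYPE: FEATURE_SECURE_PROCESSING and the two SAX entity features stop external entities from being resolved, but a DTD declared inline in `payload` is still parsed (internal entity expansion is only bounded by the secure-processing limits, not refused) and the Xerces `load-external-dtd` feature stays at its default, so a SYSTEM DTD reference can still trigger a fetch. Since this method only validates a caller-supplied document and has no use for a DTD, the usual complete hardening is to reject the declaration outright, `dBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, `dBF.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` and `dBF.setExpandEntityReferences(false);`, placed alongside the existing calls before `newDocumentBuilder()`. Each `setFeature` throws `ParserConfigurationException` when the loaded parser does not recognise the feature; that type is imported and presumably caught by this `try`, but the catch block is outside the hunk, so confirm that an unsupported feature surfaces as a configuration failure rather than being reported like a malformed payload, and that a non-JDK parser on the classpath cannot silently skip the hardening. The enclosing method starts before and continues past this hunk.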