authorJonathan Platt <jonathan.platt@att.com>2021-07-13 11:27:33 -0400
committerJonathan Platt <jonathan.platt@att.com>2021-07-13 11:38:31 -0400
commitd5c8465211b61f2ef8529aec851a2ca6b6b0d2ca (patch)
treed2f6ffd7366afa14d9fccd8090193e12e429f0ec
parentb8ee8acad363ec587f5e73184bf382c51bb87781 (diff)
Fix XML external entity vulnerability
Disabled XML external entity references to resolve XML external entity vulnerability. Also removed commented-out lines of code from previous attempt to resolve XML external entity vulnerability. Issue-ID: CCSDK-3321 Signed-off-by: Jonathan Platt <jonathan.platt@att.com> Change-Id: Icb142cd1ace84c40d342ce0f08f418f43cc080e8
-rw-r--r--sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java6
1 files changed, 2 insertions, 4 deletions
diff --git a/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java b/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
index 2e0701257..c19cea08d 100644
--- a/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
+++ b/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
@@ -41,10 +41,8 @@ public class PomFile {
public PomFile(InputStream is) throws ParserConfigurationException, SAXException, IOException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
- // documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- // documentBuilderFactory.setFeature(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
- // documentBuilderFactory.setFeature(XMLInputFactory.SUPPORT_DTD, false);
-
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
this.xmlDoc = documentBuilder.parse(is);
}
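Review bot: The comment added above the `setFeature` call says it prohibits "the use of all protocols by external entities", but `disallow-doctype-decl` is stricter than that: the parser rejects any document that contains a DOCTYPE declaration at all, so `documentBuilder.parse(is)` will now fail with a SAXException on such input. I would reword the comment, which also fixes the "vulnerabilty" typo, to `// Prevent XXE: reject any document that declares a DOCTYPE, so no entities (internal or external) can be defined`. The feature name is an Apache Xerces URI rather than a JAXP-standard one, so a factory implementation that does not recognise it throws ParserConfigurationException; the constructor already declares that exception, which means the failure is closed rather than silent and is worth keeping that way. As defence in depth, consider also calling `documentBuilderFactory.setXIncludeAware(false);` and `documentBuilderFactory.setExpandEntityReferences(false);` so the hardening does not depend on implementation defaults.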