From d5c8465211b61f2ef8529aec851a2ca6b6b0d2ca Mon Sep 17 00:00:00 2001
From: Jonathan Platt
Date: Tue, 13 Jul 2021 11:27:33 -0400
Subject: Fix XML external entity vulnerability

Disabled XML external entity references to resolve XML external entity vulnerability. Also removed commented-out lines of code from previous attempt to resolve XML external entity vulnerability.

Issue-ID: CCSDK-3321
Signed-off-by: Jonathan Platt
Change-Id: Icb142cd1ace84c40d342ce0f08f418f43cc080e8
---
 .../java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'sdnr/wt/common/src')

diff --git a/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java b/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
index 2e0701257..c19cea08d 100644
--- a/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
+++ b/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
@@ -41,10 +41,8 @@ public class PomFile {
 public PomFile(InputStream is) throws ParserConfigurationException, SAXException, IOException {
 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
- // documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- // documentBuilderFactory.setFeature(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
- // documentBuilderFactory.setFeature(XMLInputFactory.SUPPORT_DTD, false);
-
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 this.xmlDoc = documentBuilder.parse(is);
 }
-- 
cgit 1.2.3-korg
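Review bot: The new comment misdescribes the feature it sits above: `disallow-doctype-decl` rejects any DOCTYPE declaration outright, whereas "prohibit the use of all protocols by external entities" describes the separate `XMLConstants.ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` properties set to an empty string. Rejecting the DOCTYPE is in fact the stronger mitigation, since without a DTD no entity, external or internal, can be declared, so it also covers entity-expansion attacks; I would reword it to `// Reject any DOCTYPE declaration (Xerces feature): with no DTD no external or internal entities can be declared, which blocks XXE and entity expansion.` and fix the `vulnerabilty` typo. The feature URI is Xerces-specific, so a different JAXP implementation makes setFeature throw ParserConfigurationException; that fails closed and the constructor already declares the exception, but it deserves a sentence in the constructor's Javadoc because a POM containing a DOCTYPE will now also be rejected. For defence in depth the vendor-neutral calls `documentBuilderFactory.setXIncludeAware(false);` and `documentBuilderFactory.setExpandEntityReferences(false);` could be added before newDocumentBuilder().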