authorJonathan Platt <jonathan.platt@att.com>2021-07-13 13:55:12 -0400
committerJonathan Platt <jonathan.platt@att.com>2021-07-13 13:55:12 -0400
commitf64710dd1f3d8f9e168bd613f992d7506a8cb170 (patch)
tree095da2c082ad26cd047134fe9bb1917b77f9888a
parent87bd7fe2daaa236dea20b4eba7b347175b0e5799 (diff)
Fix XML external entity vulnerability (CCSDK-3323)
Disabled XML external entity references to resolve XML external entity vulnerability in 'SvcLogicParser.java' Issue-ID: CCSDK-3323 Signed-off-by: Jonathan Platt <jonathan.platt@att.com> Change-Id: Ic4a6a13e228a699abf60181a537198913900cec7
-rw-r--r--core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java3
1 files changed, 3 insertions, 0 deletions
diff --git a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
index adec7b27d..fdceaad55 100644
--- a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -598,6 +598,9 @@ public class SvcLogicParser {
}
SAXParserFactory factory = SAXParserFactory.newInstance();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
if (schema != null) {
factory.setNamespaceAware(true);