summaryrefslogtreecommitdiffstats
path: root/plugins/restconf-client/provider/src
diff options
context:
space:
mode:
authorDan Timoney <dtimoney@att.com>2021-07-09 07:54:44 -0400
committerKAPIL SINGAL <ks220y@att.com>2021-07-09 17:13:07 +0000
commit2ab339240c1d0bd8246bebb75d12c4849dd9e4c5 (patch)
tree91b91d5ff11eb12103468ed1ce6f8a81feb2a6a5 /plugins/restconf-client/provider/src
parentbab5ed7d5298d4c5e06d4656a90c45d4959e8026 (diff)
Fix XML external entity vulnerability
Disabled XML external entity references to resolve XML external entity vulnerability. Issue-ID: CCSDK-3117 Signed-off-by: Dan Timoney <dtimoney@att.com> Change-Id: I1824b52c03148b2bc8a87b7eee8e08768d4284f4
Diffstat (limited to 'plugins/restconf-client/provider/src')
-rw-r--r--plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java16
1 files changed, 12 insertions, 4 deletions
diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
index 14824f51e..0134a5a47 100644
--- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
+++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
@@ -31,6 +31,8 @@ import java.io.Writer;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Iterator;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -123,8 +125,11 @@ public final class DfSerializerUtil {
public static Writer getXmlWriter(String input, String indent)
throws SvcLogicException {
try {
- Transformer transformer = TransformerFactory.newInstance()
- .newTransformer();
+ TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = factory.newTransformer();
transformer.setOutputProperty(INDENT, YES);
transformer.setOutputProperty(INDENT_XMLNS, indent);
StreamResult result = new StreamResult(new StringWriter());
@@ -146,9 +151,12 @@ public final class DfSerializerUtil {
*/
private static Document parseXml(String in) throws SvcLogicException {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db;
+
try {
- db = dbf.newDocumentBuilder();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(new StringReader(in));
return db.parse(is);
} catch (SAXException | IOException | ParserConfigurationException e) {