author | Dan Timoney <dtimoney@att.com> | 2021-07-09 07:54:44 -0400 |
committer | KAPIL SINGAL <ks220y@att.com> | 2021-07-09 17:13:07 +0000 |
commit | 2ab339240c1d0bd8246bebb75d12c4849dd9e4c5 (patch) | |
tree | 91b91d5ff11eb12103468ed1ce6f8a81feb2a6a5 /plugins/restconf-client/provider/src | |
parent | bab5ed7d5298d4c5e06d4656a90c45d4959e8026 (diff) |
Fix XML external entity vulnerability
Disabled XML external entity references to resolve XML external entity
vulnerability.
Issue-ID: CCSDK-3117
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I1824b52c03148b2bc8a87b7eee8e08768d4284f4
Diffstat (limited to 'plugins/restconf-client/provider/src')
-rw-r--r-- | plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
index 14824f51e..0134a5a47 100644
--- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
+++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
@@ -31,6 +31,8 @@ import java.io.Writer;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.Iterator;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -123,8 +125,11 @@ public final class DfSerializerUtil {
 public static Writer getXmlWriter(String input, String indent)
 throws SvcLogicException {
 try {
- Transformer transformer = TransformerFactory.newInstance()
- .newTransformer();
+ TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = factory.newTransformer();
 transformer.setOutputProperty(INDENT, YES);
 transformer.setOutputProperty(INDENT_XMLNS, indent);
 StreamResult result = new StreamResult(new StringWriter());
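Review bot: The new factory line spells out `javax.xml.transform.TransformerFactory.newInstance()` even though the removed line shows the simple name `TransformerFactory` is already imported in this file; `TransformerFactory factory = TransformerFactory.newInstance();` reads consistently with the rest of the method. The two `setAttribute` calls are documented to throw `IllegalArgumentException` when the loaded JAXP implementation does not recognize the JAXP 1.5 `ACCESS_EXTERNAL_*` attributes, which is presumably not among the types the method's catch block handles, so if a non-JDK Transformer can be on the classpath in this runtime the comment should say the hardening is JDK-only or the call should be guarded explicitly. The added comment also misspells "vulnerabilty". getXmlWriter's body and its catch block continue past the end of the hunk.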
@@ -146,9 +151,12 @@ public final class DfSerializerUtil {
 */
 private static Document parseXml(String in) throws SvcLogicException {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db;
+
 try {
- db = dbf.newDocumentBuilder();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ DocumentBuilder db = dbf.newDocumentBuilder();
 InputSource is = new InputSource(new StringReader(in));
 return db.parse(is);
 } catch (SAXException | IOException | ParserConfigurationException e) { |
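Review bot: Turning off the two external-entity features stops the parser from resolving external general and parameter entities, but the DOCTYPE itself is still processed, so internal entity expansion (the recursive-entity resource-exhaustion case) and declarations inside the internal subset are not covered by this hunk. Unless the payloads this serializer handles genuinely carry a DTD, the simpler and more complete remedy is to reject the declaration outright with `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` placed beside the two existing setFeature calls; if a DTD must be accepted, at least add `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);` so the remaining surface is documented and minimized. The setFeature calls throw ParserConfigurationException, which the catch on the hunk's last line already lists, so no new handling is required. The catch body and the remainder of parseXml lie outside the hunk.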