authorJonathan Platt <jonathan.platt@att.com>2021-07-13 13:57:07 -0400
committerJonathan Platt <jonathan.platt@att.com>2021-07-13 13:57:07 -0400
commitc0e96d09d487e224f0b3cbf40102b749cb3f4b02 (patch)
tree9d7cc959a410ce702b79b86b900f0f4644141dc1 /plugins/sshapi-call-node/provider/src/main/java
parentf64710dd1f3d8f9e168bd613f992d7506a8cb170 (diff)
Fix XML external entity vulnerability (CCSDK-3327)
Disabled XML external entity references to resolve XML external entity vulnerability in 'XmlParser.java' Issue-ID: CCSDK-3327 Issue-ID: CCSDK-3317 Signed-off-by: Jonathan Platt <jonathan.platt@att.com> Change-Id: I7bae80f3e5858e05d6782c6a290fba33bc7a38ed
Diffstat (limited to 'plugins/sshapi-call-node/provider/src/main/java')
-rw-r--r--plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java3
1 files changed, 3 insertions, 0 deletions
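--- a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
+++ b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
@@ -62,6 +62,9 @@ public final class XmlParser {
 Handler handler = new Handler(listNameList);
 try {
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 SAXParser saxParser = factory.newSAXParser();
 InputStream in = new ByteArrayInputStream(s.getBytes());
 saxParser.parse(in, handler);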
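Review bot: Turning off the two external-entity features on the new lines after `SAXParserFactory.newInstance()` still leaves DOCTYPE declarations accepted, so internal entity expansion is bounded only by the JDK's default limits and, depending on the parser implementation, an external DTD reference may still be resolved. The more robust remediation is to reject DOCTYPEs outright with `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, or, if the input legitimately carries a DOCTYPE, add `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` and `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (needs `javax.xml.XMLConstants`) beside the two new calls. The `setFeature` calls can throw `ParserConfigurationException`, `SAXNotRecognizedException` and `SAXNotSupportedException`; the enclosing `try` begins and ends outside the hunk, so I cannot confirm its catch clauses cover them. Separately, `s.getBytes()` on the line before `parse` uses the platform default charset on JDKs before 18, so the same document could be decoded differently per host; `s.getBytes(StandardCharsets.UTF_8)` would make the parse deterministic.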