authorDan Timoney <dtimoney@att.com>2020-10-19 15:35:27 -0400
committerDan Timoney <dtimoney@att.com>2020-10-19 15:35:27 -0400
commit1668af4b170153f07a103e5dfc23c0437629d13e (patch)
treeab068df0116274867fb20153ee2638d09c2ae877 /properties-node
parentc37395832b700f66f5087c59c2b0e73a4c34922a (diff)
Disable external entities reference
Disable external entity references in the properties-node XML parser to avoid an XXE vulnerability. Change-Id: I5136dc7edb575d944dfe9fbab334629ec18c5d47 Issue-ID: CCSDK-2918 Signed-off-by: Dan Timoney <dtimoney@att.com>
Diffstat (limited to 'properties-node')
-rw-r--r--properties-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/prop/XmlParser.java5
1 files changed, 5 insertions, 0 deletions
diff --git a/properties-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/prop/XmlParser.java b/properties-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/prop/XmlParser.java
index 68b2f74ec..f48a21e9d 100644
--- a/properties-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/prop/XmlParser.java
+++ b/properties-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/prop/XmlParser.java
@@ -28,6 +28,7 @@ import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -57,6 +58,10 @@ public final class XmlParser {
Handler handler = new Handler(listNameList);
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
+
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXParser saxParser = factory.newSAXParser();
InputStream in = new ByteArrayInputStream(s.getBytes());
saxParser.parse(in, handler);
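Review bot: The three added `setFeature` calls leave DOCTYPE processing itself enabled, so a document carrying `<!DOCTYPE x SYSTEM "http://...">` may still cause the parser to fetch the external DTD subset (an SSRF/DoS vector) even though expansion of external entities is now blocked; the usual complement is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, which rejects any DTD and also shuts off internal-entity expansion attacks, or, if properties documents legitimately carry a DTD, `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`. The `xml.org`/`apache.org` feature URIs are honoured by the JDK's bundled Xerces, but a different SAX implementation on the classpath could throw SAXNotRecognizedException or SAXNotSupportedException from `setFeature`; whether that is handled depends on the catch clauses, which lie outside the hunk. A comment above the block such as `// Harden against XXE: no external entities, no DTD fetching (CCSDK-2918)` would tell the next maintainer why these lines must not be removed. The enclosing method continues past the end of the hunk.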