2 files changed, 6 insertions, 0 deletions
diff --git a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
index adec7b27d..fdceaad55 100644
--- a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -598,6 +598,9 @@ public class SvcLogicParser {
 }
 SAXParserFactory factory = SAXParserFactory.newInstance();
+// To remediate XML external entity vulnerability, completely disable external entities declarations:
+factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 if (schema != null) {
 factory.setNamespaceAware(true);
diff --git a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
index 6ea770ad9..154dbbf19 100644
--- a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
+++ b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
@@ -62,6 +62,9 @@ public final class XmlParser {
 Handler handler = new Handler(listNameList);
 try {
 SAXParserFactory factory = SAXParserFactory.newInstance();
+// To remediate XML external entity vulnerability, completely disable external entities declarations:
+factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 SAXParser saxParser = factory.newSAXParser();
 InputStream in = new ByteArrayInputStream(s.getBytes());
 saxParser.parse(in, handler);
|
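Review bot: The two added setFeature calls in the SvcLogicParser hunk stop the parser from resolving external entities, but a DOCTYPE is still accepted, so an inline DTD with recursive entity definitions (entity-expansion denial of service) is still processed, bounded only by the JDK's default expansion limits, and an external DTD reference is still fetched unless `http://apache.org/xml/features/nonvalidating/load-external-dtd` is also set to false. If the graph XML files are not expected to carry a DOCTYPE, the more complete hardening is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` ahead of the two existing lines, and `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` is a cheap additional baseline either way. The same gap applies to the XmlParser hunk in the second file, which adds the identical two lines. Note that `setFeature` throws the checked ParserConfigurationException, SAXNotRecognizedException and SAXNotSupportedException; the enclosing method in SvcLogicParser starts outside the hunk, so whether these are declared or caught there is not visible here.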
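Review bot: In the XmlParser hunk the hardened factory is now fed by `new ByteArrayInputStream(s.getBytes())`, which encodes the string with the JVM's default charset; if that charset disagrees with the document's declared encoding the parser will misread non-ASCII content, and the result varies by deployment. Since the input is already a String, the charset round-trip can be avoided entirely with `saxParser.parse(new InputSource(new StringReader(s)), handler);` in place of the two lines that build and pass the InputStream. The try block continues past the end of the hunk, so how parse failures are handled is not visible here.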