-rw-r--r--core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java3
-rw-r--r--plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java3
2 files changed, 6 insertions, 0 deletions
diff --git a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
index adec7b27d..fdceaad55 100644
--- a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -598,6 +598,9 @@ public class SvcLogicParser {
}
SAXParserFactory factory = SAXParserFactory.newInstance();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
if (schema != null) {
factory.setNamespaceAware(true);
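Review bot: Disabling the two entity features on the added lines still leaves DOCTYPE declarations accepted, so the parser will continue to fetch an external DTD via the `<!DOCTYPE ... SYSTEM "...">` path and to expand internal entity definitions (the entity-expansion denial-of-service case); the same gap is in the XmlParser hunk below. The usual complete hardening is to reject DOCTYPE entirely with `http://apache.org/xml/features/disallow-doctype-decl`, keep the two features already added as defence in depth, switch off external DTD loading and XInclude, and enable `XMLConstants.FEATURE_SECURE_PROCESSING` (needs `javax.xml.XMLConstants` imported). If either parser must accept documents that legitimately carry a DOCTYPE, drop only the disallow-doctype-decl line and keep the rest. Note that the apache.org feature names raise SAXNotRecognizedException on non-Xerces implementations and that `setFeature` throws checked exceptions; the enclosing method begins outside the hunk, so I cannot see how those are handled here.
```java
SAXParserFactory factory = SAXParserFactory.newInstance();
// Reject DOCTYPE outright: this closes external entities, external DTD fetches
// and internal entity expansion in one step.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers that do not honour the feature above.
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setXIncludeAware(false);
// … unchanged: schema / namespace handling …
```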
diff --git a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
index 6ea770ad9..154dbbf19 100644
--- a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
+++ b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
@@ -62,6 +62,9 @@ public final class XmlParser {
Handler handler = new Handler(listNameList);
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXParser saxParser = factory.newSAXParser();
InputStream in = new ByteArrayInputStream(s.getBytes());
saxParser.parse(in, handler);
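Review bot: The input fed to the newly hardened parser is built with `s.getBytes()`, which on JDKs before 18 uses the platform default charset, so the bytes handed to the SAX parser depend on the host locale rather than on the XML's declared encoding. Since this line is being touched by the fix anyway, it would be worth changing it to `InputStream in = new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));` (import `java.nio.charset.StandardCharsets`), or passing the string through an `InputSource` with a `StringReader` so the parser sees characters directly. The enclosing method and its catch clauses start and end outside the hunk.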