From 87bd7fe2daaa236dea20b4eba7b347175b0e5799 Mon Sep 17 00:00:00 2001
From: Jonathan Platt
Date: Tue, 13 Jul 2021 13:54:35 -0400
Subject: Fix XML external entity vulnerability (CCSDK-3322)
Disabled XML external entity references to resolve XML external entity vulnerability in 'VNFOperationalStateValidatorImpl.java'
Issue-ID: CCSDK-3322
Signed-off-by: Jonathan Platt
Change-Id: I88dc0a0ef8e9a587e8f9b3be15ef55e70c687b6e
---
 .../ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java b/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java
index 3a6b1428a..44d7bdbd2 100644
--- a/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java
+++ b/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java
@@ -85,6 +85,8 @@ public class VNFOperationalStateValidatorImpl implements OperationalStateValidat
 List entryList = null;
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new ByteArrayInputStream(xmlText.getBytes(StandardCharsets.UTF_8)));
-- 
cgit 1.2.3-korg
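Review bot: The comment above the added `setFeature` call describes a different control from the one applied: `disallow-doctype-decl` makes the parser reject any document that contains a DOCTYPE declaration, whereas "prohibit the use of all protocols by external entities" is what the `XMLConstants.ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` attributes do. I would reword it to `// XXE hardening: reject any DOCTYPE declaration so no internal or external entities can be declared`, which also fixes the "vulnerabilty" typo. The feature URI is Xerces-specific and `setFeature` throws `ParserConfigurationException` when the factory implementation does not recognise it; the enclosing method and its exception handling start outside this hunk, so confirm that path fails closed rather than continuing with an unhardened parser. As defence in depth, consider adding `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);` next to it.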