From 87bd7fe2daaa236dea20b4eba7b347175b0e5799 Mon Sep 17 00:00:00 2001
From: Jonathan Platt <jonathan.platt@att.com>
Date: Tue, 13 Jul 2021 13:54:35 -0400
Subject: Fix XML external entity vulnerability (CCSDK-3322)

Disabled XML external entity references to resolve XML external entity
vulnerability in 'VNFOperationalStateValidatorImpl.java'

Issue-ID: CCSDK-3322
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: I88dc0a0ef8e9a587e8f9b3be15ef55e70c687b6e
---
 .../ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java b/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java
index 3a6b1428a..44d7bdbd2 100644
--- a/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java
+++ b/adaptors/netconf-adaptor/netconf-adaptor-bundle/src/main/java/org/onap/ccsdk/sli/adaptors/netconf/VNFOperationalStateValidatorImpl.java
@@ -85,6 +85,8 @@ public class VNFOperationalStateValidatorImpl implements OperationalStateValidat
         List<Map.Entry> entryList = null;
 
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document document = builder.parse(new ByteArrayInputStream(xmlText.getBytes(StandardCharsets.UTF_8)));
 
-- 
cgit 1.2.3-korg