From f64710dd1f3d8f9e168bd613f992d7506a8cb170 Mon Sep 17 00:00:00 2001 From: Jonathan Platt Date: Tue, 13 Jul 2021 13:55:12 -0400 Subject: Fix XML external entity vulnerability (CCSDK-3323) Disabled XML external entity references to resolve XML external entity vulnerability in 'SvcLogicParser.java' Issue-ID: CCSDK-3323 Signed-off-by: Jonathan Platt Change-Id: Ic4a6a13e228a699abf60181a537198913900cec7 --- .../src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java index adec7b27d..fdceaad55 100644 --- a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java +++ b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java @@ -598,6 +598,9 @@ public class SvcLogicParser { } SAXParserFactory factory = SAXParserFactory.newInstance(); + // To remediate XML external entity vulnerability, completely disable external entities declarations: + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); if (schema != null) { factory.setNamespaceAware(true); -- cgit 1.2.3-korg