From 6dfa45c5b883af5d9d3371f303513180cefa6f86 Mon Sep 17 00:00:00 2001
From: Jonathan Platt <jonathan.platt@att.com>
Date: Thu, 15 Jul 2021 12:38:16 -0400
Subject: Fix XML external entity vulnerability (CCSDK-3324)

Disabled XML external entity references to resolve XML external entity
vulnerability in 'SdncUebCallback.java'

Issue-ID: CCSDK-3324
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: If959e915921042fdd0ba2ff16e167005ba1beed8
---
 .../org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'northbound/ueb-listener/src/main')

diff --git a/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java b/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java
index 8c3a290e0..ba060924e 100644
--- a/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java
+++ b/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java
@@ -1194,9 +1194,10 @@ public class SdncUebCallback implements INotificationCallback {
 
                     outFile = File.createTempFile("tmp", "xml");
                     TransformerFactory factory = TransformerFactory.newInstance();
-                    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  
-                    //factory.setFeature("http://xml.org/sax/features/external-general-entities", false); -- breaks transform
-                    //factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);                   
+                    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                    // To remediate XML external entity vulnerability, completely disable external entities declarations:
+                    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");               
                     Source xslt = new StreamSource(new File(xsltPath));
                     Transformer transformer = factory.newTransformer(xslt);
                     Source text = new StreamSource(inFile);
-- 
cgit 1.2.3-korg