From 6dfa45c5b883af5d9d3371f303513180cefa6f86 Mon Sep 17 00:00:00 2001 From: Jonathan Platt Date: Thu, 15 Jul 2021 12:38:16 -0400 Subject: Fix XML external entity vulnerability (CCSDK-3324) Disabled XML external entity references to resolve XML external entity vulnerability in 'SdncUebCallback.java' Issue-ID: CCSDK-3324 Signed-off-by: Jonathan Platt Change-Id: If959e915921042fdd0ba2ff16e167005ba1beed8 --- .../org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'northbound') diff --git a/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java b/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java index 8c3a290e0..ba060924e 100644 --- a/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java +++ b/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java @@ -1194,9 +1194,10 @@ public class SdncUebCallback implements INotificationCallback { outFile = File.createTempFile("tmp", "xml"); TransformerFactory factory = TransformerFactory.newInstance(); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - //factory.setFeature("http://xml.org/sax/features/external-general-entities", false); -- breaks transform - //factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + // To remediate XML external entity vulnerability, completely disable external entities declarations: + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Source xslt = new StreamSource(new File(xsltPath)); Transformer transformer = factory.newTransformer(xslt); Source text = new StreamSource(inFile); -- cgit 1.2.3-korg