From 2ab339240c1d0bd8246bebb75d12c4849dd9e4c5 Mon Sep 17 00:00:00 2001
From: Dan Timoney
Date: Fri, 9 Jul 2021 07:54:44 -0400
Subject: Fix XML external entity vulnerability
Disabled XML external entity references to resolve XML external entity vulnerability.
Issue-ID: CCSDK-3117
Signed-off-by: Dan Timoney
Change-Id: I1824b52c03148b2bc8a87b7eee8e08768d4284f4
---
 .../yangserializers/dfserializer/DfSerializerUtil.java | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
(limited to 'plugins/restconf-client/provider/src')
diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
index 14824f51e..0134a5a47 100644
--- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
+++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/yangserializers/dfserializer/DfSerializerUtil.java
@@ -31,6 +31,8 @@ import java.io.Writer;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.Iterator;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -123,8 +125,11 @@ public final class DfSerializerUtil {
 public static Writer getXmlWriter(String input, String indent)
 throws SvcLogicException {
 try {
- Transformer transformer = TransformerFactory.newInstance()
- .newTransformer();
+ TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = factory.newTransformer();
 transformer.setOutputProperty(INDENT, YES);
 transformer.setOutputProperty(INDENT_XMLNS, indent);
 StreamResult result = new StreamResult(new StringWriter());
@@ -146,9 +151,12 @@ public final class DfSerializerUtil {
 */
 private static Document parseXml(String in) throws SvcLogicException {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db;
+
 try {
- db = dbf.newDocumentBuilder();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ DocumentBuilder db = dbf.newDocumentBuilder();
 InputSource is = new InputSource(new StringReader(in));
 return db.parse(is);
 } catch (SAXException | IOException | ParserConfigurationException e) {
-- cgit 1.2.3-korg
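Review bot: The two `factory.setAttribute(...)` calls added in getXmlWriter throw an unchecked `IllegalArgumentException` when the `TransformerFactory` resolved at runtime does not recognise the JAXP 1.5 `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` names (a non-JDK implementation such as an older Xalan picked up from the classpath can reject them), and since the method's catch clause lies outside this hunk I cannot tell whether that case is mapped to `SvcLogicException` or escapes as a raw runtime exception. A more portable hardening is to additionally request `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which every JAXP implementation must accept, and to keep the attribute calls as the explicit belt-and-braces. Two minor style points on the same lines: `javax.xml.transform.TransformerFactory.newInstance()` is needlessly fully qualified given the removed line already used the imported simple name `TransformerFactory`, and the comment misspells "vulnerability" as "vulnerabilty". getXmlWriter's body continues past the end of the hunk.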
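Review bot: Disabling only the two SAX external-entity features on the new `dbf.setFeature(...)` lines in parseXml still leaves DOCTYPE processing enabled, so input that carries an internal DTD can drive entity-expansion (billion-laughs style) growth in `db.parse(is)`, bounded only by the JDK parser's default expansion limits; the input `in` is presumably a restconf response body and so should be treated as untrusted. The primary control recommended for DOM parsers is to reject DTDs altogether with `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, supplemented by `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);` — safe to add next to the existing two calls as long as the payloads this plugin parses never legitimately contain a DOCTYPE, which I cannot confirm from the hunk. Note that `setFeature` raises `ParserConfigurationException` for an unsupported feature and that exception is already in the multi-catch shown here, so an unsupported feature fails loudly rather than silently leaving the parser unhardened. parseXml's catch block runs past the end of the hunk.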