From c0e96d09d487e224f0b3cbf40102b749cb3f4b02 Mon Sep 17 00:00:00 2001
From: Jonathan Platt <jonathan.platt@att.com>
Date: Tue, 13 Jul 2021 13:57:07 -0400
Subject: Fix XML external entity vulnerability (CCSDK-3327)

Disabled XML external entity references to resolve XML external entity
vulnerability in 'XmlParser.java'

Issue-ID: CCSDK-3327
Issue-ID: CCSDK-3317
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: I7bae80f3e5858e05d6782c6a290fba33bc7a38ed
---
 .../java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java    | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'plugins')

diff --git a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
index 6ea770ad9..154dbbf19 100644
--- a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
+++ b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
@@ -62,6 +62,9 @@ public final class XmlParser {
         Handler handler = new Handler(listNameList);
         try {
             SAXParserFactory factory = SAXParserFactory.newInstance();
+            // To remediate XML external entity vulnerability, completely disable external entities declarations:
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             SAXParser saxParser = factory.newSAXParser();
             InputStream in = new ByteArrayInputStream(s.getBytes());
             saxParser.parse(in, handler);
-- 
cgit 1.2.3-korg