From c0e96d09d487e224f0b3cbf40102b749cb3f4b02 Mon Sep 17 00:00:00 2001
From: Jonathan Platt
Date: Tue, 13 Jul 2021 13:57:07 -0400
Subject: Fix XML external entity vulnerability (CCSDK-3327)

Disabled XML external entity references to resolve XML external entity vulnerability in 'XmlParser.java'

Issue-ID: CCSDK-3327
Issue-ID: CCSDK-3317
Signed-off-by: Jonathan Platt
Change-Id: I7bae80f3e5858e05d6782c6a290fba33bc7a38ed
---
 .../java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'plugins')

diff --git a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
index 6ea770ad9..154dbbf19 100644
--- a/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
+++ b/plugins/sshapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/sshapicall/model/XmlParser.java
@@ -62,6 +62,9 @@ public final class XmlParser {
 Handler handler = new Handler(listNameList);
 try {
 SAXParserFactory factory = SAXParserFactory.newInstance();
+// To remediate XML external entity vulnerability, completely disable external entities declarations:
+factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 SAXParser saxParser = factory.newSAXParser();
 InputStream in = new ByteArrayInputStream(s.getBytes());
 saxParser.parse(in, handler);
-- 
cgit 1.2.3-korg
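Review bot: The two added setFeature calls stop the parser from fetching external general and parameter entities, but they still let a DOCTYPE through, so the comment's claim that entity declarations are "completely" disabled overstates what the new lines do — internal entity declarations and DOCTYPE-driven expansion remain possible. Unless this parser must accept documents with a DTD, the more complete and widely recommended hardening is to reject the DOCTYPE outright before the existing two lines: `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (if a DTD is needed, keep the two existing features and add `factory.setXIncludeAware(false);` instead). The comment should then be narrowed to what is actually configured, e.g. `// XXE hardening: reject DOCTYPE and never resolve external general/parameter entities`. setFeature can throw ParserConfigurationException / SAXNotRecognizedException / SAXNotSupportedException; the surrounding try's catch clauses are outside this hunk, as are the start and end of the enclosing method, so it is worth confirming they handle these types rather than only the parse-time exceptions.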